Rotten hackers feast on mouldy Java flaws
Updates don't remove the elderly versions...
Most enterprise networks are riddled with vulnerable Java installations, according to a new study whose release coincides with the discovery of another 0-day Java flaw.
Less than one per cent of organisations are running the latest version of Java, according to a study by security software firm Bit9. The most frequently encountered version of Java running on endpoints is version 6 update 20, found on 9 per cent of systems and subject to 96 high-severity vulnerabilities.
The average enterprise has more than 50 versions of Java installed across its PCs and servers, while five per cent of those enterprises have more than 100 versions of Java installed.
This creates a smorgasbord of mouldy vulnerabilities for hackers to feast upon. At least part of the reason for this sorry state of affairs is that the Java installation and update process often does not remove older versions of the widely used technology.
Most endpoints have multiple versions of Java installed, which means hackers can fairly easily determine what versions of Java an enterprise is running before targeting the oldest, most vulnerable versions. Eighty-two per cent of the endpoints analysed by Bit9 were running version 6 series of Java, which has the most known vulnerabilities of any version of Java.
All these factors make Java a hacker and cyberspy favourite or the "endpoint technology most targeted by cyber attacks," as Bit 9 puts it.
Bit9's study, put together in a report entitled Java Vulnerabilities: Write Once, Pwn Anywhere, is based on an analysis of Java deployment statistics on approximately 1 million endpoints at hundreds of enterprises worldwide.
Oracle only recently revamped the Java update process so that older versions were purged. But these changes have done nothing by themselves to address legacy or orphaned Java installations, some of which date back to the dawn of personal computing, according to Bit9. In trying to minimise compatibility problems, a legacy of insecurity has been created.
“For the past 15 years or so, IT administrators have been under the misconception that updating Java would address its security issues,” explained Harry Sverdlove, Bit9's chief technology officer. “They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading.
"Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95,” he added.
Sorting out the mess involves picking up the cyber-security equivalent of an emergency audit. Enterprises should first evaluate how many versions of Java are running before deciding whether these older versions are needed for valid business reasons and, in particular, whether Java should be running in browsers.
Several security firms routinely advise consumers and business to disable Java browser add-ons, which are seldom needed to surf the 'net but sometimes needed for internet applications. Users can then use security technologies from the likes of Bit9 and others to enforce these policy decisions.
A video featuring Bit9 CTO Harry Sverdlove discussing the Java problem can be found here.
Separately, Poland-based security research outfit Security Exploration claim to have unearthed a flaw that bypasses the security sandbox on Java 7, exposing host systems to malicious attacks. Adam Gowdiak, chief exec and founder of Security Explorations, explained the flaw in a post on a Full Disclosure mailing list.
Security Explorations has created proof-of-concept exploit code PoC exploit code that does the business against Java SE 7 Update 25 and earlier. The vulnerability arises because of flaws in Reflection API (application programming interface), a technology that debuted in Java 7 SE and which has been the font of earlier security problems involving the latest version of the frequently abused software technology.
The upshot is that the latest version of Java can be attacked by types of attack that are more than 10 years old, according to Gowdiak, who slammed Oracle for permitting a through-route to such a well-known attack, which he argues should have been straightforward to defend against.
"If Oracle had any Software Security Assurance procedures adopted for Java SE, most of simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect."
Gowdiak's find means the Java zero-day counter was reset on Thursday, yet again. Oracle is yet to respond to Gowdiak's discovery, so it's unclear if and when a fix might become available. The security giant last released a batch of Java updates in June (details here) and the next scheduled update is not due until October. ®