Rotten hackers feast on mouldy Java flaws

Updates don't remove the elderly versions...

Top three mobile application threats

Most enterprise networks are riddled with vulnerable Java installations, according to a new study whose release coincides with the discovery of another 0-day Java flaw.

Less than one per cent of organisations are running the latest version of Java, according to a study by security software firm Bit9. The most frequently encountered version of Java running on endpoints is version 6 update 20, found on 9 per cent of systems and subject to 96 high-severity vulnerabilities.

The average enterprise has more than 50 versions of Java installed across its PCs and servers, while five per cent of those enterprises have more than 100 versions of Java installed.

This creates a smorgasbord of mouldy vulnerabilities for hackers to feast upon. At least part of the reason for this sorry state of affairs is that the Java installation and update process often does not remove older versions of the widely used technology.

Most endpoints have multiple versions of Java installed, which means hackers can fairly easily determine what versions of Java an enterprise is running before targeting the oldest, most vulnerable versions. Eighty-two per cent of the endpoints analysed by Bit9 were running version 6 series of Java, which has the most known vulnerabilities of any version of Java.

All these factors make Java a hacker and cyberspy favourite or the "endpoint technology most targeted by cyber attacks," as Bit 9 puts it.

Bit9's study, put together in a report entitled Java Vulnerabilities: Write Once, Pwn Anywhere, is based on an analysis of Java deployment statistics on approximately 1 million endpoints at hundreds of enterprises worldwide.

Oracle only recently revamped the Java update process so that older versions were purged. But these changes have done nothing by themselves to address legacy or orphaned Java installations, some of which date back to the dawn of personal computing, according to Bit9. In trying to minimise compatibility problems, a legacy of insecurity has been created.

“For the past 15 years or so, IT administrators have been under the misconception that updating Java would address its security issues,” explained Harry Sverdlove, Bit9's chief technology officer. “They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading.

"Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95,” he added.

Sorting out the mess involves picking up the cyber-security equivalent of an emergency audit. Enterprises should first evaluate how many versions of Java are running before deciding whether these older versions are needed for valid business reasons and, in particular, whether Java should be running in browsers.

Several security firms routinely advise consumers and business to disable Java browser add-ons, which are seldom needed to surf the 'net but sometimes needed for internet applications. Users can then use security technologies from the likes of Bit9 and others to enforce these policy decisions.

A video featuring Bit9 CTO Harry Sverdlove discussing the Java problem can be found here.

Groundhog 0-day

Separately‎‎, Poland-based security research outfit Security Exploration claim to have unearthed a flaw that bypasses the security sandbox on Java 7, exposing host systems to malicious attacks. Adam Gowdiak, chief exec and founder of Security Explorations, explained the flaw in a post on a Full Disclosure mailing list.

Security Explorations has created proof-of-concept exploit code PoC exploit code that does the business against Java SE 7 Update 25 and earlier. The vulnerability arises because of flaws in Reflection API (application programming interface), a technology that debuted in Java 7 SE and which has been the font of earlier security problems involving the latest version of the frequently abused software technology.

The upshot is that the latest version of Java can be attacked by types of attack that are more than 10 years old, according to Gowdiak, who slammed Oracle for permitting a through-route to such a well-known attack, which he argues should have been straightforward to defend against.

"If Oracle had any Software Security Assurance procedures adopted for Java SE, most of simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect."

Gowdiak's find means the Java zero-day counter was reset on Thursday, yet again. Oracle is yet to respond to Gowdiak's discovery, so it's unclear if and when a fix might become available. The security giant last released a batch of Java updates in June (details here) and the next scheduled update is not due until October. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.