Feeds

Rotten hackers feast on mouldy Java flaws

Updates don't remove the elderly versions...

5 things you didn’t know about cloud backup

Most enterprise networks are riddled with vulnerable Java installations, according to a new study whose release coincides with the discovery of another 0-day Java flaw.

Less than one per cent of organisations are running the latest version of Java, according to a study by security software firm Bit9. The most frequently encountered version of Java running on endpoints is version 6 update 20, found on 9 per cent of systems and subject to 96 high-severity vulnerabilities.

The average enterprise has more than 50 versions of Java installed across its PCs and servers, while five per cent of those enterprises have more than 100 versions of Java installed.

This creates a smorgasbord of mouldy vulnerabilities for hackers to feast upon. At least part of the reason for this sorry state of affairs is that the Java installation and update process often does not remove older versions of the widely used technology.

Most endpoints have multiple versions of Java installed, which means hackers can fairly easily determine what versions of Java an enterprise is running before targeting the oldest, most vulnerable versions. Eighty-two per cent of the endpoints analysed by Bit9 were running version 6 series of Java, which has the most known vulnerabilities of any version of Java.

All these factors make Java a hacker and cyberspy favourite or the "endpoint technology most targeted by cyber attacks," as Bit 9 puts it.

Bit9's study, put together in a report entitled Java Vulnerabilities: Write Once, Pwn Anywhere, is based on an analysis of Java deployment statistics on approximately 1 million endpoints at hundreds of enterprises worldwide.

Oracle only recently revamped the Java update process so that older versions were purged. But these changes have done nothing by themselves to address legacy or orphaned Java installations, some of which date back to the dawn of personal computing, according to Bit9. In trying to minimise compatibility problems, a legacy of insecurity has been created.

“For the past 15 years or so, IT administrators have been under the misconception that updating Java would address its security issues,” explained Harry Sverdlove, Bit9's chief technology officer. “They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading.

"Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95,” he added.

Sorting out the mess involves picking up the cyber-security equivalent of an emergency audit. Enterprises should first evaluate how many versions of Java are running before deciding whether these older versions are needed for valid business reasons and, in particular, whether Java should be running in browsers.

Several security firms routinely advise consumers and business to disable Java browser add-ons, which are seldom needed to surf the 'net but sometimes needed for internet applications. Users can then use security technologies from the likes of Bit9 and others to enforce these policy decisions.

A video featuring Bit9 CTO Harry Sverdlove discussing the Java problem can be found here.

Groundhog 0-day

Separately‎‎, Poland-based security research outfit Security Exploration claim to have unearthed a flaw that bypasses the security sandbox on Java 7, exposing host systems to malicious attacks. Adam Gowdiak, chief exec and founder of Security Explorations, explained the flaw in a post on a Full Disclosure mailing list.

Security Explorations has created proof-of-concept exploit code PoC exploit code that does the business against Java SE 7 Update 25 and earlier. The vulnerability arises because of flaws in Reflection API (application programming interface), a technology that debuted in Java 7 SE and which has been the font of earlier security problems involving the latest version of the frequently abused software technology.

The upshot is that the latest version of Java can be attacked by types of attack that are more than 10 years old, according to Gowdiak, who slammed Oracle for permitting a through-route to such a well-known attack, which he argues should have been straightforward to defend against.

"If Oracle had any Software Security Assurance procedures adopted for Java SE, most of simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect."

Gowdiak's find means the Java zero-day counter was reset on Thursday, yet again. Oracle is yet to respond to Gowdiak's discovery, so it's unclear if and when a fix might become available. The security giant last released a batch of Java updates in June (details here) and the next scheduled update is not due until October. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.