Java users are being warned to beware of a flaw that attackers could exploit to fully compromise a user's system, and to only use newly released installers.
See Also: 2016 Social Engineering Report
Eric P. Maurice, director of Oracle's software security assurance group, says in a blog post that the vulnerability - designated CVE-2016-0603 - can be exploited whenever users install Java 6, 7 or 8. "Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system," he adds.
"Oracle recommends that Java home users visit Java.com to ensure that ... all older versions of Java SE have been completely removed."
Oracle says the flaw can only be exploited during installation, and it has urged users to delete any previous installers and replace them with Java 6 version 113, Java 7 version 97 or Java 8 version 73, or later versions, which have been patched.
All Java home or BYOD users installing or upgrading the software should only use software obtained from the official Java site, because anything else might be malware in disguise. "Oracle recommends that Java home users visit Java.com to ensure that they are running the most recent version of Java SE and that all older versions of Java SE have been completely removed," Murray says.
This is the first time that Oracle has specifically recommended that users delete old Java. Back in December, the U.S. Federal Trade Commission announced it had settled a complaint with Oracle relating to it having failed to automatically replace all previous, insecure versions of Java when users installed a new version (see Nuke Old Java, FTC Tells Oracle).
Oracle Plans to Dump Plug-In
Oracle's emergency Java alert arrives just one week after the company announced that with the release of Java version 9 - due out Sept. 22 - it will no longer support the Java Web browser plug-in. That move is notable because known vulnerabilities in the plug-in have been regularly targeted by advanced persistent threat groups as well as crimeware toolkits, enabling them to compromise large numbers of PCs at once (see Cybercriminals Mourn Java Plug-In Death).
Oracle has blamed its decision to drop the Java plug-in on browser makers' "removal of standards-based plug-in support" - meaning, they no longer supported the Java plug-in. That's an interesting spin, because the risk posed by the plug-in is arguably what drove browser makers to dump it. Indeed, according to software development firm NTT Innovation Institute, eight of the top 10 most-targeted software vulnerabilities in 2013 involved Java flaws, while Java accounted for four of the top 10 flaws in 2014.
Once Java 9 arrives, however, the plug-in won't magically disappear. "The reality is that the plug-in isn't going away - only support for the plug-in is," says Jake Williams, principal consultant at consultancy Rendition Infosec, in a recent SANS Institute research note. "Many organizations currently depend on the plug-in for browser-based Java applications that may no longer have developer support. Organizations without good software inventories need to start looking today for plugin-based applications that need to be migrated before the Java plug-in architecture stops receiving patches."
Plug-In Death Upsides: Overrated?
In the wake of Oracle revealing its plan to ditch the Java browser plug-in, I reached out to veteran Java bug hunter Adam Gowdiak, who heads Polish research firm Security Explorations. Gowdiak has uncovered dozens of vulnerabilities in Java in recent years.
Bad news: Gowdiak says it's not clear that Oracle's move will have any big security upsides, owing to its continued use of Java Web Start. Oracle says the technology gets automatically installed with every version of Java since version 5, and that "the Java Web Start software is launched automatically, when a Java application using Java Web Start technology is downloaded for the first time." Such applications are also known as JNLP files.
"Java applets and Web Start applications are pretty much the same ... from a security point of view," Gowdiak tells me. "They are both launched from a Web browser. They both make use of the underlying Java platform - runtime, classes, security, etc."
Attackers can also still launch Web Start applications from browsers, for example by creating a website that includes links to malicious JNLP files. "Oracle's move will not 'unlink' Java applications from Web browsers completely. It will only remove their one form - Java applets - and exploitation vector," he says. "The other form - Java Web Start applications - will likely be still there."
In other words, whenever someone installs Java, they will be installing Java Web Start, which still gives online attackers a potential way to exploit known flaws in Java. "In that context, it's hard to see Oracle's move as being a security improvement," Gowdiak says.
Oracle didn't immediately respond to a request for comment on Gowdiak's analysis.
But the attack scenario he outlines is not academic. The so-called Pawn Storm APT attack campaign, for example, which launched targeted attacks against the White House, NATO and others, has targeted Java Web Start technology, according to security firm Trend Micro.