Yet a new Java zero-day exploit?

We don't know yet whether this is a bad joke intended to discredit Oracle and Java, but the media is buzzing about a possible new Java exploit that no security product detects yet.

This was started by a post from the security researcher Brian Krebs, who observed a thread in a well-known online crime forum where somebody was offering the exploit for 5000 USD (not much for a zero-day exploit) to exactly two buyers. Why only two? Because an exploit stays profitable for as long as security companies like Avira have not seen it, and every additional buyer increases the chance that a sample reaches an antivirus lab. I have written about the fact that security vulnerabilities are becoming a business these days and how a disclosure should be properly done.

True or fake, one thing is sure: Oracle fixed the previous zero-day exploit in a big hurry, and some are saying that not everything was fixed. In an email to the Bugtraq mailing list on Friday, 11.01.2013, Adam Gowdiak, CEO and founder of Poland-based Security Explorations, said that Oracle has yet to fix all the vulnerabilities his company has reported since April 2012 (yes, 2012). His company has even discovered a new vulnerability which "demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (Version 7 Update 7, released on Aug 30, 2012). The reason for it is a new security issue that made exploitation of some of our not-yet-addressed bugs possible to exploit again", said Gowdiak.

We can only guess at the situation Oracle is in right now: they bought Sun Microsystems in 2010, and Java with it, probably without knowing how large and unwieldy that code base is. As happens in many takeovers, a lot of the developers probably left, and their know-how about Java with them. It is clear and understandable that Oracle is primarily fixing the issues that make headlines, but software development, and especially quality assurance, is not something that gets done overnight in a big hurry. I hope that Oracle will reserve the time for a proper code review and refactoring so that it can continue to build on a more solid and better-understood platform. Of course, that assumes the time between two vulnerabilities is long enough for a refactoring and a code review. If things continue as they have in the last 16 months, I am afraid that we will see more and more vulnerabilities hitting Java. According to Oracle, Java runs on over 850 million PCs and on over 3 billion devices world-wide. That's a lot of Java code. How come Oracle didn't think about this two years ago?

I have already written about the fact that you should deactivate or uninstall Java if you don't really need it. If you really need Java, I advise having two browsers installed: one with the Java plugin activated, one without. The one with Java should be used exclusively for those applications/applets that require Java to be present. The browser without the Java plugin should be used for normal browsing. And update Java if you have not done so already.
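The two checks that advice boils down to are "is the installed Java older than the current patch level?" and "is Java content in the browser still switched on?". The script below is an added example written for this page, not code from the author or from Oracle. It assumes a baseline release of 7 Update 11 (treat that as a placeholder for whatever Oracle's latest update is when you run it), and it assumes the `deployment.webjava.enabled` key that Java 7 Update 10 and later write to the user's `deployment.properties` when "Enable Java content in the browser" is unticked in the Java Control Panel. The sample inputs at the bottom are constructed, so the script runs offline.

```python
"""Audit a machine's Java exposure: version behind baseline, browser plugin on."""
import re
import subprocess
from typing import Optional, Tuple

# Assumed baseline (major, update). 7u11 is only an illustration; set it to
# the release Oracle currently ships. Anything older, or unparseable, fails.
BASELINE: Tuple[int, int] = (7, 11)

# `java -version` prints e.g.  java version "1.7.0_07"  (on stderr).
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Turn the first line of `java -version` into (major, update),
    e.g. 'java version "1.7.0_07"' -> (7, 7). None if it is not a banner."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def needs_update(version_output: str, baseline: Tuple[int, int] = BASELINE) -> bool:
    """True when the installed Java is older than the baseline.
    Policy assumption: an older major release (e.g. Java 6) counts as outdated,
    and a banner we cannot parse is treated as outdated rather than trusted."""
    version = parse_java_version(version_output)
    if version is None:
        return True
    return version < baseline  # tuple comparison: major first, then update


def web_java_enabled(deployment_properties: str) -> bool:
    """Inspect the text of a deployment.properties file. Java 7u10+ writes
    deployment.webjava.enabled=false when browser Java is switched off in the
    Java Control Panel. A missing key means the plugin is still enabled."""
    for raw in deployment_properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() != "false"
    return True


def installed_java_version() -> str:
    """Run `java -version` on this machine and return its banner text
    (it goes to stderr). Returns '' when no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


def audit(version_output: str, deployment_properties: str) -> dict:
    """Combine both checks into one result a script or monitoring job can use."""
    return {
        "version": parse_java_version(version_output),
        "needs_update": needs_update(version_output),
        "browser_plugin_enabled": web_java_enabled(deployment_properties),
    }


if __name__ == "__main__":
    # Constructed sample data: a PC still on 7u7 with the browser plugin on.
    sample_banner = 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n'
    sample_props = "#deployment.properties\ndeployment.version=7.7\n"
    print(audit(sample_banner, sample_props))
```

`deployment.webjava.enabled` is a per-user Java setting, not a per-browser one, so it switches the plugin off for every browser at once. For the two-browser setup described above, keep that key at its default and disable the Java plugin in the add-on manager of the browser you use for normal browsing instead.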


Sorin Mustaca

IT Security Expert