Sunday, January 13, 2013

Oracle closes Java security hole, tightens default settings

Oracle promised a fix to a newly discovered Java vulnerability, and it didn't take the company long. On Sunday, just three days after the vulnerability was uncovered and one day after the company publicly promised a fix, Oracle released Java 7 Update 11 with a fix for the problem.

The new version can be downloaded directly from Oracle's website. Oracle recommended -- as do we -- that all Java 7 users update immediately to the new version.

According to Oracle's release notes, Java 7 Update 11 “contains fixes for security vulnerabilities.” The Oracle Security Alert for CVE-2013-0422 details the issues that Update 11 fixes, clarifying that two vulnerabilities were patched.

In addition, Oracle changed the default Java Security Level for the software, raising it from Medium to High, meaning the user is now always prompted before any unsigned Java applet or Java Web Start application is run. Oracle explained that the change is meant to prevent drive-by downloads:
This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.
Those who want to walk on the wild side can, of course, use the Java Control Panel applet to modify the setting.

This all began Thursday, when the U.S. Computer Emergency Readiness Team (US-CERT, a division of the Department of Homeland Security) started the ball rolling with the vulnerability note it issued late that day.

That was quickly followed with reactions from some third parties. Mozilla, for one, was quick to respond. On Friday, the company announced that it had added Java 7 Updates 9 and 10 as well as Java 6 Updates 37 and 38 to its Firefox add-on block list, after news of the new vulnerability was released. Older versions of Java are already blacklisted due to other security holes.

Meanwhile, Apple moved quickly to protect Mac OS X systems by updating its "Xprotect.plist" blacklist in a way that disabled the Java 7 plug-in on Macs where it was already installed.

Apple's swift moves were somewhat ironic. The Flashback trojan from 2012 relied on a Java vulnerability, and Oracle, the company behind Java, fixed the vulnerability exploited to install Flashback on Feb. 14, 2012.

However, Apple maintains the Mac OS X version of Java and did not release an update for its OS until April 3, 2012. By then Flashback had already infected 600,000 systems.

At any rate, it seemed Apple learned its lesson. The latest security fiasco is now a memory. We'll see how long it takes before another one emerges.
