Showing posts with label Oracle. Show all posts
Showing posts with label Oracle. Show all posts

42 Java Holes Fixed By Oracle in April 2013 Critical Patch Update Advisory

Posted by Avik Sarkar On 4/18/2013 06:08:00 pm

42 Java Holes Fixed By Oracle in April 2013 Critical Patch Update (CPU) Advisory

The Oracle Corporation has released what it called a critical patch update for its Web-based Java programming language. Java SE software that fixes at least 42 security flaws in the widely-installed program and associated browser plugin. The Java update also introduces new features designed to alert users about the security risks of running certain Java contentThe April patch, which targets 42 vulnerabilities, 19 of which have a severity rating of 10 (highest possible threat level) includes a majority of vulnerabilities that are currently being exploited. Among those 42 new security fixes across Java SE products of which 2 are applicable to server deployments of Java.  According to Oracle, “39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.” Along with the fixes, Oracle changed the default setting of Java SE. Java applets will no longer run in a Web browser unless they have been digitally signed until a warning prompt is acknowledged. It has also extended how users will be alerted of other Java-related security issues. According to renowned security expert and blogger Brian KrebsJava 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plugin). Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority. Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future. Java applications considered to be higher risk — such as those that use an untrusted or expired certificate — will be accompanied by a prompt with a yellow exclamation point in a yellow warning triangle.

Affected Product Releases and Versions:-
Java SEPatch Availability
JDK and JRE 7 Update 17 and earlierJava SE
JDK and JRE 6 Update 43 and earlierJava SE
JDK and JRE 5.0 Update 41 and earlierJava SE
JavaFX 2.2.7 and earlierJavaFX
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. As Java has been run by millions of devices and users across the globe, so we urge all of our readers to install and apply the security fixes to avoid any kind of threats. Note that - Oracle said that this week's security updates don't take care of all known flaws, they do address all known vulnerabilities currently being exploited in the wild. 






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

DHS & US-CERT Recommended to Disable Java in Web Browsers

Posted by Avik Sarkar On 1/18/2013 06:49:00 pm

DHS & US-CERT Recommended to Disable Java in Web Browsers Unless It's Absolutely Necessary

The running time is proving to be the worst period for Java, as it has been walking under serious security issues. Yet again security researchers have pointed out a zero-day security vulnerability in the Java program that hackers are exploiting. The exploit takes advantage of a vulnerability left open in Java 7 Update 10, released in October last year. It works by getting Java users to visit a website with malicious code that takes advantage of a security gap to take control of users' computers. Thus how Java is being used by cyber criminals to infect computers with malware. Oracle, hasn't specified the number of users who have downloaded Java 7 Update 10. However, Java runs on more than 850 million computers and other devices. When Oracle released Update 10, so it is predictable that more than 850 million devices run by Java is under threat. The exploit was first discovered by French researcher Kafeine, who claimed to have found it running on a site registering hundreds of thousands of page views daily. From that site, immediately that vulnerability and a large number of effected devices has been spotted in the wild. In Java 7 Update 10 the creator of Java, Oracle added several security control and fixed older bugs and promised more security enhancement, but its very unfortunate that Oracle failed to keep their promise. What ever after this newly discovered 0-day hole spotted wildly, Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets. It "strongly recommends" that Java SE 7 users upgrade immediately to avoid all kind of security hazards. 

After seeing all the drama, many of you have failed to keep trust in Java, and you all will be relieved when you will gone through the security advisory of CERT (Computer Emergency Response Team) where they have clearly instructed to disable Java in your popular web-browser. In their official release CERT said "Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."

You will see similar advice in the advisory posted on the official DHS US-CERT website where DHS also suggested to disable Java until and unless it is that much necessary. "To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment." - said U.S. CERT in their advisory. 






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Oracle Released Java 7 update 10 With Security Enhancements & Bug Fixes

Posted by Avik Sarkar On 12/21/2012 07:18:00 pm

Oracle Released Java 7 update 10 With Security Enhancements & Bug Fixes 

This is the third time in a year when Oracle has updated the standard edition of Java platform. This release includes new security controls in addition to a bug fix and updated timezone data. This latest update also contains a number of security enhancements and is now certified for Mac OS X 10.8 and Windows 8. The security enhancements include the ability to disable any Java application from running in the browser and the ability to set a desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications. While keeping in mind the last security issues with Java, in the press release of this Java update Oracle said "if the JRE is deemed expired or insecure, additional security warnings are displayed. In most of these dialogs, the user has the option to block running the app, to continue running the app, or to go to java.com to download the latest release."

Security Feature Enhancements

The JDK 7u10 release includes the following enhancements:
  • The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
  • The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
  • New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.

Bug Fixes

Notable Bug Fixes in JDK 7u10

The following are some of the notable bug fixes included in JDK 7u10.
Area: java command

Description: Wildcard expansion for single entry classpath does not work on Windows platforms.

The Java command and Setting the classpath documents describe how the wildcard character (*) can be used in a classpath element to expand into a list of the .jar files in the associated directory, separated by the classpath separator (;).
This wildcard expansion does not work in a Windows command shell for a single element classpath due to the Microsoft bug described in Wildcard Handling is Broken.
See 7146424.
For a list of other bug fixes included in this release, see JDK 7u10 Bug Fixes page. 

The updated Java Development Kit and Java Runtime Environment are available to download from the Oracle site. 



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Researcher Figure-out Yet Another Java Hole That Puts 1 Billion Users at Risk

Posted by Avik Sarkar On 9/28/2012 04:42:00 am

Researcher Figure-out Yet Another Java Hole That Puts 1 Billion Users at Risk

Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco yet again another critical Java vulnerability has been spotted in the wild.  The Polish security researcher Adam Gowdiak has found another vulnerability in Java that could allow an attacker to bypass the sandbox. This newly discovered security hole has effected all latest versions of Oracle Java SE software. According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software.” So far the researcher were able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass 
in the environment of Java SE 5, 6 and 7. Researcher could only claim such an impact with reference to Java 7 environment (the 
Apple QuickTime attack relying on Issues 15 and 22 is the only exception here). 





The following Java SE versions were verified to be vulnerable:

  • Java SE 5 Update 22 (build 1.5.0_22-b03)
  • Java SE 6 Update 35 (build 1.6.0_35-b10)
  • Java SE 7 Update 7  (build 1.7.0_07-b10)


All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications:

  • Firefox 15.0.1
  • Google Chrome 21.0.1180.89
  • Internet Explorer 9.0.8112.16421 (update 9.0.10)
  • Opera 12.02 (build 1578)
  • Safari 5.1.7 (7534.57.2)
So far there are no reports that the vulnerability is being exploited for attacks. Oracle has not said whether or when it will close the vulnerability. Here we want to remind the very recent history, when several zero day vulnerability was found in all the version of java, which was added on BlackHole Exploit kit. Later Oracle released a patch to close the security hole. 








SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Ekoparty Conference: Stealth Password Cracking Vulnerability Found in Oracle Database

Posted by Avik Sarkar On 9/23/2012 12:05:00 am

Ekoparty Conference: Stealth Password Cracking Vulnerability Found in Oracle Database

Researchers unveiled serious vulnerability in the authentication protocol used by some Oracle databases, a flaw that could enable a remote attacker to brute-force a token provided by the server prior to authentication and determine a user's password. The attacker could then log on as an authenticated user and take unauthorized actions on the database. The vulnerability exists in Oracle Database 11g Releases 1 and 2 and is caused by a problem with the way the authentication protocol protects session keys when users try to log in. The first step in the authentication process when a client contacts the database server is for the server to send a session key back to the client, along with a salt. The vulnerability enables an attacker to link a specific session key with a specific password hash. The researcher who discovered the bug named Esteban Martinez Fayó has also released a tool that can crack some simple passwords in about five hours on a normal PC.  Fayó is a security specialist of AppSec Inc, he demonstrated his findings at the Ekoparty conference which is currently taking place in Buenos Aires. 
According to Esteban Martinez Fayo "This Session Key is a random value that the server generates and sends as the initial step in the authentication process, before the authentication has been completed.  This is the reason why this attack can be done remotely without the need of authentication and also, as the attacker can close the connection once the Session Key has been sent, there is no failed login attempt recorded in the server because the authentication is never completed."  He also staid "Once the attacker has a Session Key and a Salt (which is also sent by the server along with the session key), the attacker can perform a brute force attack on the session key by trying millions of passwords per second until the correct one is found.  This is very similar to a SHA-1 password hash cracking.  Rainbow tables can’ t be used because there is a Salt used for password hash generation, but advanced hardware can be used, like GPUs combined with advanced techniques like Dictionary hybrid attacks, which can make the cracking process much more efficient."  
"Basically, I discovered that not all failed login attempts were recorded by the database.  Looking closer at the issue, I located the problem in the way that one of the components of the logon protocol, the Session Key, was protected.  I noticed that, in a certain way, the Session Key was leaking information about the password hash," he added 
Although Oracle closed the hole with the 11.2.0.3 patch set, which introduced the new version 12 of the protocol in mid-2011, Fayó said that there has been no fix for versions 11.1 and 11.2 of the database because the update was never included in any of Oracle's regular "critical patch updates". The researcher explained that unless administrators activate the new protocol manually, the database will continue to use the vulnerable version 11.2 protocol. The vulnerability is in a widely deployed product and is easy to exploit, Fayo said he considers it to be quite dangerous. "The Oracle stealth password cracking vulnerability is a critical one.  There are many components to affirm this: It is easy to exploit, it doesn’t leave any trace in the database server and it resides in an essential component of the logon protocol," he said.
"It is very simple to exploit.  The attacker just needs to send a few network packets or use a standard Oracle client to get a Session Key and Salt for a particular user.  Then, an attack similar to that of cracking SHA-1 password hash can be performed. I developed a proof-of-concept tool that shows that it is possible to crack an 8 characters long lower case alphabetic password in approximately 5 hours using standard CPUs."


-Source (Threat Post)






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Oracle Released Emergency Update to Patch Java 0day (CVE-2012-4681)

Posted by Avik Sarkar On 8/31/2012 06:06:00 pm

Oracle Released Emergency Update to Patch Java 0day (CVE-2012-4681)

Zero-day vulnerabilities in Java, which was on the spotlight for last few days; takes a new direction. Several security firms have already declared that, this newly found Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. As expected  Oracle has released an emergency update to address those zero-day vulnerabilities. This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.
Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Supported Products Affected

Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below.  Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.
Affected product releases and versions:
Java SEPatch Availability
JDK and JRE 7 Update 6 and beforeJava SE
JDK and JRE 6 Update 34 and beforeJava SE

Patch Availability Table and Risk Matrix

Java SE fixes in this Security Alert are cumulative; this latest update includes all fixes from previous Critical Patch Updates and Security Alerts.

Patch Availability Table

Product GroupRisk MatrixPatch Availability and Installation Information
Oracle Java SEOracle JDK and JRE Risk Matrix

Also Java 7 Update 7 is now available to download for Windows (32- and 64-bit), Linux (32- and 64-bit), Mac OS X (64-bit), Solaris x86 (32- and 64-bit) and Solaris SPARC (32- and 64-bit). JDKs with the updated Java runtimes are also available. Users with Java installed on their systems, whatever operating system, should install the updates as soon as possible because malicious software that uses the vulnerability is already in circulation. For detailed information click here






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search