Websense Security Labs showed that 94% of endpoints currently running Java contain at least one known vulnerability. First, is there an easy way for organizations to determine the security vulnerabilities in the Java versions they are running? Also, how can organizations further secure old versions of Java if they can't upgrade in a timely fashion?
Ask the Expert!
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security.
In the first three months of 2013, the number of Java security vulnerabilities discovered had already surpassed the 57 reported in 2011, which was previously Java's worst year! A number of these Java vulnerabilities were zero-days, and such exploits have become a feature in many crimeware kits, such as Cool, Blackhole and RedKit. A recent study of the Blackhole crimeware kit found that Java bugs were being used to exploit systems in 77% of all successful attacks. A Java security vulnerability recently patched by Oracle was exploited for five years in the Red October espionage campaign against government agencies in the former Soviet Union.
At the time of this writing, the Common Vulnerabilities and Exposures dictionary showed unpatched vulnerabilities with a CVSS score of 10. This is the highest CVSS score and implies that little knowledge or skill is required to exploit the vulnerability, and that it can lead to total information disclosure, total compromise of system integrity, and complete unavailability of the resource. This listing shows all the vulnerabilities for Java Runtime Environment (JRE), as well as the versions that are affected. Secunia's Advisory and Vulnerability Database is another source of information about the vulnerabilities that affect specific versions of JRE.
Research by Websense found that some 94% of browsers may be vulnerable to at least one Java exploit, with only around 5% of Java users running the latest JRE -- version 1.7.17. Many of the versions being used are months or years out of date. Worryingly, nearly 80% of users have a version of Java that will no longer receive any patches due to Oracle's end-of-life for Java 1.6. There are a variety of reasons for this situation. Java updates independently from the applications that use it, such as browsers. Many updates don't even reach end users because Oracle doesn't offer automatic updates; instead, it requires users to trigger the update themselves.
The JRE is only required to run Java applications, either in a browser or as standalone programs, with the main problem being the Java browser plug-in. Although desktop Java apps use the same runtime environments with the same vulnerabilities, they are designed to work in a different way to the plug-in, and so aren't affected. The Department of Homeland Security, along with numerous security experts, has recommended that whenever possible businesses should disable the Java plug-in in their browsers. Most home users probably don't need it and can safely remove it.
As many Java exploits are zero-days, antivirus and antimalware programs will not recognize and stop them. However, the products can prevent users from reaching malicious sites in the first place, and can often provide some protection until a patch is ready and installed. As always, it's important to keep your operating system and applications up to date with the latest Java version and security patches. If Java is critical to an enterprise, then a product such as Bromium's vSentry may be necessary, as it hardware-isolates any potentially malicious code execution.
To keep up to date with the latest JRE security alerts, subscribe to Oracle's Critical Patch Update Alert Emails and RSS feed. You can also receive alerts and advice about JRE by signing up to Secunia's Vulnerability Intelligence Manager service.
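One way to turn the version figures above into an endpoint check, as an added example that is not part of the original answer: it classifies `java -version` banners collected from endpoints against the baseline the answer gives (latest JRE 1.7.17, Java 1.6 end-of-life). It assumes the banners were already gathered by an inventory tool, that "1.7.17" corresponds to the banner string `1.7.0_17`, and the hostnames and function names are hypothetical.

```python
import re

# Baseline from the article (2013): latest JRE is 7 Update 17 and
# Java 1.6 is end-of-life. Update these values for present-day use.
LATEST = (7, 17)
EOL_MAJOR_MAX = 6

# Matches the first line of `java -version`, e.g.  java version "1.7.0_17"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

def parse_jre(banner):
    """Return (major, update) from a `java -version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def classify(banner):
    """Return 'unknown', 'end-of-life', 'outdated' or 'current'.

    'current' means at or above the LATEST baseline.
    """
    v = parse_jre(banner)
    if v is None:
        return "unknown"
    if v[0] <= EOL_MAJOR_MAX:
        return "end-of-life"
    return "outdated" if v < LATEST else "current"

def audit(inventory):
    """Return (host, status) pairs needing action, worst status first."""
    order = {"end-of-life": 0, "unknown": 1, "outdated": 2}
    flagged = [(h, classify(b)) for h, b in inventory.items()]
    flagged = [(h, s) for h, s in flagged if s != "current"]
    return sorted(flagged, key=lambda hs: (order[hs[1]], hs[0]))

# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "ws-001": 'java version "1.6.0_43"',
    "ws-002": 'java version "1.7.0_09"',
    "ws-003": 'java version "1.7.0_17"',
    "ws-004": 'java version "1.5.0_22"',
    "ws-005": "java: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}\t{status}")
```

Hosts reported as end-of-life cannot be fixed by patching within their release line, so they are the candidates for disabling the browser plug-in or isolating Java as described above.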
This was first published in August 2013