Oracle's emergency Java patch blocks zero-day exploits, researchers confirm
Fixes flaws that hackers have been using in an ever-increasing number of attacks
Computerworld - Oracle today issued an emergency update to patch the critical vulnerabilities hackers have been using in increasing numbers to hijack Windows PCs.
According to Rapid7, the security firm that maintains the Metasploit open-source penetration framework, the so-called "out-of-band" update will stymie the current attack campaigns.
"It appears that it's effective in blocking the exploit," Tod Beardsley, the engineering manager for Metasploit, said early Thursday. "We just finished testing it 10 minutes ago."
Oracle posted the update -- designated "1.7.0_07-b10" -- published a bare-bones release note on its website, and followed that with an alert shortly after 1 p.m. ET listing the three security vulnerabilities addressed and a single defense-in-depth change it included.
The company also posted a short blog entry on the update.
Hackers had been exploiting two of the bugs for some time in targeted attacks, but in the last several days the scale of those campaigns had dramatically increased.
Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, who in early April reported the vulnerabilities, also confirmed that Thursday's Java update shuts down the in-use exploits.
"None of the original code that we sent to Oracle in April 2012 can be used to achieve a complete Java security sandbox bypass [after the update is applied]," said Gowdiak in an email reply to questions.
Oracle did not give Gowdiak a heads-up that it would be shipping an out-of-band update today. "[But] we expected that they would do this, taking into account the recent events surrounding the 0-day attack code and the widespread surprise that the serious security flaws we reported to the company in April 2012 had not been addressed earlier," said Gowdiak.
Gowdiak, Beardsley and others also commented on the unusual nature of an emergency update from Oracle.
"If we assume that they heard about [the vulnerabilities] the same time they went public, then getting a patch out in four days was lightning quick," said Beardsley. "And if the rumor is true that they've had it for several months, it's still pretty quick for them ... they usually take six months or more."
Andrew Storms, director of security operations at nCircle Security, also applauded Oracle's speed. "Let's give them a little credit and say they delivered the patch in about a week of it going public," said Storms. "I'd say not bad on the turn-around, [so] hat tip to the dev team."
Gowdiak agreed. "We are glad that Oracle didn't wait with the update till October," he said, referring to the next regularly-scheduled Oracle patch date of Oct. 16. "We hope that out-of-band patches will become more common and will be used whenever a need arises to protect users of Oracle software."
But Storms blasted Oracle's communication skills. "Talk to the hand for the [security] PR team," he said. "Oracle is so horrible at security PR, unless they want to let you know that their products are supposedly unbreakable."
Until today, Oracle had refused to comment on the bugs or the in-the-wild exploits.
Users can obtain the emergency update from Oracle's website.
Lucian Constantin, of the IDG News Service, contributed to this report.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts