
$5,000 will buy you access to another, new critical Java vulnerability (Updated)

Fix Oracle rushed out three days ago was "incomplete," researchers say.


Update, April 2, 2013: As reported on KrebsonSecurity, the Java exploit being advertised turned out to be an elaborate hoax intended to learn the screen name reporter Brian Krebs was using to browse exclusive sections of an underground forum.

An exploit for yet another critical Java software vulnerability began circulating online amid reports that the patch Oracle issued two days ago is incomplete.

In an article published Wednesday morning on KrebsOnSecurity, reporter Brian Krebs said a fully "weaponized" executable that exploits the bug was being advertised for $5,000 in an underground Internet forum. The price also included source code for the exploit so that it could be folded into other types of attacks. The advertisement came one day after Oracle rushed out a fix for an earlier critical vulnerability that was being "massively" exploited online. That earlier vulnerability is tracked as CVE-2013-0422.

Krebs said the latest attack exploited "a different and apparently still-unpatched zero-day vulnerability in Java." His article came around the same time researchers from antivirus provider Trend Micro warned that the Oracle patch may not be effective at blocking some attacks.

"Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete," Trend Vulnerability Research Manager Pawan Kinger wrote in a blog post. Kinger went on to explain that the vulnerability stemmed from flaws in two parts of the Java code base: one involving the findClass method and the other involving the invokeWithArguments() method. While Sunday's patch fixed the latter issue, the findClass method can still be used to obtain references to restricted classes, leaving a hole that an attacker could exploit once it is paired with another bug.

Kinger continued:

With this incident, the biggest question on everyone's mind is "Are users safe after installing the patch?" or "Does the patch protect from recent attacks using CVE-2013-0422?" Yes, but only until someone finds another bug to couple with the first issue. The findClass method still remains an open issue, but cannot be exploited on its own. However, the message is clear: Java remains a big risk.

Researchers from security firm Immunity also reported the patch fixed only one of two bugs.

Update: Asked for comment on the reports, Oracle spokeswoman Letty Ledbetter referred Ars to this post, which was published three days earlier. When Ars pointed out that the statement didn't address the claims contained in the reports, she said Oracle had no additional comment.

The Trend and Immunity reports aren't the first to claim Oracle rushed out an incomplete patch. Late last week, researcher Adam Gowdiak of Poland-based Security Explorations said the then-unpatched vulnerability that was being exploited was the result of an incomplete patch Oracle developers issued last year to fix an earlier security bug.

In light of Oracle's repeated failures to adequately repel in-the-wild attacks, it's not surprising that more and more researchers are urging administrators and end users to remove Java from Web browsers and even from desktop computers altogether. Among the growing chorus is US-CERT, which is affiliated with the US Department of Homeland Security. Even after Oracle issued Sunday's so-called 7u11 patch, CERT officials wrote: "Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."

In addition to at least partially fixing the vulnerability under attack, 7u11 also changed the security level for Web-based Java applets. As a result, end users must click an OK button before such applets are executed. This has been a largely overlooked change that Oracle should be applauded for introducing. But given the prevalence and success of social engineering attacks that trick people into taking actions that harm their security, the change is by no means a substitute for fixing critical bugs in the Java code base. Oracle developers need to begin a thorough audit and rewrite of Java now.
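For administrators who want to follow the US-CERT advice above across a fleet rather than relying on each user to untick a checkbox, the Java 7 deployment configuration can disable browser Java and lock the setting system-wide. The following is an added example, not from the article, Oracle or US-CERT. It uses the system-level deployment.config and deployment.properties files that Java 7 Update 10 and later read (on Linux the system config lives at /etc/.java/deployment/deployment.config, on Windows at %windir%\Sun\Java\Deployment\deployment.config); the file path on the first line is the one to adjust for your platform. The first fragment shows a permissive setup for contrast, the second the hardened one; the `.locked` suffix is the deployment system's convention for keeping the user from overriding a key in the Java Control Panel.

```properties
# deployment.config (system level): point every JRE on the host at one
# mandatory properties file so per-user settings cannot override it.
deployment.system.config=file:///etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=true

# --- deployment.properties, permissive (what many desktops looked like
# before 7u11): browser Java enabled, security slider at MEDIUM, nothing locked.
deployment.webjava.enabled=true
deployment.security.level=MEDIUM

# --- deployment.properties, hardened per the US-CERT recommendation:
# turn the browser plug-in off everywhere and lock both keys. The
# security level is raised as well, but as the article notes a click-through
# prompt is no substitute for removing the plug-in from the browser.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

After deploying the file, confirm the change took effect by opening the Java Control Panel on a test machine: the "Enable Java content in the browser" box should be unchecked and greyed out, and a browser visiting any applet test page should report that the plug-in is not available. Keep in mind that this only governs the Oracle plug-in; a browser that has its own plug-in whitelist or click-to-play setting should be configured as well, and standalone Java applications on the desktop are unaffected by these keys.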
