Oracle plans to release an update for the widely exploited Java browser plugin. The update fixes 39 critical vulnerabilities and introduces changes designed to make it harder to carry out drive-by attacks on end-user computers.
The update scheduled for Tuesday comes as the security of Java is reaching near-crisis levels. Throughout the past year, a series of attacks hosted on popular websites has been used to surreptitiously install malware on unwitting users’ machines. The security flaws have been used to infect employees of Facebook and Apple in targeted attacks intended to penetrate those companies. The vulnerabilities have also been exploited to hijack computers of home and business users. More than once, attackers have exploited one previously undocumented bug within days or weeks of patching a previous “zero-day,” as such vulnerabilities are known, creating a string of attacks on the latest version of the widely used plugin.
In all, Java 7 Update 21 will fix at least 42 security bugs, Oracle said in a pre-release announcement. The post went on to say that “39 of those vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.” The advisory didn’t specify or describe the holes that will be patched. Security Explorations, a Poland-based security company that has discovered dozens of “security issues” in Java, has a running list of them here.
In addition to the bug fixes, Oracle developers plan to roll out changes to Java that are intended to help end users make better decisions about when (and when not) to allow Java code to be executed in their browsers. Under the update, Java will display a variety of messages and dialog boxes, such as the one shown above, when it encounters websites that host Java applets. In some cases, the code will be executed only after an end user clicks an “OK” button.
“The messages presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority,” an article posted to Oracle’s Java.com explained. “Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future.”
By contrast, higher-risk apps will be accompanied by a message that includes an exclamation point in a yellow warning triangle when the app certificate is untrusted or expired, or a yellow warning shield when the app is unsigned or is signed by a certificate that’s not valid.
Oracle introduced a similar dialog message scheme late last year, but as previously reported by Ars, it doesn’t check the validity of application certificates. It’s a shortcoming that makes it easy for attackers to bypass the protection. That’s because it presents certificates as trustworthy even when they’ve been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light last month after Java gave the green light to a malicious app even though the digital certificate signing it had been revoked by the company that owned it.
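The gap Ars describes in the dialog, as an added illustration that is not Oracle's or Ars Technica's code: a small Go program builds a throwaway publisher CA, issues two code-signing certificates, revokes one of them in a CRL, and then runs the certificate check. Go's `crypto/x509` `Verify` behaves like the dialog described above in that it checks validity dates and the chain to a trusted root but not revocation, so the example adds the CRL check explicitly and fails closed when no usable CRL is at hand. The CA, the publisher names and the serial numbers are all constructed for the example; the `must`, `template` and `issue` helpers are this example's own, not part of any library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed example, not Oracle's or Ars Technica's code: a throwaway
// "publisher CA", two code-signing certificates and a CRL revoking one of them.

type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// Verdict records what each stage of the check concluded.
type Verdict struct{ ChainOK, Revoked, Trusted bool; Reason string }

func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA { // a CA that publishes CRLs must carry the crlSign key usage
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with parent's key; a nil parent means self-signed.
func issue(tmpl *x509.Certificate, parent *signer) (*signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &signer{cert: cert, key: key}, err
}

// issueCRL signs a CRL that lists one serial number as revoked.
func issueCRL(ca *signer, revoked *big.Int) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: time.Now()}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// validate: cert.Verify checks validity dates and the chain to a trusted root
// but says nothing about revocation, so the issuer's CRL is consulted after it.
func validate(cert *x509.Certificate, issuer *signer, crl *x509.RevocationList) Verdict {
	roots := x509.NewCertPool()
	roots.AddCert(issuer.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return Verdict{Reason: "chain invalid: " + err.Error()}
	}
	v := Verdict{ChainOK: true}
	// Fail closed: a missing, forged or stale CRL is not evidence of good standing.
	if crl == nil || crl.CheckSignatureFrom(issuer.cert) != nil || time.Now().After(crl.NextUpdate) {
		v.Reason = "no usable revocation data (CRL missing, not signed by issuer, or stale)"
		return v
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			v.Revoked, v.Reason = true, "certificate revoked by its issuer"
			return v
		}
	}
	v.Trusted, v.Reason = true, "chain valid and certificate not revoked"
	return v
}

// runScenario validates a legitimate certificate and one reported stolen and revoked.
func runScenario() (legit, stolen Verdict) {
	ca := must(issue(template("Example Publisher CA (constructed)", 1, true), nil))
	good := must(issue(template("Example App Publisher (constructed)", 100, false), ca))
	bad := must(issue(template("Example App Publisher (constructed)", 101, false), ca))
	crl := must(issueCRL(ca, bad.cert.SerialNumber))
	return validate(good.cert, ca, crl), validate(bad.cert, ca, crl)
}

func must[T any](v T, err error) T {
	if err != nil { // cannot happen with the constructed inputs above
		panic(err)
	}
	return v
}
```

The legitimate certificate comes back with ChainOK and Trusted set; the revoked one comes back with ChainOK set but Revoked, which is exactly the state a check that stops at the chain mistakes for trustworthiness. In a real verifier the CRL would be fetched from the certificate's CRL distribution point, or OCSP queried, rather than handed in as a parameter, and the fail-closed branch is what keeps a blocked download from turning into a silent pass.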
For almost a year now, Ars has been calling on Oracle developers to rigorously audit the Java software framework to patch the most critical security holes. It’s also crucial for Java to be outfitted with protections designed to help end users block drive-by attacks and to lessen the damage that can be done when vulnerabilities are exploited. It will take a few weeks to know if Tuesday’s update will finally deliver these long-overdue changes. We’re certainly keeping our fingers crossed, but in the meantime, we’re repeating our oft-repeated advice: users who have no need for the Java browser plugin should uninstall it, or users could reserve a specific browser for the handful of websites they use that require Java and a separate browser for all other sites.
via New security protection, fixes for 39 exploitable bugs coming to Java | Ars Technica.