Java 7 Attack Vectors, Oh My!
While researching how to successfully mitigate the recent Java 7 vulnerability (VU#636312, CVE-2012-4681), we (and by "we" I mean "Will Dormann") found quite a mess. In the midst of discussion about exploit activity and the out-of-cycle update from Oracle, I'd like to call attention to a couple other important points.
First, there's the question of the defensive value of the Java 7u7 update (and patching in general). You want to defend against Java attacks. Is installing the update necessary? Yes. Is it sufficient? No.
Recall that Security Explorations has reported more than one Java vulnerabilities. According to the FAQ for SE-2012-01, 4 out of 30 issues were addressed in Java 7u7. Furthermore, Security Explorations posted this on August 31:
Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again.
How long will it take for someone else to find a Java 7 vulnerability and develop stable exploit code?
Oracle released Java 7u7 out of cycle to address this vulnerability. Classic vulnerability disclosure: Scheduled releases make planning and management easier, but sometimes it's necessary to respond to an emergency like active exploitation. Oracle has also suggested that it's not necessary to disable Java since there's an update available. Patch and forget!
We strongly recommend disabling Java support in web browsers--and also applying any and all Java security updates.
Second, it's surprisingly difficult to completely disable Java support in web browsers. There are multiple ways to invoke Java, and each one is a potential attack vector: the Java plug-in, the Java Deployment Toolkit plug-in, the next generation Java plug-in, Java Web Start, and in Internet Explorer, hundreds of ActiveX controls. Disabling Java support in IE is by far the most complicated. We've got a 2,379-line registry file to help and more browser-specific advice in VU#636312.
So keep these things in mind:
- Java-through-the-browser is high threat, and it will be for some time.
- Updating isn't good enough.
- It's harder than you'd think to disable Java-through-the-browser.
Let me repeat: We strongly recommend disabling Java support in web browsers. And leave it off.