Java 0-day impact to Java 6 (and beyond?)

Published: 2013-01-12. Last Updated: 2013-01-12 14:09:45 UTC
by Stephen Hall (Version: 1)
9 comment(s)

The ISC has covered Java recently a number of times with Johannes's commentary and the January 2013 OUCH! heads-up by Adam of the issues with Java 7 update 10 and the current 0-day doing the rounds.

However, the guys over at Immunity have released their analysis (PDF) of the MBeanInstantiator.findClass 0-day. Other than the excellent review of the 0-day they comment that:

"This vulnerability affects JDK 6 (at least from update 10 and greater) up to the latest JDK 7 update 10. The comments in the source code state that these classes MBeanInstantiator and JmxMBeanServer are available since JDK 5, but we did not check versions before JDK 6 update 10. "

So, this tells us that if you are using JDK 6 this 0-day likely now includes you as a potential target, and maybe even if you have systems with JDK 5 installed.

Let's hope Oracle patching this one soon, and if the article is correct, completely this time.

Steve

Keywords: 0 Day Java
9 comment(s)

Comments

- http://www.kb.cert.org/vuls/id/625617
Last revised: 12 Jan 2013 - "... Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation* for more details..."
Disabling Java in the Browser:
* http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable

.
By reading the analysis, the 0 day seems to rely on both the JMX MBean vulnerability + the recursive reflection vulnerability using the Invoke API (which is only in Java 7)..
The CVE implies that 1.6.0_37 is ok and states that 1.6.0_35 and earlier are vulnerable. I see no reason to, and will not upgrade to 1.7 until a CVE for the last 1.6 release appears and is only patched in 1.7. Not aware of any compellingly useful code requiring 1.7. Java is mostly legacy now that Oracle owns it--kiss of death.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422
I think it's high time that most folks to just remove java period. Bet 9 out of 10 folks will never miss it. Do feel sorry for the corp folks that can't get away from it. Suspect of those that can (and tired of the endless 0-days) it's disappearing off corporate desktops right and left. Suspect Java's days are numbered.
Ahh, I really long for the good old days when we all believed the story about how safe Java was because all code ran in a sandbox and the underlying operating system could not be touched.

Unfortunately if you are an Oracle shop, you need the JRE installed on the desktop and active in the browser. We also use numerous local government websites and they seem to love Java. It's just not an option for us.

Interestingly, Check Point issued a bulletin last week that the IPS signature they released back in August for the same component is still effective against this latest exploit. Maybe other vendors will find their signatures are also still good.

Don't forget that JRE v1.6 goes off support on Feb. 1, 2013. You may be "upgrading" to v1.7 sooner than you desire. JRE 1.6 had two other "drop dead" dates last year (July 2012 and Nov. 2012) and Oracle extended it both times. I don't think that's going to happen again because they now have their own applications working with v1.7.
I do not think this issue affects Java 6. The quote Immunity states that the JMXBean vulnerability affects Java 6 and possibly previous versions. The reflection vulnerability is in code newly introduced in 7u10. The overall issue *only* affects 7u10.
Edit to my previous post: The new/vulnerable reflection code may have been introduced before 7u10, but still in 7, not 6. Also per Oracle: "Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected."
<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>
BTW, 7u11 is out.
In other words, demand they keep JRE 6 functional till they work out all the bugs in JRE 7. Oracles creeping featuritis at work on us.
Oracle shops with paid support will still be getting Java 6 security updates after public/free support for Java 6 ends Feb 1, 2013. We've only just recently had a few of our critical applicatiions certified by Oracle for Java 7. Needless to say, we'll be on Java 6 for some time.

However, we don't allow internal machines direct Internet access either. Most users surf via DMZed Terminal Services, and a select amount of users have "direct" Internet via proxy server access to white-list only sites to a very short list of business critical sites.

Diary Archives