Oracle plugs a host of critical Java vulnerabilities
Oracle’s Java SE Critical Patch Update for April 2013 contains 19 CVEs with CVSS base score of 10 (the highest you can go) indicating that exploiting the vulnerability is not particularly challenging and could give complete control of compromised systems.
For all of these vulnerabilities, the browser is the vector of exploit. For one of those (CVE-2013-1537) some Java server configurations will also be exposed. In total, there are 42 distinct CVEs for Java this quarter, of which 39 are through the Java Web Start plugin and can be remotely exploited without authentication.
Java exploits have publicly impacted major forces in the world of technology. Both Facebook and Bit9 have disclosed that they were compromised via Java. Administrators and end users alike have to realize that the common wisdom regarding Java plugin security and precautions will not change with this patch, the next one, or the one after that.
Java as a web plugin has a lot of unpatched issues, many of which are found and disclosed to Oracle by responsible researchers who are essentially doing Oracle’s Quality Assurance work for free on an ongoing basis.
We don’t know how many vulnerabilities the “bad guys” are finding though, until they hit the common market in widespread exploits. It’s doubtful that skilled and motivated attackers won’t find the same things as more ethical researchers. And some may well have more resources available to them to look.
With a browser plugin, pretty much any browser plugin as complex as Java (such as Flash, for instance), you should always assume that some attacker, somewhere has at least one 0day waiting for the right opportunity. Disable Java in the browser unless you have a specific business need to run it.
Ideally, only enable it in an alternate browser and restrict use of that browser to the sites where you need Java. If you do need to use it, apply this patch immediately, make sure Java is running at the highest security settings, and ensure that any old versions of Java have been uninstalled.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7