After informing a researcher just a few days ago that “they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle” they have made a 180 turn on the issue and pushed out an emergency patch to mitigate against the Serious Java Bug That Exposes Users To Code Execution.

They fell under heavy criticism after their statement as it was demonstrated by multiple people that the vulnerability was fairly trivial to exploit and could cause some serious damage.

I’m glad to see they took the proactive step of understanding the vulnerability and pushing out a patch. I just wish they would fix the way in which Java manages updates (multiple redundant copies of the software with minor differences).

Under criticism for not patching a critical vulnerability in its recently acquired Java virtual machine, Oracle on Thursday released an emergency update that eliminates the zero-day threat.

Functionality in the Java Web Start component made it trivial for attackers to remotely execute malicious code on end-user machines. Tavis Ormandy, one of the researchers who first discovered the threat, said he alerted Java handlers inside Oracle’s Sun division, but they decided no patch was necessary before the next update release scheduled for July.

It would appear that Oracle officials had a change of heart. On early Thursday, they pushed out Java 6, update 20, which makes changes to the Java Network Launch Protocol, according to release notes. The JNLP is closely associated with Java Web Start, which makes it easy for end users to install custom libraries needed to run Java applications.

Java 6, Update 20 is now publicly available and seems at least in part to fix the issue. I guess we’ll have to wait until next week when researchers have had some time to do more extensive testing to see if the issue is actually properly fixed.

There are unconfirmed reports however that the patch doesn’t completely eliminate the vulnerability. I wouldn’t be surprised if it’s not totally fixed, but I’ll be happy to see it is. But then from the report it only effects the way in which the Firefox plugin deals with the update so the majority (IE users) should be safe.

There are unconfirmed reports that the patch doesn’t completely eliminate the threat, most notably in this Google translation of a report from Heise. A researcher who asked not to be named said there may be upgrade problems with the npapi plugin used by Firefox that may leave a stale version behind. Internet Explorer should be safe, however.

The out-of-cycle update is a smart move, but Oracle still has unfinished work to make Java patching more seamless. First, Java needs to stop flogging the Yahoo Toolbar each time an update is available. Patches are about security, not marketing the unwanted bloat of partners.

Another gripe we’ve long had about Java updates is that they reset some default settings. A case in point: If you have Java configured to check for updates daily, instead of monthly as the program does by default, you’ll have to reset that preference each and every time you update. That means it could take a full 30 days to get critical security patches like the one released Thursday.

I have to agree with the comments about the Java updates, I just noticed a few days ago my Firefox had about 15 Java add-ons from all the previous versions of the JVM. Why can’t it just upgrade over the existing version like every other sane piece of software does?

Anyway it’s a good move by Oracle and I hope more companies follow suit by taking security issues seriously and dealing with them in a timely fashion.

Source: The Register

Once again a different attack vector, seems to the creative season for discovering bugs. I guess it’s partially due to the fact this time of year tends to be pretty quiet business wise so researchers have plenty of downtime to look at nifty ways to break things.

This might be a tough one to solve as it’s not a typical buffer overflow or programming bug per-se but more of a flaw in the way the Java Virtual Machine functions. Sun don’t consider this vulnerability to be critical, which could be a mistake on their part as that means it won’t be patched until the next patch in the cycle is released – which should be around July.

A Google researcher has published details of a Java virtual machine bug that could be used to run unauthorized programs on a computer.

The attack was disclosed Friday by Google’s Tavis Ormandy, who said he had notified Oracle’s Sun team about the flaw earlier. “They informed me that they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle,” Ormandy wrote. “I did not agree.” Oracle declined to comment on the issue. The company just released a major Java update last week and its next set of patches is due in July.

The attack could give hackers a way to run unauthorized Java programs on a victim’s machine. They can do this because Java allows developers to tell the Java virtual machine to install alternate Java libraries. By creating a malicious library and then telling the JVM to install it, an attacker could run his malicious program.

The attack was actually disclosed by a Google employee, in some articles it stated he did not wish for his company name to be disclosed but it was anyway in this article at least.

It works in a fairly roundabout way by leveraging on the fact Java allows developers to run libraries using the JVM, by installing an alternate malicious library an attacker could compromise the machine.

Oracle is making a mistake, not patching the bug immediately, said Marc Maiffret, chief security architect with FireEye, via instant message.

The bug is particularly nasty because it’s due to a design flaw in Java, rather than the type of programming error that would lead to a more common buffer-overflow attack. “It is a neat bug,” he said.

However, Java-based attacks are still rare, and rather than developing a brand-new type of attack, criminals are more likely to spend their time using known vectors such as the browser or Adobe Reader, said Russ Cooper, a senior information security analyst with Verizon Business.

“Java has not been exploited to any extent that should worry the average consumer, heck, or business for that matter,” he said via instant message.

Risk wise however, I’d have to agree it’s not particularly high as historically Java attacks aren’t really common and attackers will play the numbers game attacking whatever will yield the most infections.

The flaw affects all versions since Java SE 6 update 10 for Microsoft Windows and could possibly effect Linux users – but that hasn’t been verified yet.

More via The Reg here – Critical Java Vulnerability

Source: Network World

CodeCrawler is a tool aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code. It’s a Microsoft .NET 3.5 Windows Form application which supports the OWASP Code Review Project.

It provides automatic STRIDE classification a very simple DREAD calculator and few minor utilities. Direct links to WAST 2.0 Threat Classification, Secure Java Development Guidelines and OWASP Tools are also part of the package.

Requirements

• .NET Framework 3.5 (Service Pack 1)
• Visual Studio 2008
• Windows Platform

You can download CodeCrawler here:

CODECRAWLER_2.5_RELEASE.zip

Or read more here.

You may remember a while back we did a Review of Acunetix Web Vulnerability Scanner 6 – the very full featured web vulnerability scanning software.

Well the latest version has been released recently with some updates, bug fixes and improvements on the web application security front.

I’m hoping to try out the AcuSensor on a PHP install soon to see what kind of information it can give me.

A full review isn’t really need as the installation, interface and features are mostly the same as version 6.

One of the great new features is the Login Sequence Recorder (LSR), which can record the exact sequence needed to login to a site and replay it.

Combine this with the Session Auto Recognition module, which will identify when a logged in session is invalided or expired and will re-login automatically and you have a great tool for scanning authentication based web applications.

There is also a lot more support for JSP/Tomcat based application, I haven’t had chance to test this as I don’t deal with many Java based web applications.

Also included are some back-end and interface changes like the display of port scan & network alerts separately from the web alerts, which does make it easier to see where the issues are.

Backend stuff like cookie handling and Blind SQL Injection methods have been improved, you can also import your settings from Version 6 if you are currently using that.

You can read the press release here, or more on the blog here.

The pricing can be found here (in both Euros and USD).

If you want to know more about the features you can download the manual here:

Acunetix WVS 6.5 Manual [PDF]

LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project.

LAPSE targets the following Web application vulnerabilities:

• Parameter manipulation
• SQL injections
• Header manipulation
• Cross-site scripting
• Cookie poisoning
• HTTP splitting
• Command-line parameters
• Path traversal

What should you do to avoid these vulnerabilities in your code? How do we protect Web applications from exploits? The proper way to deal with these types of attacks is by sanitizing the tainted input. Please refer to the OWASP guide to find out more about Web application security.

If you are interested in auditing a Java Web application, LAPSE helps you in the following ways:

• Identify taint sources
• Identify taint sinks
• Find paths between sources and sinks

LAPSE is inspired by existing lightweight security auditing tools such as RATS, pscan, and FlawFinder. Unlike those tools, however, LAPSE addresses vulnerabilities in Web applications. LAPSE is not intended as a comprehensive solution for Web application security, but rather as an aid in the code review process. Those looking for more comprehensive tools are encouraged to look at some of the tools produced by Fortify or Secure Software.

Read more about LAPSE HERE.

You can download LAPSE here:

LAPSE: Web Application Security Scanner for Java