Will the Java Whack-a-Mole game ever end?
On Monday (March 4), the nearly ubiquitous Java cross-platform software module received its third update in less than a month, and its fifth for the still-young year.
The emergency patch from Java maker Oracle is meant to stop cybercriminals from actively exploiting a security vulnerability that let them place malware on a victim's computer by attacking a Web browser. The patch also fixes a less serious flaw.
"I thought this was an unusually speedy patch response for Oracle," observed independent security blogger Brian Krebs about the fix. "That is, until I read an Oracle blog post that accompanied the patch release."
On its official security blog, Oracle said it had known about the more serious flaw since the beginning of February, but didn't have time to include a fix in the Critical Patch Update it sent out Feb. 19.
Still, instead of waiting until its next scheduled Critical Patch Update, set for the middle of April, Oracle decided to push out this fix outside of its normal patch cycle "to help maintain the security posture of all Java SE users."
Oracle has come under fire in recent years for failing to fix critical Java vulnerabilities in a timely manner. The company usually adheres to its strict patch schedule, which was recently accelerated from three times a year to every two months.
However, this is the second time in about a month — the last occurred Feb. 4 — that the company has issued an out-of-cycle software fix.
The two flaws being patched affect Java's browser plug-ins, not server or desktop applications that rely on Java.
"For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious Web page that leverages these vulnerabilities," said the official Oracle security alert. "Successful exploits can impact the availability, integrity and confidentiality of the user's system."
Both exploits took advantage of a flaw in a graphics component of Java. According to Milpitas, Calif., security firm FireEye, which first reported the flaw last week, the attack method only works some of the time.
"The exploit is not very reliable, as it tries to overwrite a big chunk of memory," researchers Darien Kindlund and Yichong Lin wrote on the official FireEye blog. "As a result, in most cases, upon exploitation, we can still see the payload downloading, but it fails to execute."
Unlike most software flaws, Java bugs affect Mac, Windows and Linux computers equally severely, and many security experts recommend that all Java browser plug-ins be disabled unless absolutely necessary. (Java-based desktop applications do not depend upon browser plug-ins.)
Java's "write once, run anywhere" environment means software developers, including malware writers, can be sure their creations will operate on all platforms on which the Java software environment is installed.
Although neither Microsoft nor Apple still bundles Java with its operating systems, the software is free to obtain and easy to install. Oracle estimates that 1.1 billion desktop and laptop computers run Java.
Despite the recent rash of out-of-band fixes, Oracle often seems one step behind. Researchers at Polish firm Security Explorations revealed five new flaws Monday that could be used to completely bypass Java's sandboxing feature.