Bit9 has done the report found a large number of“critical”Java vulnerability-vulnerability warning-the black bar safety net

2013-09-09T00:00:00
ID MYHACK58:62201340477
Type myhack58
Reporter 佚名
Modified 2013-09-09T00:00:00

Description

Bit9 has done recently for Java and its vulnerabilities conducted in-depth research, the results found that nearly half of the enterprises installed two or more versions of Java. Java in the enterprise environment is very General, enterprises usually do not delete the old version, which increases the threat attack surface, so that these endpoints can easily become the attacker's target.

As is well known, Java is“write once, run everywhere”platform, almost all computing devices are installed on Java. A lot of websites and web applications require Java to run properly, if not, you can try to close the browser in Java and see how much the application can not be used.

In 2 0 1 2 year, this popular platform appeared a lot of loopholes, it becomes the attacker is most often the use of technology. In the bit9 has done just released the Java vulnerabilities report: write once, everywhere the scourge of the article to introduce us to Java question of the severity.

The Java issue is very special

Bit9 has done with the company security researchers Dan Brown said, Java is often under fire, many people have suggested that companies should disable environment Java. Brown said:“but the people did not heed these people's advice and removed Java because they don't think Java with other vulnerable software have what different. But Java is indeed different, the attackers favor of the Java is there for a reason.” There are now many different versions of Java, you very difficult to install all the patches and updates. The General business of the network are“more than 5 0 different version of Java”, but only“less than 1% of businesses to use latest version.”

According to bit9 has done the report shows, the most popular version of Java(version 6, update 2 0)A 9 6 a vulnerability was rated as“severe”, which is 9 6 very serious vulnerabilities. That these Java security vulnerabilities occur and how quickly? Brown said:“very soon. In version 7, update 2 1, and version 7, update 2 5 between the months these everywhere installation software appears a 3 8 a serious vulnerability.”

Although people have been advocating Java is a problem, but bit9 has done want to let people know that Java is not only a problem, but is a very special problem. Brown said:“people don't know the installation of Java does not remove older version. So, companies should make sure that when you upgrade, don't install again the old version. This is the endpoint in the presence of so many Java version of one of the reasons.”

The endpoint to retain older versions of Java what is wrong with that?“ Java security vulnerabilities in a variety of forms,”Brown explained,“one of which is typical of the exploit, allowing the attacker to get out of the sandbox constraints. In the browser running a Java virtual machine(VM)basically have an isolated sandbox layer. The attacker can find and use loopholes to make Java behave like a Mature Java application(with all the privileges and rights), and not to limit the browser sandbox.”

Another vulnerability with Oracle or other companies in the deployment of the control, these companies want to warn the user that the applet is trying to access an older version of Java.“ The attacker could basically get their code on older more vulnerable version of running,”Brown said,“This is a difficult problem, which with the businesses usual to deal with the vulnerability type is completely different. If each enterprise can tap a switch, get out of the environment of the Java vulnerability, they may be more secure.”

Java is a powerful black box

From a threat point of view, Java is a unique place in that it is a strong viable black box. When the attacker access to the Java VM of the control, they have a lot of features, including scripting.

If they can use one of the vulnerability is to simply break the sandbox, or upgrade their VM permissions in they download any code by the Java VM to execute, and the enterprise of safety control basic do not know this behavior.

“Java is not like Adobe Acrobat, Adobe Acrobat is a fixed function program, and can not provide attackers with a lot of software features,”Brown explained,“for Java, the attacker can according to need to use all the Java VM functions, and they can be in the Java environment do all these things.”

Usually when people are looking for malware, malicious executable file, 他们只会寻找Java.exe we all love and trust of this executable file, but note that it is internally running code.“ Internal code basically allows Java. exe to perform various malicious actions,”Brown said,“it is possible to provide these features, make the Java VM like a black box, so that the security control is invalid. I don't think all people know this thing, this also let Java become very easy targets.”

How businesses can reduce the Java exploit risk?

Some companies can be from their environment completely removed Java, and does not affect to its business. But for other companies, in a long period of time, the business case will need to use Java.“ Businesses may not have the resources to modify them in Java legacy code,”Brown said,“But you still need to pay attention to these codes, and want to approach these codes. The first step is to determine the Java in your enterprise popularity you have how many versions of Java, as well as where they are, and sure you can remove how many versions.” Another step is to delete the web browser in Java,“from browser remove Java can be almost eliminated all of the attack surface.”

If your business requires the use of Java, particularly in the browser environment to run Java, bit9 has done suggest you isolate that environment, in Brown stated:“using the sandbox browser, or VM, or some kind of isolation technology to completely isolate the desktop network in Java.” Bit9 has done suggestions, if you can, business best to delete Java. If you must use Java, leave it if not, then it should be possible to reduce the Java in the enterprise the use of, or isolation.