As any Java user will be more than aware, platform security is certainly nothing to be taken for granted. This week, Oracle have issued their Q3 wave of critical patch updates (154 in all), with 25 directed at Java.
Along with plugs for a series of library issues, the CPU contains fixes targeting security and deployment sub-components, Java CORBA (Common Object Request Broker Architecture), Remote Method Invocation (Java RMI), Java FX, serialisation, 2D, Java API for XML Processing (JAXP), and Java Generic Security Services (JGSS).
Whilst this year has been notably quiet on the security front for Java, there have been a few nasties which have cropped up over the past few months. Notably, this summer, security specialists Trend Micro identified CVE-2015-2590 – a zero day exploit which was discovered by chance as part of their ongoing investigation and monitoring initiative into targeted attack campaign “Pawn Storm.” Oracle subsequently issued a fix for this as part of an earlier quarterly Critical Patch Update on July 14th.
Alongside CVE-2015-2590, the team identified a secondary flaw which allowed attackers to bypass the click-to-play protection used by Java: CVE-2015-4902. Circumventing the click-to-play protection means that Java code can run freely, unabated by any alert windows popping up. The way it goes about this is, as the saying goes, cunning as a fox who’s just been appointed Professor of Cunning at Oxford University – as you can see in the infographic below (created by the Trend Micro Team).
Fortunately, this hole has now been filled in Oracle’s latest CPU drop. Whilst Trend Micro urges users to migrate away from the language where possible, Java is certainly not alone in its vulnerability to the dastardly Pawn Storm. In the past week, it’s been revealed that Pawn Storm has also been actively targeting Adobe Flash, further denting the reputation of the platform.
Whilst none of the vulnerabilities identified in this update have been targeted to date, it’s always better to make updating a priority – you can put a patch on your Java by visiting the official Oracle download page.