Oracle releases 154 fixes, plugs click-to-play bypass Java flaw used in attacks

Oracle has released its quarterly patch update that contains 154 security fixes for its various products.

What will interest end users the most are the fixes released for Java, a plugin often targeted by cyber attackers.

“Oracle Java SE receives 25 new security fixes, 24 of which are remotely exploitable without authentication. The highest reported CVSS Base Score for these Java SE vulnerabilities is 10.0,” Oracle software security assurance director Eric Maurice noted.

“20 of the Java SE vulnerabilities only affect client deployment of Java SE (e.g., Java in the browser). The remaining 5 vulnerabilities affect client and server deployments of Java SE. Java home users should visit the java.com web site to ensure that they are using the most recent version of Java and remove obsolete JAVA SE versions from their desktop if they are not needed.”

If you don’t think you need Java, it’s a good idea to uninstall it altogether.

Among the fixed Java flaws is one (CVE-2015-4902) that was used to bypass the Java click-to-play protection by the Pawn Storm attackers when they targeted NATO members and the White House earlier this year.

“Oracle acknowledged this vulnerability once we privately disclosed [it]. The method used to bypass this protection was quite ingenious,” Trend Micro threats analyst Jack Tang noted, and explained how the attackers did it.

“If Java was still in widespread use today, the effects of a bypass of click-to-play protection would be far-reaching. Any zero-day vulnerability discovered down the road would allow for drive-by downloads to be carried out,” he pointed out.

“This case also highlights the importance of ensuring that when new security features (such as click-to-play) are introduced to a complex system like Java, it is a must to audit the communications of existing components with the new features.”

Oracle’s next Critical Patch Update is scheduled to be released on 19 January 2016.

For more details, check out Eric Maurice’s blog post.