Strategic Security Survey: Global Threat, Local Pain

SANS Institute security researcher Daniel Wesemann on Thursday warned Java users to wake up and patch their Java, especially in light of Oracle's recently released critical patch update bulletin. All told, last month Oracle released 29 security fixes for Java SE and Java for Business products.

The good news for anyone who's previously delayed patching is that "the latest Critical Patch Update includes all fixes from the previous Critical Patch Updates," said Oracle.

But the bad news for anyone who has yet to patch is that many of the vulnerabilities leave your PC open to malicious attacks. Visit a website that's been poisoned by attackers, and your vulnerable Java code could be exploited to automatically add a virus to your PC, or your PC to a botnet.

Last month, Microsoft issued a similar Java update appeal, warning of an "unprecedented wave" of Java exploits. Interestingly, most of those exploits targeted just three vulnerabilities, which Adobe had long since patched.

According to Wesemann, "it doesn't look like the situation has improved since, and the bad guys are taking advantage."

For example, the third most popular Java Help Center support issue was "Virus found in my Java Cache Directory." It's preceded by two other security concerns: "Can Java download be infected with a virus?" and "Why should I remove older versions of Java from my system?" (The short answer: for security and performance reasons.)

Java exploits can be just as damaging as any other type of malware attack. For example, the "bpac" family of exploits can arrive via drive-by attacks, and then download applets or a PDF, which then begin downloading executable files (EXEs).

"The EXEs pack quite a punch -- one recent sample submitted contained no less than 66 individual other malicious EXEs," said Wesemann. "Yes, a user would be bound to notice this deluge of badness, but he still wouldn't stand a chance to ever clean all of this crud off the system again."

Accordingly, "if you haven't done so yet, hunt down and patch every incarnation of Java on the PCs that you are responsible for," he said.

For organizations not able to immediately patch all Java installations, there are some workarounds. For example, security researcher David Sharpe recommends that organizations set their intrusion prevention systems to block seven exploits, since they're being seen in the wild and are utilized by some of the most popular crimeware toolkits.