Posted by: cgibney
by Ron Condon, UK Bureau Chief
A timely reminder came today from Daniel Wesemann, writing on the SANS Internet Storm Center blog, about the need to make sure that Java is kept patched and up to date.
Oracle Corp. (which now owns Java, since buying Sun Microsystems last year) released a patch bundle for Java in October, which included a long list of security fixes, several for vulnerabilities that could allow drive-by exploits.
“And since Java is present on pretty much every Windows PC, and people don’t seem to do their Java updates quite as diligently as their Windows patches, there are a lot of vulnerable PCs out there,” says Wesemann.
He describes in detail one popular exploit family currently doing the rounds, called “bpac”, which targets the HashMap vulnerability (CVE-2010-0840). A user only needs to browse to an infected web page, and the exploit pulls down a series of .exe files (in one case, up to 66 of them) that can be hard to clean up after the event.
Ironically, the attack would be stopped by a Java security fix issued in July, but, as Wesemann observes: “I guess the bad guys won’t start ‘burning’ their newest Java exploits while the old set is still going strong.”
His advice is short and sweet: “If you haven’t done so yet, hunt down and patch every incarnation of Java on the PCs that you are responsible for.”
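The "hunt down every incarnation" step is the one that usually goes wrong, since a host can carry several JREs besides the one on PATH. The script below is an added example, not part of the original post or the Storm Center diary: it lists the java binaries found under the usual install roots and on PATH, parses each one's version banner (both the old `1.6.0_21` form and the newer `11.0.2` form), and flags runtimes older than a baseline you supply. The install roots and the baseline numbers are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added Java inventory script (not from the original post). Flags every java
# binary older than a baseline release passed on the command line.
# The scan roots below are an assumption; extend them for your hosts.

# Turn the first line of `java -version` into "major update", e.g.
#   java version "1.6.0_21"        -> 6 21
#   openjdk version "11.0.2" ...   -> 11 2
# Prints nothing when the banner is not recognised.
parse_java_banner() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^[a-z]* version "1\.\([0-9][0-9]*\)\.[0-9][0-9]*_\([0-9][0-9]*\)".*/\1 \2/p' \
        -e 's/^[a-z]* version "\([0-9][0-9]*\)\.[0-9][0-9]*\.\([0-9][0-9]*\)".*/\1 \2/p' \
        | head -n 1
}

# Exit 0 (true) when the banner is older than the baseline major/update.
# An unparseable banner is treated as outdated so it is never silently skipped.
java_is_outdated() {
    banner=$1; base_major=$2; base_update=$3
    set -- $(parse_java_banner "$banner")
    [ "$#" -eq 2 ] || return 0
    major=$1; update=$2
    if [ "$major" -lt "$base_major" ]; then return 0; fi
    if [ "$major" -eq "$base_major" ] && [ "$update" -lt "$base_update" ]; then return 0; fi
    return 1
}

# Collect candidate binaries from PATH and the common install roots, then
# report each one as ok or OUTDATED against the baseline.
scan_java_installs() {
    base_major=$1; base_update=$2
    {
        command -v java 2>/dev/null || true
        find /usr/lib/jvm /usr/java /opt /usr/local -type f -name java 2>/dev/null || true
    } | sort -u | while read -r bin; do
        [ -x "$bin" ] || continue
        banner=$("$bin" -version 2>&1 | head -n 1)
        if java_is_outdated "$banner" "$base_major" "$base_update"; then
            printf 'OUTDATED  %s  (%s)\n' "$bin" "$banner"
        else
            printf 'ok        %s  (%s)\n' "$bin" "$banner"
        fi
    done
}

# Usage: sh java_inventory.sh <baseline_major> <baseline_update>
if [ "$#" -ge 2 ]; then
    scan_java_installs "$1" "$2"
fi
```

Run it on each managed host with the major and update numbers of the release you consider current; anything printed as OUTDATED, or with an unrecognised banner, needs a visit.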