Oracle released a new round of updates for Java yesterday. Two of the vulnerabilities fixed (CVE-2013-5809 and CVE-2013-5778) and one defense-in-depth issue were discovered by Trend Micro researchers and privately reported to Oracle. All of these are now patched, and we do not believe they are in use or were earlier discovered by threat actors.
All of these vulnerabilities were in Java’s native-layer code and could lead to remote code execution or information leakage. For example, one of the vulnerabilities we found was a heap overflow. An attacker could host a malicious Java applet targeting this flaw on a malicious web site; when a user whose browser has Java enabled visits that site, they could be infected with malware.
Java native vulnerabilities, also known as “Java memory corruption vulnerabilities”, are vulnerabilities in the JRE’s native (C/C++) code. Unlike the sandbox-bypassing vulnerabilities in the JRE’s Java code, native vulnerabilities cause memory corruption (e.g. buffer overflows) directly, which can lead to code execution.
Earlier, my colleague Jack Tang discussed the trend of increasing Java native vulnerabilities. What I want to add here is that Java native vulnerabilities remain exploitable even with the latest exploit mitigation techniques, such as DEP and ASLR, in place.
The vulnerabilities we reported also affect Java 6, which Oracle stopped supporting early this year. This is a problem for users who still run that version, since Oracle will not provide any security updates for them. It is therefore important for users to migrate to the latest version of the software as soon as possible.
Last month, at SyScan 360 in Beijing, I presented several methods for exploiting Java native vulnerabilities even when DEP and ASLR are both enabled. At the end of the presentation, I also demonstrated remote code execution on a fully patched Java install on Windows 8, using a native zero-day vulnerability. (To protect our users, I did not publish the details of this security flaw.)
We urge users to carefully evaluate whether they need Java at all and to ensure that any copies they do use are up-to-date, to reduce exposure to present and future Java flaws.
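As an added example (not code from the original post or from Trend Micro), the following script implements the check the two previous paragraphs call for: it parses the banner that `java -version` prints and flags runtimes in the Java 6 family, which Oracle no longer patches. The sample banners are constructed; the handling of the newer "17.0.2" numbering goes beyond the legacy "1.6.0_45" format the post is concerned with.

```python
import re
import subprocess

# Constructed sample banners; java prints this text to stderr, not stdout.
SAMPLE_JAVA6 = 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)\n'
SAMPLE_JAVA7 = 'java version "1.7.0_40"\nJava(TM) SE Runtime Environment (build 1.7.0_40-b43)\n'

# Matches both legacy numbering (1.6.0_45) and newer numbering (17.0.2).
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Highest Java family that Oracle had already stopped supporting at the time of the post.
LAST_UNSUPPORTED_FAMILY = 6


def parse_java_version(banner):
    """Return (family, update) from a 'java -version' banner, e.g. "1.6.0_45" -> (6, 45).

    Returns None when no version string is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, _micro, update = m.groups()
    # Legacy scheme: "1.6" means Java 6, "1.7" means Java 7; newer scheme uses the major directly.
    family = int(minor) if major == "1" else int(major)
    return family, int(update or 0)


def is_unsupported(banner):
    """True when the runtime belongs to a family that no longer receives security updates.

    An unparseable banner is reported as unsupported so it gets looked at rather than ignored."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return True
    return parsed[0] <= LAST_UNSUPPORTED_FAMILY


def installed_java_banner():
    """Capture the version banner of the java binary on PATH, or None if there is none."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    banner = installed_java_banner()
    if banner is None:
        print("no java binary on PATH")
    else:
        print("version:", parse_java_version(banner), "unsupported:", is_unsupported(banner))
```

A supported family still needs to be compared against Oracle's advisory to confirm it carries the current update; the script only rules out the end-of-life family.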
Trend Micro Deep Security protects users from the exploits targeting the vulnerabilities cited in this blog via the following rules:
- 1005724 – Oracle JRE JPEG.DLL Heap Buffer Overflow Vulnerability
- 1005722 – Oracle Java mlib_image!cvtCustomToDefault Array Out Of Bound Read Vulnerability
- 1005723 – Oracle Java True Type Font Processing Vulnerability
For more information on the other vulnerabilities and their corresponding solutions, users may also visit Oracle’s page.