Oracle aware of Java vulnerabilities for months
Researcher blows whistle on apparent delays on delivering patch
Tech4Biz | 31 Aug 2012
Today (31 August) marks the end of an era, as outgoing VMware CEO Paul Maritz hands the reins to incoming CEO Pat Gelsinger.
"I'm very happy to today formally hand over the custodianship of this community to Pat Gelsinger," Maritz told the audience during the opening keynote to VMworld 2012 on Monday as he ceremonially passed leadership of the virtualisation titan to Gelsinger. He noted that Gelsinger, formerly the president and chief operating officer of EMC (owner of a majority stake in VMware) and before that a 30-year veteran of Intel, has been a friend and colleague for 30 years.
Turning to Gelsinger, Maritz gestured to the audience and told him, "Take good care of them."
Maritz left the stage to a standing ovation led by Gelsinger.
Filling Maritz's shoes will be no easy task. Maritz has long been a luminary of the industry. He was president and general manager of EMC's Cloud Computing Division before his appointment as CEO of VMware in 2008. Prior to that, he spent 14 years at Microsoft and was widely regarded as the third-ranking executive at the software behemoth, behind Bill Gates and Steve Ballmer. He was in charge of Microsoft's desktop and server software, overseeing the development of Windows 95, Windows NT and Internet Explorer.
During his four years as CEO of VMware, Maritz helped dramatically increase the company's fortunes. When he took charge in 2008, about 25% of the world's Intel-based applications were running on a virtualised base. Four years later, that figure is 60%. In that same period, the number of VMware certified professionals has risen from 25,000 to 125,000.
"Back in 2008, we were asking ourselves what the hell is it," Maritz said of cloud computing. "Now we're asking ourselves: What do we do about it? How do we actually implement it? How do you transform your operations to take full advantage of it? What's going to happen in four years' time? Where are we going with this technology?"
"Where we are going is influenced by an enormous set of forces that are affecting our industry," he added. "We're coming to the mature stages of a very successful 50-year journey to automate most of the paper-based processes in the world. Businesses are absolutely dependent on these capabilities and they're not going to go away. At this point they're just table stakes. What's happening now is the imperative to deliver fundamentally new experiences to both end users and end customers."
But these new experiences can't be delivered on today's IT infrastructure, he said. To meet the future, he said, IT needs to be even more efficient and more agile.
"We are going to see an equal transition in IT over the next four years that we've seen over the past four years," he said. Maritz believes that to deliver the agility and efficiency required to meet the future, transformation is required at every level of IT from infrastructure to applications to access.
Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.
Security Explorations reported 19 Java 7 security issues to Oracle on 2 April. Those issues included the two zero-day vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said.
The company continued to report Java 7 vulnerabilities to Oracle in the following months until the total number reached 29. "We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs," Gowdiak said.
According to security researchers from security firm Immunity, the Java exploit published online earlier this week and integrated into the Blackhole attack toolkit makes use of two Java vulnerabilities, not one as was previously believed.
"The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check," Immunity developer Esteban Guillardoy said.
While both of those vulnerabilities, one in the ClassFinder class and one in the MethodFinder class, were found and reported by Security Explorations in April, the proof-of-concept exploits the company supplied to Oracle combined each of them with other bugs rather than with each other, Gowdiak said.
"The way in which SunToolkit class and its getField method is used to achieve a complete JVM [Java Virtual Machine] sandbox bypass is different from what we have demonstrated to Oracle," Gowdiak said.
Because of this, the researcher believes that the new exploit is likely the result of someone else independently discovering the same vulnerabilities, rather than a leak of information somewhere in the vulnerability report handling process.
However, nothing can be excluded with 100% certainty, Gowdiak said. "We don't know with whom and in what form or detail Oracle is sharing vulnerability information."
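The first bug Immunity describes defeats a sandbox check that normally stops untrusted code from even obtaining a reference to a class in a restricted package such as sun.awt. The following program, an added example that is not part of the article and not code from Immunity, Security Explorations or Oracle, shows that check working as intended: with the default SecurityManager installed, loading a class from a package listed in the "package.access" security property requires a RuntimePermission the application code does not hold, so the request is denied. The class name RestrictedPackageCheck and the probe() helper are this example's own. It assumes a JDK that still ships the SecurityManager (JDK 7 through 17; on JDK 18 and later the JVM must be started with -Djava.security.manager=allow, and the API is gone from JDK 24).

```java
import java.security.AccessControlException;

/**
 * Added example (not from the article): demonstrates the package-access
 * check that separates sandboxed code from sun.* internals. It is the
 * control the article's "first bug" is said to have circumvented.
 */
public class RestrictedPackageCheck {

    /** Ask the class loader for a class by name and report what the sandbox decided. */
    static String probe(String className) {
        try {
            Class<?> c = Class.forName(className);
            return "ALLOWED: " + c.getName();
        } catch (AccessControlException e) {
            // Thrown by SecurityManager.checkPackageAccess for packages in "package.access"
            return "DENIED by SecurityManager: " + e.getMessage();
        } catch (ClassNotFoundException e) {
            return "not present on this JDK: " + className;
        }
    }

    public static void main(String[] args) {
        // With no SecurityManager, nothing restricts access to sun.* packages.
        System.out.println("No sandbox   -> " + probe("sun.awt.SunToolkit"));

        // Install the default SecurityManager, the policy applets ran under.
        // (JDK 18+: start the JVM with -Djava.security.manager=allow.)
        System.setSecurityManager(new SecurityManager());

        // Restricted package: denied, because application code lacks
        // RuntimePermission("accessClassInPackage.sun.awt").
        System.out.println("With sandbox -> " + probe("sun.awt.SunToolkit"));

        // Ordinary public API: still allowed under the same sandbox.
        System.out.println("With sandbox -> " + probe("java.util.ArrayList"));
    }
}
```

Run it with `javac RestrictedPackageCheck.java && java RestrictedPackageCheck`; the second line should report the access denial while the third succeeds. From a defender's point of view the useful lesson is that this check lives in the class loader, so it only protects code that is actually loaded through a SecurityManager-aware loader with a restrictive policy; it does nothing for a runtime where no SecurityManager is installed, and the only durable fix for the bugs the article describes is the vendor patch.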
According to a status report received on Aug. 23 from Oracle, the company was planning to fix the two vulnerabilities in its October Critical Patch Update (CPU), together with 17 other Java 7 flaws reported by Security Explorations, Gowdiak said.
Oracle releases security patches every four months. The last Java CPU was released in June and only addressed three of the security issues reported by the Polish security firm.
"Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don't know why Oracle left so many serious bugs for the Oct. CPU," Gowdiak said.
Security Explorations is not aware of any changes in Oracle's patching plans at this time, Gowdiak said. "But, we hope they will stand up to the task and release a Java CPU fixing the security issues as soon as possible."
Oracle did not immediately return a request for comment regarding the vulnerability reports received from Security Explorations. The company has not publicly commented about the two actively exploited vulnerabilities either.
IDG News Service