IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission.

Oracle fixes vulnerability used in NATO and White House hacks

Zero-day click-to-play Pawn Storm bug squashed

The Capitol Building

Oracle has patched up a flaw in Java that allowed hackers to breach targets such as NATO and the White House in an operation known as Pawn Storm.

The vulnerability was used in attacks on web assets belonging to the military organisation as well as to a number of prominent companies, according to Trend Micro threat analyst Jack Tang.

Oracle also patched 154 flaws as part of a wide-reaching security update for a number of its applications, 25 of which affect Java.

The flaw in question, CVE-2015-4902, bypassed Java's click-to-play protection, which requires the user to click the space where the Java applet would normally be displayed before the applet is executed. In effect, it asks the user to confirm that they really want to run any Java code.

"Bypassing click-to-play protection allows for malicious Java code to run without any alert windows being shown," he said in a blog post.

"This was quite useful in Pawn Storm, as it used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year."

Tang noted that Pawn Storm frequently used zero-day exploits. "Just last week it was discovered to be using an unpatched flaw in Adobe Flash as part of its attacks. (This vulnerability has since been fixed by Adobe)," he said.

To mount an attack, a hacker embeds the HTML code in a malicious website, sets up an RMI registry server on a public IP address, and sets up a second web server, also on a public IP address, to host the malicious Java code.

The flaw allowed Java applets or Java Web Start applications to be executed without the user's knowledge.

"If Java was still in widespread use today, the effects of a bypass of click-to-play protection would be far-reaching. Any zero-day vulnerability discovered down the road would allow for drive-by downloads to be carried out," said Tang.

"This case also highlights the importance of ensuring that when new security features (such as click-to-play) are introduced to a complex system like Java, it is a must to audit the communications of existing components with the new features. This is to ensure that existing 'good' features and security are not lost in the mix," he added.

Tang warned users to either update to the latest version or stop using the technology altogether if possible.
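One practical way to act on that advice is to inventory the Java runtimes on your hosts and flag any that predate the patched release. The script below is an added example and is not code from IT Pro, Trend Micro or Oracle. It parses the banner that `java -version` prints and compares the update level against a baseline table; that table (Java SE 8u65, 7u91 and 6u105 as the first fixed releases of the October 2015 Critical Patch Update) is an assumption made here and should be verified against Oracle's own advisory before the script is used for anything that matters. The sample banners are constructed, not captured from real systems.

```python
"""Flag Java runtimes older than the October 2015 Critical Patch Update.

Added example, not part of the article or of Trend Micro's research.
The FIXED_UPDATE baseline is an assumption (8u65, 7u91, 6u105 as the first
patched update of each line); confirm it against Oracle's advisory.
"""
import re
import subprocess
from typing import Optional, Tuple

# Assumed first fixed update level per Java major line (October 2015 CPU).
FIXED_UPDATE = {6: 105, 7: 91, 8: 65}

# Matches the pre-Java-9 banner format: java version "1.8.0_60" or "1.7.0_85-b15".
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?[^"]*"')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner, or None if unparseable.

    A banner with no update suffix (e.g. "1.7.0") is treated as update 0.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the runtime predates the fix, False if patched, None if unknown.

    Major lines absent from FIXED_UPDATE (e.g. Java 5) are reported as
    unpatched, since no public fix exists for them.
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return True
    return update < fixed


def check_local_java() -> Optional[bool]:
    """Run `java -version` on this host (the banner goes to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None  # no java binary on PATH
    return is_vulnerable(proc.stderr + proc.stdout)


# Constructed sample banners for demonstration; not captured from real hosts.
SAMPLE_BANNERS = [
    'java version "1.8.0_60"\nJava(TM) SE Runtime Environment (build 1.8.0_60-b27)',
    'java version "1.8.0_65"\nJava(TM) SE Runtime Environment (build 1.8.0_65-b17)',
    'java version "1.7.0_85-b15"',
    'openjdk version "1.8.0_66"',
    'java version "1.5.0_22"',
    'something that is not a java banner',
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(repr(b.splitlines()[0]), "->", is_vulnerable(b))
    print("local java:", check_local_java())
```

Run it on each host (or feed it `java -version` output collected by your inventory tooling); a result of `True` means the runtime should be updated or, following Tang's advice, removed if nothing depends on it. Note that the regex only understands the `1.x.0_NN` scheme used up to Java 8, so newer runtimes return `None` and need a separate check.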

Trend Micro discovered the flaw and privately disclosed this to Oracle. Oracle also released fixes for products such as its databases, Fusion Middleware, Hyperion, Enterprise Manager, PeopleSoft Enterprise, Siebel CRM and MySQL in its security update.
