Oracle fixes vulnerability used in NATO and White House hacks

The Capitol Building

Oracle has patched up a flaw in Java that allowed hackers to breach targets such as NATO and the White House in an operation known as Pawn Storm.

The vulnerability was used in attacks on web assets belonging the military organisation as well as a number of prominent companies, according to Trend Micro threat analyst Jack Tang.

Oracle also patched 154 flaws as part of a wide-reaching security update for a number of its applications, 25 of which affect Java.

The flaw in question (CVE-2015-4902) managed to evade Java's Click-to-Play protection, which requires the user to click the space where the Java app would normally be displayed before it is executed. In effect, it asks the user if they are really sure they want to run any Java code.

"Bypassing click-to-play protection allows for malicious Java code to run without any alert windows being shown," he said in a blog post.

"This was quite useful in Pawn Storm, as it used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year."

Tang noted that Pawn Storm frequently used zero-day exploits. "Just last week it was discovered to be using an unpatched flaw in Adobe Flash as part of its attacks. (This vulnerability has since been fixed by Adobe)," he said.

To mount an attack, a hacker adds the HTML code to a malicious web site and then creates a RMI registry server which has a public IP address as well as creating another web server to hold the malicious Java code, which also has a public IP address.

The flaw would have executed Java applets or Java Web Start applications without the user's knowledge.

"If Java was still in widespread use today, the effects of a bypass of click-to-play protection would be far-reaching. Any zero-day vulnerability discovered down the road would allow for drive-by downloads to be carried out," said Tang.

"This case also highlights the importance of ensuring that when new security features (such as click-to-play) are introduced to a complex system like Java, it is a must to audit the communications of existing components with the new features. This is to ensure that existing "good" features and security are not lost in the mix," he added.

Tang warned users to either update to the latest version or stop using the technology altogether if possible.

Trend Micro discovered the flaw and privately disclosed this to Oracle. Oracle also released fixes for products such as its databases, Fusion Middleware, Hyperion, Enterprise Manager, PeopleSoft Enterprise, Siebel CRM and MySQL in its security update.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.