Oracle fixes vulnerability used in NATO and White House hacks
Zero-day click-to-play Pawn Storm bug squashed
Oracle has patched up a flaw in Java that allowed hackers to breach targets such as NATO and the White House in an operation known as Pawn Storm.
The vulnerability was used in attacks on web assets belonging the military organisation as well as a number of prominent companies, according to Trend Micro threat analyst Jack Tang.
Oracle also patched 154 flaws as part of a wide-reaching security update for a number of its applications, 25 of which affect Java.
The flaw in question (CVE-2015-4902) managed to evade Java's Click-to-Play protection, which requires the user to click the space where the Java app would normally be displayed before it is executed. In effect, it asks the user if they are really sure they want to run any Java code.
"Bypassing click-to-play protection allows for malicious Java code to run without any alert windows being shown," he said in a blog post.
"This was quite useful in Pawn Storm, as it used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year."
Tang noted that Pawn Storm frequently used zero-day exploits. "Just last week it was discovered to be using an unpatched flaw in Adobe Flash as part of its attacks. (This vulnerability has since been fixed by Adobe)," he said.
To mount an attack, a hacker adds the HTML code to a malicious web site and then creates a RMI registry server which has a public IP address as well as creating another web server to hold the malicious Java code, which also has a public IP address.
The flaw would have executed Java applets or Java Web Start applications without the user's knowledge.
"If Java was still in widespread use today, the effects of a bypass of click-to-play protection would be far-reaching. Any zero-day vulnerability discovered down the road would allow for drive-by downloads to be carried out," said Tang.
"This case also highlights the importance of ensuring that when new security features (such as click-to-play) are introduced to a complex system like Java, it is a must to audit the communications of existing components with the new features. This is to ensure that existing "good" features and security are not lost in the mix," he added.
Tang warned users to either update to the latest version or stop using the technology altogether if possible.
Trend Micro discovered the flaw and privately disclosed this to Oracle. Oracle also released fixes for products such as its databases, Fusion Middleware, Hyperion, Enterprise Manager, PeopleSoft Enterprise, Siebel CRM and MySQL in its security update.
Modern governance: The how-to guide
Equipping organisations with the right tools for business resilienceFree Download
Cloud operational excellence
Everything you need to know about optimising your cloud operationsWatch now
A buyer’s guide to board management software
How the right software can improve your board’s performance
The real world business value of Oracle autonomous data warehouse
Lead with a 417% five-year ROIDownload now