Unofficial patches released for Java flaws disclosed by Google Project Zero

Unofficial security patches have been released for two Oracle Java Runtime Environment (RE) flaws yet to be fixed discovered by Google Project Zero researcher.

Unofficial security patches have been released for two Oracle Java Runtime Environment (RE) vulnerabilities discovered by Google Project Zero researcher Mateusz Jurczyk. The company hasn’t yet released an official update to address the two vulnerabilities.

On February 18, Google Project Zero experts publicly disclosed the details of four Java RE vulnerabilities caused by heap-based out-of-bounds read issues. Project Zero experts internally tracked them as 1779, 1780, 1781 and 1782 and rated them as “medium severity.”

The experts used a fuzzing technique to test TrueType and OpenType fonts.

The security holes were discovered during fuzz testing aimed at the processing of TrueType and OpenType fonts.

Google Project Zero reported the flaws to Oracle on February 12, it decided to publicly disclose technical details of the issues after Oracle said it would only address the issues in a future release of Java. Oracle said that “scenario described does not provide a way for an attacker to exploit the user system directly.” In mid-March Oracle announced that and decided that it will patch them in a future release of Java RE.

ACROS Security’s 0patch announced the availability of its own patches for two of the flaws discovered by Google Project Zero, Java users can obtain for them for free. The company will release the patches for the remaining bugs very soon.

The patches were developed to avoid exploitation of the vulnerabilities by terminating the execution of java.exe when out-of-bounds access is detected.

“Both vulnerabilities are micropatched in a similar way: when out-of-bounds access is detected, execution of java.exe is terminated and “Exploit Blocked” reported. We felt trying to sanitize malicious input was too risky and could just move the vulnerability elsewhere. ” reads a Tweet published by 0patch.

The patches only work on Java 8 update 202.

“Note that these patches only apply to Java 8 update 202, which is a “PSU” (“Patch Set Update”, see (link: https://www.oracle.com/technetwork/java/javase/cpu-psu-explained-2331472.html) oracle.com/technetwork/ja…), since this is the version Project Zero’s @j00ru did his analysis on. Most Java users who update regularly are expected to be on “CPU” update 201.” continues 0patch.

Experts agree that the exploitation of these vulnerabilities doesn’t pose a serious risk to Java RE users.

Oracle plans to release next CPU on April 16, let’s see if it will include patches for these vulnerabilities.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Java RE, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.