Incident: Java Zero-Day Vulnerability Exploited in Web Browsers.

Published Date: 2012-08-29

Postmortem Analysis
Timeline 1. The software failure incident regarding the Java vulnerability happened in August 2012 [14217].
System 1. Java 7 Update 10 and earlier versions [16774] 2. Java version 7 (1.7, updates 0 to 6) [14217]. The two cited articles give different upper bounds for the affected range; both agree the flaw was limited to Java 7 and that Java 6 and below were not affected [16774, 14217].
Responsible Organization 1. Oracle, as supplier of the vulnerable Java 7 runtime and for not issuing a fix promptly once the flaw was public [16774, 14217] 2. The attackers who exploited the vulnerability to execute arbitrary code and spread malware [16774, 14217]
Impacted Organization 1. Users who had Java 7 Update 10 and earlier versions installed on their computers were impacted by the software failure incident [16774, 14217]. 2. Websites that were visited by users with the vulnerable Java software were also impacted as attackers could exploit the vulnerability through malicious code on these sites [16774].
Software Causes 1. The software failure incident was caused by a zero-day vulnerability in Java 7 Update 10 and earlier versions, allowing remote, unauthenticated attackers to execute arbitrary code [16774]. 2. The flaw affected versions of Java version 7 (identified as 1.7, for updates 0 to 6) but not version 6 and below, leading to the exploitation of the vulnerability by hackers [14217].
Non-software Causes 1. Lack of timely response and patch deployment by Oracle to address the identified vulnerability [16774, 14217] 2. Users' delay in updating Java software, with nearly half taking more than 60 days to do so [14217]
Impacts 1. Attackers could execute arbitrary code on the machine of any user whose browser loaded a malicious page while a vulnerable Java 7 plugin (1.7, updates 0 to 6) was enabled, compromising the confidentiality and integrity of that machine [16774, 14217]. 2. The exploit was in active use "in the wild" and had been incorporated into exploit kits, so the threat was real rather than theoretical for users who had neither disabled Java nor applied an update [16774, 14217]. 3. Security experts advised users to disable Oracle's Java software in web browsers until an update was available, trading browser Java functionality for safety [14217]. 4. Because Oracle had moved to quarterly fixes for Java, the next scheduled update was not due until October, leaving users exposed for an extended period unless a fix was issued outside that schedule [14217].
Preventions 1. Timely patching: the exposure window could have been shortened had Oracle issued a fix as soon as the flaw became known rather than waiting for the next quarterly release [16774, 14217]. 2. Regular updates: users who install Java updates promptly receive security fixes as they are released; nearly half of users took more than 60 days to update [14217]. 3. Disabling Java in the browser: since the attack vector was a malicious web page loaded with the Java plugin enabled, disabling Java in web browsers until a fix was available removed that vector [16774, 14217].
Fixes 1. Oracle needs to issue a fix for the vulnerability in the affected Java 7 versions that allows remote, unauthenticated attackers to execute arbitrary code [16774]. 2. Until Oracle provides that patch, users are advised to disable Java in their web browsers to mitigate the zero-day vulnerability [16774]. 3. Oracle should provide the update promptly rather than waiting for the next quarterly release, since the hole was already being exploited to spread malware and gain unauthorized access to computer systems [14217].
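The Preventions and Fixes above both turn on one question an administrator had to answer quickly: does a given machine run a Java 7 build inside the range the articles call vulnerable? The following Python script is an added example, not code from the page or from Oracle. It parses the first line of `java -version` output (legacy "1.X.0_UU" numbering), classifies the build against the range stated on this page (Java 7, updates 0 to 6 per [14217], with the upper bound as a parameter because [16774] says "Update 10 and earlier"), and triages a set of constructed sample outputs. The hostnames and outputs are invented for illustration.

```python
import re
from typing import Dict, NamedTuple, Optional


class JavaVersion(NamedTuple):
    major: int    # 7 for "1.7.0_06"
    update: int   # 6 for "1.7.0_06"; 0 when no "_NN" suffix is present


# First line of `java -version`, e.g. 'java version "1.7.0_06"' or
# 'openjdk version "1.7.0"'. Only the legacy "1.X.0_UU" scheme is handled,
# which is all that existed at the time of this incident.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.(\d+)(?:_(\d+))?(?:-[^"]*)?"')


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Extract (major, update) from `java -version` output; None if absent."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, _patch, update = m.groups()
    return JavaVersion(int(major), int(update) if update else 0)


def is_vulnerable(v: JavaVersion, max_vulnerable_update: int = 6) -> bool:
    """Affected range as stated on this page: Java 7, updates 0 to 6 [14217].

    Article 16774 gives "Update 10 and earlier", so the bound is a parameter
    rather than a constant; Java 6 and below never match.
    """
    return v.major == 7 and 0 <= v.update <= max_vulnerable_update


def classify(output: str, max_vulnerable_update: int = 6) -> str:
    v = parse_java_version(output)
    if v is None:
        return "unknown"          # no Java installed, or output not understood
    if v.major < 7:
        return "not_affected"     # Java 6 and below did not contain the flaw
    if is_vulnerable(v, max_vulnerable_update):
        return "vulnerable"
    return "patched"              # Java 7 above the vulnerable range


# Constructed sample outputs (hypothetical hosts, for illustration only).
SAMPLES: Dict[str, str] = {
    "workstation-a": 'java version "1.7.0_06"',
    "workstation-b": 'java version "1.7.0"',
    "workstation-c": 'openjdk version "1.6.0_33-icedtea"',
    "workstation-d": 'java version "1.7.0_07"',
    "workstation-e": "bash: java: command not found",
}


def triage(samples: Dict[str, str] = SAMPLES,
           max_vulnerable_update: int = 6) -> Dict[str, str]:
    """Map each host to its status so the vulnerable ones can be prioritised."""
    return {host: classify(out, max_vulnerable_update)
            for host, out in samples.items()}


if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host}: {status}")
```

Running it with the default bound reports workstation-a and workstation-b as vulnerable, workstation-c as not affected, workstation-d (Update 7) as patched and workstation-e as unknown; re-running with `max_vulnerable_update=10` moves workstation-d into the vulnerable set, which is the practical effect of the disagreement between the two cited articles. A "patched" result only says the runtime is outside the stated range; it does not confirm that Java is disabled in the browser, which was the recommended stopgap.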
References 1. Security researchers 2. US-CERT group 3. Oracle 4. Blogger named Kafeine at the site Malware don't need Coffee 5. AlienVault Labs 6. BitDefender 7. Web security company FireEye 8. Security company Rapid7 9. Atif Mushtaq of FireEye 10. Security writer Brian Krebs

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident having happened again at one_organization: - Oracle's Java software was affected by a zero-day vulnerability that allowed attackers to execute arbitrary code [16774]. - Oracle had faced similar Java incidents before, as indicated by the earlier need for emergency updates and by criticism of its delay in closing security holes [14217]. (b) The software failure incident having happened again at multiple_organization: - The exploit was incorporated into exploit kits and served from compromised websites, so any organization whose users ran the vulnerable Java plugin was exposed, not only Oracle [16774, 14217]. - Security experts' advice to disable Java in web browsers generally reflects that the flaw affected every browser and product that embedded the Java plugin [14217].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase can be seen in the articles as a vulnerability in the widely used Java software that could give attackers access to computers. The vulnerability in Java 7 Update 10 and earlier versions allows a remote, unauthenticated attacker to execute arbitrary code when someone visits a malicious website [16774]. This vulnerability was exploited in the wild and incorporated into exploit kits, indicating a design flaw in the Java software that allowed attackers to take advantage of the system [16774]. (b) The software failure incident related to the operation phase is evident in the articles as users being advised to disable Oracle's Java software in web browsers due to a zero-day flaw that was being actively used by hackers to break into computer systems and spread malware [14217]. The flaw affected Java version 7 and was actively being used to install malware on Windows users' machines [14217]. Additionally, the articles highlight that many users do not promptly update their Java software, leaving them vulnerable to attacks due to operational factors such as delayed patch installations [14217].
Boundary (Internal/External) within_system, outside_system (a) within_system: - The software failure incident reported in the articles is primarily due to a vulnerability within the Java software itself. The vulnerability allows attackers to execute arbitrary code and has been confirmed by security researchers [16774, 14217]. - Oracle, the supplier of Java software, acknowledged the flaw in Java software integrated with web browsers and mentioned that the flaw is limited to JDK7 [16774]. - The exploit has been actively used in the wild by attackers and is being incorporated into exploit kits, indicating that the vulnerability is a real-world threat originating from within the Java software [16774, 14217]. (b) outside_system: - The software failure incident also involves contributing factors originating from outside the system, such as malicious websites that have been set up with code to take advantage of the vulnerability in Java software [16774]. - Security experts have warned users to disable Java in web browsers to protect against the exploit, highlighting the external threat posed by hackers utilizing the vulnerability [14217].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: - The root cause was a defect in the Java 7 runtime itself (1.7, updates 0 to 6) that allowed a remote, unauthenticated attacker to execute arbitrary code; version 6 and below did not contain the flaw [16774, 14217]. (b) The software failure incident occurring due to human actions: - Attackers deliberately exploited the flaw "in the wild" and incorporated it into exploit kits to break into computer systems and spread malware [16774, 14217]. - Oracle had not issued a fix at the time of the articles and was criticized for moving to quarterly updates, with the next one not scheduled until October [16774, 14217]. - A significant portion of Java users did not promptly install security updates even when they were available [14217]. - Security experts advised users to disable Oracle's Java software in web browsers as a stopgap [14217].
Dimension (Hardware/Software) software (a) The software failure incident occurring due to hardware: - The articles do not mention any hardware-related issues contributing to the software vulnerability or exploit. Therefore, there is no information available regarding hardware-related factors in this software failure incident. (b) The software failure incident occurring due to software: - The software failure incident reported in the articles is primarily due to a vulnerability in the widely used Java software. Security researchers identified a zero-day flaw in Java 7 Update 10 and earlier versions that could allow attackers to execute arbitrary code [16774, 14217]. - Oracle, the supplier of Java, acknowledged the flaw in the Java software integrated with web browsers and mentioned that a fix would be available shortly [16774]. - The exploit was being actively used in the wild by attackers and was being incorporated into exploit kits to facilitate attacks [16774]. - Security experts advised users to disable Java in web browsers until Oracle provided an update to address the vulnerability [14217]. - The flaw affected Java version 7 but not version 6 and below, and it was being used to install malware on users' machines [14217]. - Oracle's Java blog had not been updated with information about the vulnerability at the time of publication [14217].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident reported in the articles is malicious in nature. Security researchers discovered a vulnerability in Java software that could allow attackers to execute arbitrary code on users' computers. This vulnerability was actively being exploited "in the wild" by attackers who were incorporating it into exploit kits to facilitate attacks [16774]. Additionally, the exploit was being used to install malware on users' machines through hacked websites [14217]. The attack was intentional and aimed at compromising the security of systems. (b) The software failure incident is also non-malicious in nature. The vulnerability in the Java software was not intentionally introduced by the developers or maintainers of the software. It was a flaw in the software that could be exploited by attackers for malicious purposes. Oracle, the supplier of Java, acknowledged the flaw and stated that it was limited to JDK7 and did not exist in other releases of Java. Oracle assured users that a fix would be available shortly [16774]. The flaw was a result of a technical issue in the software rather than a deliberate act to harm the system.
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) The intent of the software failure incident related to poor_decisions: - Oracle's move to quarterly fixes for Java, with no fix scheduled until October, left users exposed once the flaw was public [14217]. - Oracle's delay in issuing a fix for the affected Java 7 versions gave attackers time to incorporate the exploit into exploit kits [16774]. (b) The intent of the software failure incident related to accidental_decisions: - The vulnerability itself was an unintended defect in the Java code, not a deliberate design choice; Oracle acknowledged it and said a fix would follow [16774]. - Users who had not disabled Java were unintentionally exposed by Oracle's patch delay and by their own slow update habits [14217].
Capability (Incompetence/Accidental) development_incompetence (a) The software failure incident related to development incompetence: - A flaw in Java 7 that lets a remote, unauthenticated attacker execute arbitrary code from a web page is a serious security lapse in the development of the runtime, and its rapid incorporation into exploit kits shows how easily it was weaponized [16774]. (b) The software failure incident related to accidental factors: - The flaw was not introduced deliberately; it was discovered by security experts only after hackers were already using it to break into computer systems and spread malware [14217].
Duration temporary (a) The software failure incident described in the articles is temporary. This is evident from the fact that the vulnerability in Java software was identified, and security experts advised users to disable Java in web browsers until Oracle provided an update to fix the flaw. The articles mention that Oracle was aware of the flaw and stated that a fix would be available shortly [16774, 14217]. Additionally, the articles discuss the need for users to check whether their browsers are vulnerable and provide advice on how to disable Java temporarily to mitigate the risk of exploitation [14217].
Behaviour omission, value, other (a) crash: - The articles do not mention a crash where the system loses state and does not perform any of its intended functions. (b) omission: - The articles mention a zero-day flaw in Java software that has been used to break into computer systems and spread malware, indicating a failure of the system to prevent unauthorized access and malware distribution [14217]. (c) timing: - The articles do not mention a timing failure where the system performs its intended functions but at the wrong time. (d) value: - The articles mention a vulnerability in Java software that allows attackers to execute arbitrary code, indicating a failure of the system to correctly perform its intended functions [16774]. (e) byzantine: - The articles do not mention a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. (f) other: - The other behavior observed in the articles is a security vulnerability in Java software that is being actively exploited by attackers, leading to a significant security risk for users [14217, 16774].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence, other (a) death: People lost their lives due to the software failure - There is no mention of any deaths resulting from the software failure incident reported in the articles [16774, 14217]. (b) harm: People were physically harmed due to the software failure - There is no mention of any physical harm to individuals due to the software failure incident reported in the articles [16774, 14217]. (c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted by the software failure incident reported in the articles [16774, 14217]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident led to the spread of malware and the installation of malicious code on users' machines, impacting their data security [16774, 14217]. (e) delay: People had to postpone an activity due to the software failure - There is no mention of people having to postpone activities due to the software failure incident reported in the articles [16774, 14217]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident affected computer systems and devices that had Java software installed, leaving them open to compromise [16774, 14217]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had real-world consequences, including the exploitation of the vulnerability by attackers to execute arbitrary code and spread malware [16774, 14217]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss potential consequences that had not yet been observed, such as the wider compromise of users' systems expected if the flaw remained unpatched until Oracle's October update [16774, 14217]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The articles highlight the broad risk to data security for the large population of users running Java in their browsers, and the loss of browser Java functionality for users who followed the advice to disable it [16774, 14217].
Domain information, finance, government (a) The software failure incident related to a vulnerability in Java software impacted the industry of information as it allowed attackers to potentially access users' computers by exploiting the security flaw in Java [16774, 14217]. (b) The transportation industry was not directly impacted by the Java software vulnerability incident reported in the articles. (c) The natural resources industry was not directly impacted by the Java software vulnerability incident reported in the articles. (d) The sales industry was not directly impacted by the Java software vulnerability incident reported in the articles. (e) The construction industry was not directly impacted by the Java software vulnerability incident reported in the articles. (f) The manufacturing industry was not directly impacted by the Java software vulnerability incident reported in the articles. (g) The utilities industry was not directly impacted by the Java software vulnerability incident reported in the articles. (h) The finance industry was indirectly impacted by the Java software vulnerability incident as it could potentially affect financial transactions and security if exploited by attackers [16774, 14217]. (i) The knowledge industry, encompassing education and research, was not directly impacted by the Java software vulnerability incident reported in the articles. (j) The health industry was not directly impacted by the Java software vulnerability incident reported in the articles. (k) The entertainment industry was not directly impacted by the Java software vulnerability incident reported in the articles. (l) The government sector, particularly in terms of public services and defense, could be indirectly impacted by the Java software vulnerability incident if government systems or services were targeted by attackers exploiting the Java flaw [16774, 14217]. (m) The Java software vulnerability incident did not directly relate to an industry outside of the options provided in (a) to (l).

Sources
