Now it is time to get rid of Java. Get rid of Java in your web browser now. You need to do it if you care about your security at all. The Finnish Communications Regulatory Authority's CERT-FI and F-Secure's Chief Research Officer Mikko Hypponen are calling for the removal of Java software from browsers. Most of the recent Java run-time environments, i.e. JRE 1.7.x, are vulnerable. Older versions are not vulnerable to this specific security hole, but they have other holes, so using them to get around this one is not recommended either.
A recent bug in Java opens a hole in your computer to invaders. The situation is serious. Attackers Pounce on Zero-Day Java Exploit. The hole is being used for real, and the aim is to take over machines. The attackers have hit popular sites. The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack.
It will be interesting to see when Oracle plans a patch; until then most Java users are at the mercy of this exploit. The Oracle patch cycle is 4 months (middle of February, June, October), with bug fixes 2 months after the patch. The next patch day is October 16 – almost two months away. There is a 3rd-Party Patch For New Java Zero-Day, but you know what would be a better idea than patching Java? Uninstalling it.
Disabling Java in your browser is the best solution. Users urged to disable Java as new exploit emerges. The How to Unplug Java from the Browser article tells you how to do that. In Mozilla Firefox this is easy: from the main menu select Add-ons, and then disable any plugins with the word “Java” in them. Restart the browser. I did that to my browser to be safe.
Although Java is on almost each and every computer, you can in most cases live very well without it. Mikko Hypponen has for some time recommended getting rid of Java in the browser because “there will always be bugs in Java” that cause serious security issues quite often.
If you have to use an online service that absolutely needs Java (some online banking systems, for example), then I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
UPDATE August 31: Oracle has been quick in trying to solve this Java security issue. Oracle has just released an updated version of the Java software (Java 7 Update 7). It fixes four vulnerabilities. Update your Java to that newest version immediately. And I think it is still a good idea to keep Java turned off in your browser unless you absolutely need it.
92 Comments
Tomi Engdahl says:
IT giant Oracle has known about the recently found Java security hole already since last April, claims a Polish security company.
A serious zero-day vulnerability was revealed in Java last weekend, through which an attacker can run malicious code on a victim’s computer.
Polish Security Explorations told the IDG News Service that it reported the security hole to Oracle on 2 April.
According to security company Immunity this week, the Java problem is caused by two separate issues, and not one as previously believed.
Both of these holes were found and reported in April.
Source: http://www.tietoviikko.fi/kaikki_uutiset/oracle+tiesi+vakavasta+javahaavoittuvuudesta+jo+kuukausia/a833247?s=r&wtm=tietoviikko/-30082012&
Tomi Engdahl says:
Why Java would still stink even if it wasn’t security swiss cheese
Nuke it from orbit – it’s the only way to be sure
http://www.theregister.co.uk/2012/08/30/i_hate_java/
Sysadmin blog Java is horrible and I hate it.
For starters, this notion of “write once, run anywhere” never really worked. Junior developers don’t test their apps for cross-platform functionality. Even senior developers can and do make the mistake of developing entirely for their environment.
One solution is to deploy a containerised version of a Java VM with the application. Most devs don’t do this,
For reasons incomprehensible, companies exist today still utterly reliant on Java applets coded just slightly after the world-altering technological advancement of bashing two rocks together.
Bear in mind that Java likes to compete with Flash for the least secure mainstream web browser extension ever created – and a patch for the latest JVM flaws isn’t due until mid-October from Oracle.
It is thus absolutely ridiculous to me that there are developers today designing new applications relying on Java in the browser.
It is possible to code Java applications that are excellent. The ubiquity of the language as a primary educational tool has unfortunately made these the exception rather than the rule.
So I hate Java; not because there’s anything inherently wrong with the language, but because of a decade’s worth of people who still haven’t figured out how to use it as designed.
Tomi says:
Researchers: Java Zero-Day Leveraged Two Flaws
http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/
The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.
Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.
Unfortunately, this latest Java exploit has been shown to work flawlessly to compromise browsers on all three operating systems: Windows, OS X and Linux
Rapid7 said the exploit has been successfully tested to work against nearly all browser configurations on Windows systems, and against Safari on OS X 10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04.
The BlackHole author said he intended to (and did, it appears) fold the exploit into his kit
evidence suggesting this Java exploit was first wielded in targeted espionage attacks of the sort used to extract corporate and government secrets.
In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.
you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser.
Tomi Engdahl says:
Oracle issued a patch for Java vulnerability
Oracle has released an updated version of the Java software. The update can be installed through the program’s own update mechanism, or the corrected version can be downloaded from the manufacturer’s site.
The fixed, updated version of the Java software is version number 7 (Update 7). It fixes four vulnerabilities.
Source: https://www.cert.fi/tietoturvanyt/2012/08/ttn201208302352.html
Tomi Engdahl says:
Oracle rushes out patch for critical 0-day Java exploit
‘Everything’s fine now, please don’t delete us’
http://www.theregister.co.uk/2012/08/30/oracle_issues_java_0day_patch/
In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits.
“Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” Eric Maurice, the company’s director of software security assurance, said in a blog post published on Thursday.
Maurice said that the vulnerabilities patched only affect Java running in browsers, and not standalone desktop Java applications or Java running on servers.
According to Maurice, Java users who run Windows can use the Java Automatic Update feature to get the latest, patched version, which is officially dubbed Java SE 7 Update 7.
Tomi Engdahl says:
Java SE 7u7 AND SE 6u35 Released
http://www.f-secure.com/weblog/archives/00002415.html
Oracle has released an update for Java, version 1.7.0_07. Also of note, there’s a version 1.6.0_35 that also patches vulnerabilities.
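The post and the comment above give the two fixed builds, 1.7.0_07 (7u7) and 1.6.0_35 (6u35). When you have many machines to check, the question is which ones still run an older update on either branch. The following added example (mine, not code from the blog or from Oracle) parses the version line that `java -version` prints and classifies each host against those two fixed update numbers; host names and version outputs are constructed samples.

```python
import re

# Fixed update numbers per major branch, taken from the post (7u7) and the
# comment above (6u35). Anything older on these branches is treated as unpatched.
FIXED_UPDATE = {7: 7, 6: 35}

# `java -version` prints e.g. 'java version "1.7.0_06"' (to stderr).
# The old 1.<major>.<minor>_<update> scheme is what this regex expects.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None if no
    version line is present. A build with no _NN suffix counts as update 0."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def assess(output):
    """Classify one host's JRE:
    'patched'     - on a branch with a fix and at or above the fixed update
    'vulnerable'  - on a branch with a fix but below the fixed update
    'unsupported' - a branch the post names no fix for (e.g. Java 5)
    'unknown'     - no version line found (Java absent, or output unparsable)"""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    major, update = version
    if major not in FIXED_UPDATE:
        return "unsupported"
    return "patched" if update >= FIXED_UPDATE[major] else "vulnerable"


def report(hosts):
    """Map host name -> assessment for a dict of captured `java -version` output."""
    return {name: assess(output) for name, output in hosts.items()}


# Constructed sample inventory (hypothetical host names and captured output).
SAMPLE_HOSTS = {
    "ws01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "ws02": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "ws03": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)',
    "ws04": 'java version "1.5.0_22"',
    "ws05": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, state in sorted(report(SAMPLE_HOSTS).items()):
        print(f"{host}: {state}")
```

Note that this only tells you what the installed runtime is; whether the browser plugin is disabled is a separate check, and the post's advice is to disable the plugin regardless of the runtime version.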
Social Exchange says:
Amazing, thank you for this informative post.
You might be a good article author and describe
everything perfectly.
Tomi Engdahl says:
Here we go again: Critical flaw found in just-patched Java
Emergency fix rushed out half-baked
http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/
Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday.
the defect does affect Java SE 7 Update 7, which Oracle released this week as a rare out-of-band patch.
“The bug is related to some of our previous bugs reported to Oracle in April 2012 (and not yet patched) in such a way so that it allows to exploit them again,” Gowdiak told El Reg in an email.
Tomi Engdahl says:
Thanks ever so much Java, for that biz-wide rootkit infection
http://www.theregister.co.uk/2012/09/03/java_cleanup/
Contrary to early reports that we should only fear Java 7, this beauty crawled in through a fully up-to-date Java 6 browser plugin and installed some friends.
I have no idea what the initial vector was
The purpose of Sirefef is to serve as the staging component for the coup de grace: the highly sophisticated Zeroaccess rootkit
Zeroaccess is a nightmare.
Zeroaccess knows all the standard tricks
This incident should serve to underscore exactly how serious the Java exploits in question are. If you can, uninstall Java. If you must use Java, keep it as up-to-date as possible and see if you can disable or remove the plugins for your browsers.
If you absolutely must use Java-in-the-browser then it’s time to start taking security very seriously; break out the tinfoil and start making some shiny hats.
Java-in-the-browser absolutely must be treated as “already compromised”. There is no wiggle room here. Do not under any circumstances run Java in the browser on any production system or any client system in which any other application is used.
Java-in-the-browser is a live grenade and you can’t afford to have it go off inside your network.
Go buy another Windows licence and put Java inside a virtual machine.
If you can, deploy the virtual machine from a managed template; the ability to destroy it at the end of the day and revert to a “known good” is a huge advantage when dealing with a threat of this magnitude.
Tomi Engdahl says:
Firefox, Opera allow crooks to hide an entire phish site in a link
Watch out for the tinyurl that isn’t
http://www.theregister.co.uk/2012/09/03/phishing_without_hosts_peril/
A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link
the malicious web pages can be stored in data URIs
once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and email.
URI trick can sidestep traditional scam defences, such as web filtering. Data URIs may also contain a potentially malicious Java applet, a major concern following last week’s Java-related security flap, a post on Sophos’s Naked Security blog notes.
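The comment above describes links whose target is not a host at all but a `data:` URI carrying the whole page, possibly with a Java applet inside. A mail or web filter that only looks at hostnames never sees it. As an added example (my code, not from The Register or Sophos), here is a small classifier for links after any shortener has been expanded: it decodes the data URI, checks the media type, and flags HTML payloads that embed plugin content. All sample links are constructed.

```python
import base64
import binascii
import re
import urllib.parse

# Markup that loads plugin content (Java applet or similar) into the page.
# Constructed policy pattern; adjust to what your environment considers risky.
PLUGIN_TAG_RE = re.compile(rb"<\s*(applet|object|embed)\b", re.IGNORECASE)


def parse_data_uri(uri):
    """Split a data: URI (RFC 2397) into (mediatype, decoded payload bytes).
    Returns None if the string is not a data: URI or its body cannot be decoded."""
    if uri[:5].lower() != "data:":
        return None
    header, sep, body = uri[5:].partition(",")
    if not sep:
        return None
    params = [p.strip() for p in header.split(";")]
    mediatype = (params[0] or "text/plain").lower()  # RFC default when omitted
    try:
        if any(p.lower() == "base64" for p in params[1:]):
            payload = base64.b64decode(body, validate=True)
        else:
            payload = urllib.parse.unquote_to_bytes(body)
    except (binascii.Error, ValueError):
        return None
    return mediatype, payload


def classify_link(uri):
    """Risk label for one fully expanded link target.
    'ordinary'            - not a data: URI (hostname-based filters apply)
    'malformed-data-uri'  - data: scheme but undecodable
    'data-uri-other'      - data: URI with a non-HTML media type (images etc.)
    'data-uri-html'       - a complete HTML page hidden in the link
    'data-uri-html-plugin'- HTML page that also embeds applet/object/embed"""
    parsed = parse_data_uri(uri)
    if parsed is None:
        return "ordinary" if uri[:5].lower() != "data:" else "malformed-data-uri"
    mediatype, payload = parsed
    if mediatype != "text/html":
        return "data-uri-other"
    if PLUGIN_TAG_RE.search(payload):
        return "data-uri-html-plugin"
    return "data-uri-html"


def scan(links):
    """Classify a dict of label -> expanded link target."""
    return {label: classify_link(uri) for label, uri in links.items()}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed samples: a normal link, a base64 HTML login form, a plain-text HTML
# page embedding an applet (X.class is a placeholder), a 1x1 GIF, and a broken body.
SAMPLE_LINKS = {
    "normal": "https://www.example.com/login",
    "form": "data:text/html;base64," + _b64(
        "<html><body><form action='https://example.net/c'><input name='pw'></form></body></html>"),
    "applet": "data:text/html,<html><body><applet code='X.class'></applet></body></html>",
    "gif": "data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==",
    "broken": "data:text/html;base64,!!!notbase64",
}

if __name__ == "__main__":
    for label, verdict in scan(SAMPLE_LINKS).items():
        print(f"{label}: {verdict}")
```

Expanding shortened URLs is deliberately left out: a shortener redirect has to be followed (or looked up via the service's preview feature) before this check is meaningful, and doing that in an automated filter needs its own safeguards.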
counter-strike says:
Every weekend I used to pay
a quick visit to this web site, for the reason that I want enjoyment, for the reason that this site contains
actually fastidious funny material too.
Tomi Engdahl says:
Hackers create bogus Microsoft Services Agreement email to exploit users
http://www.theinquirer.net/inquirer/news/2202663/hackers-create-bogus-microsoft-services-agreement-email-to-exploit-users
HACKERS are using a recent Microsoft email notification regarding changes in its Services Agreement to trick people into installing malicious programs based on an exploit in Oracle’s Java software.
The SANS Institute’s Internet Storm Centre issued warnings about the rogue emails at the weekend, saying that they are based on a 27 August communication from Microsoft about popular products such as Hotmail and Skydrive.
“The evil version of this email will subject [the] victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant.”
Do not click through the links in the email if you are not sure it is safe.
Tomi Engdahl says:
Attacks on Java security hole hidden in bogus Microsoft Services Agreement email
http://nakedsecurity.sophos.com/2012/09/03/java-security-hole-microsoft/
Online scammers are using a recent email from Microsoft as bait in a widespread spam campaign that exploits vulnerabilities in Oracle’s Java software to install malicious programs on vulnerable systems.
According to SANS, the malicious email is based on an August 27 communication from Microsoft titled “Important Changes to Microsoft Services Agreement and Communication Preferences.”
The phishing email replaces links in the original messages with malicious links that send unwitting readers to websites that install a new variant of the Zeus malware, ISC handler Russ McRee warned in a post on September 1st.
This isn’t the first phishing email that has been linked to attacks on the Java vulnerability.
Database giant Oracle acquired Java when it bought Sun Microsystems in 2009 and has faced criticism from security experts for failing to respond quickly to security vulnerabilities in the ubiquitous web technology before.
The latest security holes haven’t improved the company’s image.
The company’s image was further damaged when the patch Oracle released to fix the flaw failed to fully close the security hole.
ISC and others are advising users to disable Java until the next update is ready.
SANS ISC said that email recipients should scrutinize the hyperlinks in any email messages
Tomi Engdahl says:
Instructions how to disable Java on different browsers (in Finnish)
http://www.tietoviikko.fi/kaikki_uutiset/java+kannattaa+kytkea+pois+paalta+nain/a835006?s=r&wtm=tietoviikko/-05092012&
Tomi Engdahl says:
Apple Java update fails to address mega-flaw – researcher
http://www.theregister.co.uk/2012/09/06/apple_java_update/
Apple released a Java update on Wednesday but it does not tackle a high-profile flaw that has become the target of attacks over recent weeks.
Security vulnerabilities in Java are an all-too-real danger for Mac fans, as illustrated by the spread of the infamous Flashback Trojan
The most straightforward advice in the midst of this confusion is for users to uninstall Java, or at minimum disable Java-related browser plugins, standard advice from many security firms before the arrival of Oracle’s emergency fix last week.
Most mainstream sites, with the exception of a few e-banking sites don’t need Java in order to work.
micro Jobs says:
I do not leave a response,
but I browsed a great deal of comments on this page Get rid of Java now!
Tomi Engdahl says:
Java kuolee – mitä sitten?
http://www.tietoviikko.fi/viisaat/tieturi/java+kuolee++mita+sitten/a828766
Tomi Engdahl says:
Yet another Java flaw allows “complete” bypass of security sandbox
http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/
Flaw in last three Java versions, 8 years worth, puts a billion users at risk.
Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years worth of Java software.
“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote, claiming the hole puts “one billion users” at risk.
Gowdiak wrote that Security Explorations successfully pulled off the exploit on a fully patched Windows 7 32-bit computer in Firefox, Chrome, Internet Explorer, Opera, and Safari.
The bug lets attackers violate the “type safety” security system in the Java Virtual Machine.
this latest one apparently isn’t being exploited in the wild yet
Tomi Engdahl says:
Critical security issue affecting Java SE 5/6/7
http://seclists.org/fulldisclosure/2012/Sep/170
We’ve recently discovered yet another security vulnerability affecting all latest versions of Oracle Java SE software. The impact of this issue is critical – we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7. So far, we could only claim such an impact with reference to Java 7 environment
The newly discovered bug is special for several reasons.
Tomi Engdahl says:
Java was originally designed for embedded systems and it seems that Oracle is still actively pushing Java for those applications:
Oracle Packages Java for Embedded Systems Design
http://www.designnews.com/author.asp?section_id=1394&doc_id=251396&cid=NL_Newsletters+-+DN+Daily
In an attempt to capitalize on the huge opportunity in the embedded systems market, and the dominance of the Java programming platform, Oracle has unwrapped a new set of offerings facilitating the design of applications across a wide range of embedded systems. These systems include network appliances, healthcare devices, home gateways and routers, and large multifunction printers.
The company unveiled a pair of offerings as part of its embedded systems push: Oracle Java Embedded Suite 7.0, which aims to speed development of embedded systems; and Oracle Java Micro Edition (ME) Embedded 3.2, a run-time version geared for microcontrollers with less than a megabyte of memory, and as little as 130K bytes of RAM and 350K bytes of ROM.
Citing stats such as 1 billion Java downloads annually, and the fact that more than 3 billion devices are powered by Java technology, Oracle officials said the market is ripe for more powerful development tools built on the programming language, and optimized for the design of embedded systems applications. Especially, they claim, in light of the growing interest in creating machine-to-machine applications (M2M), or what’s being called the “Internet of Things.”
Vacation says:
Hmm is anyone else experiencing problems with the pictures on this blog loading?
I’m trying to figure out if its a problem on my end or if it’s the blog.
Any suggestions would be greatly appreciated.
Time for Firefox Plugin Check « Tomi Engdahl’s ePanorama blog says:
[...] Old versions of Silverlight, Adobe Reader and Adobe Flash on Windows are covered by this. In addition to this Firefox also automatically disables outdated version of Java for your safety. [...]
Tomi Engdahl says:
Apple has started cleaning up Macs from the Java add-on. The company aims to destroy Java in your browser with the next update.
The upgrade will remove Apple’s own Java applet from the Lion and Mountain Lion operating systems.
“This update removes the Apple-provided Java from all Web browsers,” says Apple’s support site.
Source: http://www.tietoviikko.fi/kaikki_uutiset/applen+paivitys+tappaa+javan/a848643?s=r&wtm=tietoviikko/-19102012&
Tomi Engdahl says:
Java still has a crucial role to play—despite security risks
Many Ars readers block Java plugins, but say Java apps are important in business.
http://arstechnica.com/information-technology/2012/10/java-still-has-a-crucial-role-to-play-despite-security-risks/
Java has its security flaws, but it isn’t going away any time soon—after all, many important applications run on the technology, especially in business settings. Still, numerous users are worried enough about vulnerabilities that they restrict Java’s ability to run on their machines.
Some users have disabled or uninstalled Java entirely. But the most common solution for those worried about security risks is to leave the Java Runtime Environment in place on the desktop while disabling the browser plugins that allow Java applets to run on websites. Those plugins are often vulnerable to attacks involving remote code execution.
“Java as a desktop framework is not a big security risk,” writes commenter Stilgar. “It is the browser plugin that presents a problem. Avoiding desktop Java on purpose does not make any sense. On the other hand every browser plugin you install on any browser increases the attack surface.”
Numerous critical Java flaws have been identified recently.
Some users run Java plugins on a case-by-case basis, either by using a “click-to-play” browser feature, or by disabling Java in a primary browser while leaving it enabled in a secondary one.
But Java has lots of real-world use cases, enough that uninstalling or disabling the platform isn’t realistic for many users. Numerous people report keeping Java enabled in browsers because of banking, government, work, and school-related websites. “For some odd reason, enterprise environments like Java applets to transfer files,” writes commenter tycheung.
“Many mission-critical business applications still require Java Applets or Java Web Start, eg VPN and remote access clients or components for card-based electronic signatures,”
Tomi Engdahl says:
Microsoft’s security team is killing it: Not one product on Kaspersky’s top 10 vulnerabilities list
http://thenextweb.com/microsoft/2012/11/02/microsofts-security-team-is-killing-it-not-one-product-on-kasperskys-top-10-vulnerabilities-list/
Security firm Kaspersky has released its latest IT Threat Evolution report
Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.
this list of findings is for you:
28 percent of all mobile devices attacked run Android OS version 2.3.6, which was released in September 2011.
56 percent of exploits blocked in Q3 use Java vulnerabilities.
A total of 91.9 million URLs serving malicious code were detected, a 3% increase compared to Q2 2012.
That second one is brutal. It’s exactly why you shouldn’t have Java installed, unless you absolutely need it.
Tomi Engdahl says:
Java Zero-Day Exploit on Sale for ‘Five Digits’
http://krebsonsecurity.com/2012/11/java-zero-day-exploit-on-sale-for-five-digits/
Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program, KrebsOnSecurity has learned.
The flaw, currently being sold by an established member of an invite-only Underweb forum, targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java (the seller says this flaw does not exist in Java 6 or earlier versions).
According to the vendor, the weakness resides within the Java class “MidiDevice.Info,” a component of Java that handles audio input and output.
The price of any exploit is ultimately whatever the market will bear, but this is roughly in line with the last Java zero-day exploit that was being traded and sold on the underground.
In August, I wrote about a newly discovered Java exploit being folded into the BlackHole exploit kit, quoting the author of that crimeware tool as saying that “the price of such an exploit if it were sold privately would be about $100,000.”
Computer technologies for 2013 « Tomi Engdahl’s ePanorama blog says:
[...] in Java will decrease compared to other languages for various reasons, recent security issues playing part on that. C Beats Java As Number One Language According To TIOBE Index. It happened [...]
Tomi Engdahl says:
New year, new Java zeroday!
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
we reproduced the exploit in a fully patched new installation of Java
Right now the only way to protect your machine against this exploit is disabling the Java browser plugin.
Let’s see how long does it take for Oracle to release a patch.
Tomi Engdahl says:
New Java vulnerability is being exploited in the wild, disabling Java is currently your only option
http://thenextweb.com/insider/2013/01/10/new-java-vulnerability-is-being-exploited-in-the-wild-disabling-java-is-currently-your-only-option/
A new Java 0-day vulnerability has been discovered, and is already being exploited in the wild. Currently, disabling the plugin is the only way to protect your computer.
Tomi says:
Oracle Corp to fix Java security flaw “shortly”
http://www.reuters.com/article/2013/01/12/us-usa-java-security-idUSBRE90B0EX20130112
Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs.
Tomi says:
Oracle’s Java vulnerability left open since October 2012 ‘fix’, now being used to push ransomware
http://thenextweb.com/insider/2013/01/11/latest-java-vulnerability-possible-since-oracle-didnt-properly-fix-old-one-now-pushing-ransomware/
After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware.
The 0-day code would not have worked if Oracle had properly addressed an old vulnerability,
Back in late August 2012, the company informed Oracle about the insecure implementation of the Reflection API, dubbed Issue 32, and Oracle released a patch for it in October 2012, but the fix wasn’t a complete one.
This is not the first time Oracle fails to “sync” security of Core and new Reflection APIs. Just to mention the Reflection API filter. This is also not the first time Oracle’s own investigation / analysis of security issues turns out to be not sufficiently comprehensive.
We noted yesterday that the two most popular Web threat tools used by hackers to distribute malware, the BlackHole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK), already included the latest Java exploit.
CEK has been used to distribute ransomware before, but now it’s also using this latest Java vulnerability to do so.
Tomi says:
Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat
http://www.macrumors.com/2013/01/11/apple-blocks-java-7-on-os-x-to-address-widespread-security-threat/
As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.
Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed.
Security trends for 2013 « Tomi Engdahl’s ePanorama blog says:
[...] web threat. More specifically, attackers are moving into targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched [...]
Tomi Engdahl says:
Oracle Ships Java 7 Update 11 With Vulnerability Fixes
http://developers.slashdot.org/story/13/01/14/0016200/oracle-ships-java-7-update-11-with-vulnerability-fixes
“Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle’s website”
Tomi Engdahl says:
Oracle ships Java 7 Update 11 with vulnerability fixes, increased security level for Java applets
http://thenextweb.com/apps/2013/01/14/oracle-ships-java-7-update-11-with-vulnerability-fixes-increased-security-level-for-java-applets/
Tomi says:
Latest Java patch is not enough, warns US gov: Axe plugins NOW
Metasploit boss says Oracle needs TWO years to make everything good
http://www.theregister.co.uk/2013/01/15/avoid_java_in_browsers/
Security experts advise users to not run Java in their web browsers despite a patch from Oracle that mitigates a widely exploited security vulnerability.
The database giant issued an emergency out-of-band patch on Sunday, but despite this the US Department of Homeland Security continues to warn citizens to disable Java plugins.
“Unless it is absolutely necessary to run Java in web browsers, disable it even after updating to [Java 7 update 11],” the US-CERT team said in an update yesterday. “This will help mitigate other Java vulnerabilities that may be discovered in the future.”
Ross Barrett, senior manager of security engineering at Metasploit developers Rapid7, said the update is worth applying but only goes so far: further zero-day security bugs in Java are likely if not inevitable.
“This fix changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed, which indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the next time a Java vulnerability is exploited in the wild,” Barrett said.
“Oracle has already spent a year working through these issues … but will likely need another two years to fix them completely,” he said.
Tomi Engdahl says:
Another Java Exploit For Sale
http://developers.slashdot.org/story/13/01/16/236215/another-java-exploit-for-sale
“Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it’s certainly plausible that the latest Java patch didn’t do the job”
Tomi Engdahl says:
Confirmed: Java only fixed one of the two bugs.
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
Tomi Engdahl says:
A close look at how Oracle installs deceptive software with Java updates
http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/
Summary: Oracle’s Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. With each update, Java actively tries to install unwanted software. Here’s what it does, and why it has to stop.
Congratulations, Oracle.
Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.
And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.
Specifically:
When you use Java’s automatic updater to install crucial security updates for Windows , third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s “recommendation,” you end up with unwanted software on your PC.
The reason, of course, is money: Oracle collects a commission every time that toolbar gets installed. And the Ask installer goes out of its way to hide its workings.
I’ve never seen a legitimate program with an installer that behaves this way. But spyware expert Ben Edelman notes that in the early part of the last decade this trick was business as usual for companies in the business of installing deceptive software. That list includes notorious bad actors like WhenU, Gator, and Claria.
Tomi Engdahl says:
Oracle has recently been strongly criticized for the company’s inability to fix the Java security holes.
Recently, a number of security experts have urged everyone to turn off Java in the browser. Among other things, the United States authorities responsible for internal security recommend removing Java from the web browser.
Oracle’s Smith admits that most of the Java-based attacks are precisely targeted at browsers.
IT company Oracle promises to fix the security problem found in the Java technology and to improve the company’s communication with those using Java.
Source: http://www.tietoviikko.fi/kaikki_uutiset/oracle+yrittaa+korjata+surullisen+kuuluisan+javan+mainetta/a873992?s=r&wtm=tietoviikko/-28012013&
Tomi Engdahl says:
Danske Bank’s online banking renewed: Java will be discontinued
The online banking renewal has been pending for a long time, because the current online bank’s security solution, which is based on Oracle’s Java software, has caused unfortunate compatibility problems with different browsers. As a result, some of our clients have had trouble signing in to online banking.
The new online banking is based on, among other things, SSL, which is commonly used by banks, and other security solutions. It no longer contains Java components.
Source: http://www.danskebank.fi/fi-fi/tietoa-danske-bankista/media/Tiedotteet/Pages/20130129_VerkkopankkiJavastaluovutaan.aspx
Tomi Engdahl says:
Apple has quietly set the OS X operating system’s malware blocker XProtect to block Java 7 Update 11.
This is how Apple is trying to protect users from security threats, as Oracle, which is responsible for the Java software, has not been able to get Java’s shortcomings under control.
Source: http://www.tietoviikko.fi/kaikki_uutiset/apple+sai+tarpeeksi+estaa+javan/a875700?s=r&wtm=tietoviikko/-02022013&
Tomi Engdahl says:
Oracle Java SE Critical Patch Update Advisory – February 2013
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
Note: The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Oracle strongly recommends that customers apply these fixes as soon as possible.
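The second workaround in the advisory above, taking away unprivileged code's ability to reach certain packages, is what the JRE's `package.access` security property in `lib/security/java.security` does: `SecurityManager.checkPackageAccess` refuses sandboxed code access to any package whose name starts with a listed prefix. The following is an added example, not Oracle's code or the advisory's, that reimplements that prefix check in Python so an administrator can audit a proposed `package.access` value before rolling it out. The two `java.security` excerpts and the package names are constructed for the illustration; they are not Oracle's shipped defaults, so take the prefixes you actually deploy from your own JRE release notes.

```python
"""Audit a java.security `package.access` value against the packages an
untrusted (sandboxed) class would touch.

Added example modelling the Java check, not Oracle's own code. Mirrors the
JDK 7 logic of SecurityManager.checkPackageAccess: access to package `pkg`
is denied to unprivileged code when pkg starts with a listed prefix, or when
a listed prefix equals pkg + ".". System code is not subject to the check.
"""

# Constructed excerpt: only Sun internals are fenced off.
WEAK_JAVA_SECURITY = """\
# constructed java.security excerpt (illustrative, not a shipped default)
package.access=sun.
"""

# Constructed excerpt with extra internal prefixes, using the backslash
# continuation syntax a real java.security file uses for long values.
HARDENED_JAVA_SECURITY = """\
# constructed java.security excerpt (illustrative, not a shipped default)
package.access=sun.,\\
               com.sun.jmx.,\\
               com.sun.imageio.
"""


def _join_continuations(text):
    """Merge Java-properties continuation lines (trailing backslash)."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line.startswith("#"):
            logical.append(line)          # a comment never continues a value
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def parse_package_access(java_security_text):
    """Return the restricted prefixes listed in `package.access`, in order."""
    for line in _join_continuations(java_security_text):
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "package.access":
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def is_restricted(package, restricted_prefixes):
    """Same test checkPackageAccess applies before asking for the
    RuntimePermission "accessClassInPackage.<pkg>"."""
    for prefix in restricted_prefixes:
        if package.startswith(prefix) or prefix == package + ".":
            return True
    return False


def audit(java_security_text, packages_touched):
    """Map each package name to True when sandboxed code would be denied."""
    restricted = parse_package_access(java_security_text)
    return {pkg: is_restricted(pkg, restricted) for pkg in packages_touched}


if __name__ == "__main__":
    touched = ["java.util", "sun.misc", "com.sun.jmx.mbeanserver", "com.example.applet"]
    for label, text in (("weak", WEAK_JAVA_SECURITY), ("hardened", HARDENED_JAVA_SECURITY)):
        print(label, audit(text, touched))
```

Running the audit against both excerpts shows the difference the workaround makes: with only `sun.` listed, sandboxed code can still reach `com.sun.jmx.mbeanserver`, while the longer list denies it. As the advisory warns, a prefix that is too broad will break legitimate applets, so test the list on a non-production JRE first.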
Tomi Engdahl says:
Not done yet: Oracle to ship revised Java fix on February 19
Addresses flaws left open after February 1 patch
http://www.theregister.co.uk/2013/02/12/oracle_february_java_fix_redux/
If at first you don’t succeed, and all that… Oracle now says the emergency Java Critical Patch Update it rushed out the door on February 1 didn’t fix all of the issues it had originally intended to address, and that a revised patch including fixes for the remaining flaws will ship on February 19.
February 19 had been the original date for the February patch, but Oracle opted to push it out on an accelerated schedule after discovering that exploits for some of the vulnerabilities it addressed were operating in the wild.
Tomi Engdahl says:
Protecting People On Facebook
https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766
Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.
After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.
Tomi Engdahl says:
Exclusive: Apple, Macs hit by hackers who targeted Facebook
http://www.reuters.com/article/2013/02/19/us-apple-hackers-idUSBRE91I10920130219
Apple Inc was recently attacked by hackers who infected Macintosh computers of some employees, the company said Tuesday in an unprecedented disclosure describing the widest known cyber attacks targeting Apple computers used by corporations.
The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp’s Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday.
Tomi Engdahl says:
After hack, Apple releases Java security update for Mac users
http://9to5mac.com/2013/02/19/after-hack-apple-releases-java-security-update-for-mac-users/
Tomi Engdahl says:
YAJ0: Yet Another Java Zero-Day
http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
Through our Malware Protection Cloud (MPC), we detected a brand new Java zero-day vulnerability that was used to attack multiple customers. Specifically, we observed successful exploitation against browsers that have Java v1.6 Update 41 and Java v1.7 Update 15 installed.
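FireEye names two builds it saw exploited, 1.6.0_41 and 1.7.0_15, which is the information a defender needs to triage an inventory of installed JREs. The following is an added example, not FireEye's or Oracle's code, that parses Java version strings (bare `1.7.0_15`, `1.6.0_41-b02`, or the first line of `java -version` output) and groups hosts by whether their build is at or below one seen exploited. The host inventory is constructed. The post above does not say which later update closes the hole, so the code only reports "newer than the builds seen exploited", which is not the same as "patched".

```python
"""Triage installed JRE versions against the builds reported as exploited.

Added example, not FireEye's or Oracle's code. Cutoff builds are the ones
named in the post (1.6.0_41 and 1.7.0_15); a newer build is merely newer,
not confirmed fixed. Inventory records are constructed for the example.
"""
import re

# Matches 1.7.0_15, 1.7.0_15-b03 and 'java version "1.6.0_41"'.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[A-Za-z0-9]+)?")

# Highest build per family reported exploited in the post above.
EXPLOITED_THROUGH = {
    (1, 6): (1, 6, 0, 41),
    (1, 7): (1, 7, 0, 15),
}

STATUS_EXPLOITED = "at or below a build seen exploited"
STATUS_NEWER = "newer than the builds seen exploited"
STATUS_UNCOVERED = "family not covered by the report"

# Constructed inventory: one "host<TAB>first line of `java -version`" per line.
INVENTORY = """\
build-01\tjava version "1.7.0_15"
ci-02\tjava version "1.6.0_41"
dev-03\tjava version "1.7.0_17"
legacy-04\tjava version "1.5.0_22"
"""


def parse_java_version(text):
    """Return (major, minor, micro, update); update defaults to 0.
    Build suffixes such as -b03 are ignored for the comparison."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version found in %r" % text)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def exposure(version_text, exploited_through=EXPLOITED_THROUGH):
    """Classify one version string against the per-family cutoffs.
    Tuple comparison orders 1.7.0_9 below 1.7.0_15 correctly, which a
    plain string comparison of the update numbers would not."""
    version = parse_java_version(version_text)
    cutoff = exploited_through.get(version[:2])
    if cutoff is None:
        return STATUS_UNCOVERED
    return STATUS_EXPLOITED if version <= cutoff else STATUS_NEWER


def triage(inventory_text):
    """Group host names by exposure status."""
    groups = {}
    for record in inventory_text.splitlines():
        if not record.strip():
            continue
        host, _, version_line = record.partition("\t")
        groups.setdefault(exposure(version_line), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print("%s: %s" % (status, ", ".join(hosts)))
```

Hosts in the "at or below" group are the ones to pull the browser plugin from first; the "family not covered" group (here a 1.5 JRE) is not cleared by this report and needs its own check against the older advisories.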
Tomi Engdahl says:
28-Feb-2013
– Security Explorations provides Oracle with another example illustrating denied access for a similar condition as Issue 54. The company asks Oracle whether it still considers Issue 54 as a non-vulnerability demonstrating the “allowed behavior”.
– Oracle informs that the company is investigating the issue and will get back to us once the investigation is completed.
Source: http://www.security-explorations.com/en/SE-2012-01-status.html
Tomi Engdahl says:
Oracle investigating after two more Java 7 zero-day flaws found
http://www.zdnet.com/oracle-investigating-after-two-more-java-7-zero-day-flaws-found-7000011965/
Summary: Polish security researchers have discovered yet more zero-day vulnerabilities in Java, the beleaguered Web plug-in, that led to the successful intrusion of Facebook, Apple and Microsoft in recent weeks.