Critical Java bug being exploited in the wild

Mousey

Ueber Meister Mouse
Joined
Sep 12, 2004
Location
Up$hitCreek
You do not have permission to view link Log in or register now.

Your fully patched installation of Java isn't safe.

by Dan Goodin - Jan 10 2013, 10:05am CST

....
A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits the vulnerability has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast
....
 

Mousey

Ueber Meister Mouse
Joined
Sep 12, 2004
Location
Up$hitCreek
Java security concerns escalate

Heads up, people...


You do not have permission to view link Log in or register now.

(Reuters) - The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software, amplifying security experts' prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.

Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.

"We are currently unaware of a practical solution to this problem," the Department of Homeland Security's Computer Emergency Readiness Team said in a posting on its website late on Thursday.

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," the agency said. "To defend against this and future Java vulnerabilities, disable Java in Web browsers."

Oracle declined on Friday to comment on the warning.

Java is a computer language that enables programmers to write software....
 

The Viking

Paleo Meister (means really, really old)
CAG
MM
Joined
Oct 3, 2010
Location
Faroe Islands
Yep they have been warning people on the radio here today, be careful when using your homebank .
 

vinylweatherman

You type well loads
Joined
Oct 14, 2004
Location
United Kingdom
The problem is that this could make many sites unuseable.

There is the same issue with Flash and Apple products. Apple prevent Flash from working, but this means that Apple devices can only access a subset of the internet, and cannot use many websites and applications. The workarounds for this seem less secure than just allowing Flash to be installed locally.

Many users don't even know when they are using Java, or even Flash. They just see a website.

The other problem is that many websites will tell the user they have to install one of these products just to view the content, and so would find themselves reinstalling a product that had been disabled or removed by an administrator just to get on with their daily tasks.

What is needed is a tool that can be widely publicised that users can run to check whether or not they have picked up this exploit. The FBI did this with a previous exploit that messed up routing so that users visited malicious sites instead of the ones intended. As well as shutting down the exploit, they developed a tool that users could use to check whether they had been compromised.

A device that connects to the internet can never be safe. The difference here is that the authorities have discovered this exploit to be in use. There may be something else in use yet to be discovered by the authorities or security software firms.

The only sure way to clean up after such a mess is to format the OS drive and reinstall everything from scratch.
 

Mousey

Ueber Meister Mouse
Joined
Sep 12, 2004
Location
Up$hitCreek
Update!! Fix released

You do not have permission to view link Log in or register now.


...And at the time news broke, even fully patched Java installations were at risk.

Today however, KrebsOnSecurity reporter Brian Krebs is reporting Oracle finally shipped its critical security update. Java 7 Update 11 fixes this sticky situation and it's available both via Oracle’s website and through the Java Control Panel in an active program.

Krebs reports this update changes the way Java handles Web applications
 
Top