Java security threat

waltky · Jan 11, 2013

Java security weakness...

U.S. warns on Java software as security concerns escalate
11 Jan.`13 - The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software, amplifying security experts' prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.

Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites. "We are currently unaware of a practical solution to this problem," the Department of Homeland Security's Computer Emergency Readiness Team said in a posting on its website late on Thursday. "This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," the agency said. "To defend against this and future Java vulnerabilities, disable Java in Web browsers." Oracle declined to comment on the warning on Friday.

Java is a computer language that enables programmers to write software utilizing just one set of code that will run on virtually any type of computer, including ones that use Microsoft Corp's Windows, Apple Inc's OS X and Linux, an operating system widely employed by corporations. Computer users access Java programs through modules, or plug-ins, that run Java software on top of browsers such as Internet Explorer and Firefox. The U.S. government's warning on Java came after security experts warned earlier on Thursday of the newly discovered flaw.

It is relatively rare for government agencies to advise computer users to completely disable software due to a security bug, particularly in the case of widely used programs such as Java. They typically recommend taking steps to mitigate the risk of attack while manufacturers prepare an update, or hold off on publicizing the problem until an update is prepared. In September, the German government advised the public to temporarily stop using Microsoft's Internet Explorer browser to give it time to patch a security vulnerability that opened it to attacks.

The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java. It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.

MORE
Click to expand...

See also:

Critical Patch Updates, Security Alerts and Third Party Bulletin

Ctrl · Jan 12, 2013

Always has been. Terrible, terrible environment. Fun to program... but... yeah.

waltky · Jan 13, 2013

Thanks to MMC over at Political Bullpen...

How to Disable Java
January 11, 2013 - Java is a handy, cross-platform language that's been mightily abused by hackers. With the discovery of a new Java vulnerability that affects even the most up-to-date version, many experts advise everyone to simply disable Java. Here's how.

Java was once touted as the "write once, run anywhere" language. In theory, a single Java program could run on any Java-supporting platform. That dream never quite came to perfection, though, and these days Java is a favorite attack vector for hackers. The Flashback Trojan breached Macintosh computers via a Java vulnerability last year, for example. In August, researchers at FireEye reported another zero-day vulnerability in Java. The most recent Java vulnerability affects all versions of Java 7, including the most current version. Unless you absolutely need it, you should disable Java now. Fortunately, Oracle offers a Web page with straightforward instructions on how to turn off Java.

Disable Java in All Browsers

Last month Oracle released a new Java version, Update 10, that includes a one-stop option for disabling Java in all browsers in the Java Control Panel. Open Control Panel and launch the Java applet. If you don't see it, switch to Classic View (in XP) or small icons (in Vista or Windows 7). Click the Security tab. In previous versions this tab just allowed advanced users to manage Java-related certificates. It now displays a security-level slider and, more important, a single checkbox titled "Enable Java content in the browser." Un-check this box, click OK, and you're done.

Disable Java in One Browser

For security's sake you really should be using the very latest Java version. If you're not, or if you need to enable Java in some browsers but disable it in others, you can do that too.

Using Chrome? Enter chrome://plugins in the browser's address bar. Scroll down to Java and click the link to disable it. That was easy, and a bit simpler than Oracle's recommended steps. The process is similar in Opera, which Oracle's page doesn't mention. First, enter about:config in the address bar. Click the Java heading to expand that section, un-check the checkbox, and click the Save button. In Safari, choose Preferences, choose Security, and deselect Enable Java.

The only way to disable Java in Internet Explorer is through the Java Control Panel. Launch it as described above, click the Advanced tab and expand the item titled Default Java for browsers. Un-check the boxes for Microsoft Internet Explorer. You may need to click the item and press spacebar in order to clear the checkmarks.

Firefox users can click the Firefox button at the top (or click Tools in the top menu bar) and choose Add-ons from the resulting menu. On the Plugins tab, click the Disable button next to "Java(TM) Platform." You can also disable Java for all Mozilla family browsers by un-checking the Mozilla family box in the Java control panel.

Stay Updated

When writing this article, I had a hard time viewing the new feature that Oracle added in Update 10. Why? Because I had disabled Java and figured I didn't need to update it. That was lazy thinking; I've reformed. At any time you might find you need Java, perhaps for a Web meeting, or a remote-control tech support session. If you don't want to let Java update automatically, you can check for updates from the Java Control Panel at any time.

Whichever method you choose, visit the Java test page at http://java.com/en/download/testjava.jsp to confirm that Java is disabled. Yes, you'll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

http://www.pcmag.com/article2/0,2817,2414191,00.asp
Click to expand...

waltky · Jan 13, 2013

Dey workin' onna fix...

Oracle Corp to fix Java security flaw "shortly"
12 Jan.`12 - Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs.

"A fix will be available shortly," the company said in a statement released late on Friday. Company officials could not be reached on Saturday to say how quickly the update would be available for the hundreds of millions of PCs that have Java installed. The Department of Homeland Security and computer security experts said on Thursday that hackers figured out how to exploit the bug in a version of Java used with Internet browsers to install malicious software on PCs. That has enabled them to commit crimes from identity theft to making an infected computer part of an ad-hoc computer network that can be used to attack websites.

Java is a computer language that enables programmers to write software utilizing just one set of codes that will run on virtually any type of computer, including ones that use Microsoft Corp's Windows, Apple Inc's OS X and Linux, an operating system widely employed by corporations. It is installed in Internet browsers to access web content and also directly on PCs, server computers and other devices that use it to run a wide variety of computer programs. Oracle said in its statement that the recently discovered flaw only affects Java 7, the program's most-recent version, and Java software designed to run on browsers.

Java is so widely used that the software has become a prime target for hackers. Last year, Java surpassed Adobe Systems Inc's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab. Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.

The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java. It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems. They said developers of several popular tools, known as exploit kits, used by criminal hackers to attack PCs, have added software that allows hackers to exploit the newly discovered bug in Java.

Security experts have been scrutinizing the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis. At the time, they advised businesses to allow their workers to use Java browser plug-ins only when prompted for permission by trusted programs such as GoToMeeting, a Web-based collaboration tool from Citrix Systems Inc. Java suffered another setback in October when Apple began removing old versions of the software from Internet browsers of Mac computers after its customers installed new versions of its OS X operating system. Apple did not provide a reason for the change and both companies declined to comment at the time.

http://news.yahoo.com/oracle-corp-fix-java-security-flaw-shortly-002106043--finance.html
Click to expand...

waltky · Jan 15, 2013

Just to be on the safe side - think I'll keep it disabled till the 'all clear' is sounded...

Oracle says Java is fixed; feds maintain warning
Jan 14,`13 -- Oracle Corp. said Monday it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week. Even after the patch was issued, the federal agency continued to recommend that users disable Java in their Web browsers.

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," DHS said Monday in an updated alert published on the website of its Computer Emergency Readiness Team. "To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available." The alert follows on the department's warning late Thursday. Java allows programs to run within websites and powers some advertising networks. Users who disable Java may not be able to see portions of websites that display real-time data such as stock prices, graphical menus, weather updates and ads. Vulnerability in the latest version, Java 7, was "being actively exploited," the department said.

Java 7 was released in 2011. Oracle said installing its "Update 11" will fix the problem. Security experts said that special code to take advantage of the weakness is being sold on the black market through so-called "Web exploit packs" to Internet abusers who can use it to steal credit card data, personal information or cause other harm. The packs, sold for upwards of $1,500 apiece, make complex hacker codes available to relative amateurs. This particular flaw even enables hackers to compromise legitimate websites by taking over ad networks. The result: users are redirected to malicious sites where damaging software can be loaded onto their computers.

The sale of the packs means malware exploiting the security gap is "going to be spread across the Internet very quickly," said Liam O'Murchu, a researcher with Symantec Corp. "If you have the opportunity to turn it off, you should." Oracle said it released two patches - to address the flaw highlighted by the government, as well as another flaw that the government said was "different but equally severe." As well, the patches set Java's default security level to "high" so that users will automatically be shown a prompt and given a chance to decline malicious software before it loads onto their computers.

Disabling Java completely in browsers has a similar effect, however. When websites appear without crucial functions, users can click a button to turn Java back on. Making users aware when Java programs are about to be installed gives users a 50/50 chance of avoiding malware, said Kurt Baumgartner, a senior security researcher with Kaspersky Lab. Many programmers are avoiding Java altogether, and its use in Web browsers is on the decline, he said. Kaspersky Lab estimated that last year 50 percent of all website exploitations were due to vulnerabilities in Java. Adobe's Acrobat Reader accounted for another 28 percent of vulnerabilities.

Source
Click to expand...

Indofred · Jan 15, 2013

or just use Avira anti virus.
That cures the problem.

mutmekep · Jan 15, 2013

Indofred said: ↑

or just use Avira anti virus.
That cures the problem.
Click to expand...

Antivirals can never solve all problems , blackhats are as good in their job as commercial programmers .
I was trying to remove a highjacker from boss 's computer yesterday , superantispyware, avira and malwarebytes couldn't find anything so i googled and there was like 6 updates of removal instructions since July !
I am using scriptblock addon for firefox only and never had an issue with web security (if you don't have it just disable java) , of course there is no such thing as a perfectly safe environment .

Ctrl · Jan 15, 2013

mutmekep said: ↑

Antivirals can never solve all problems , blackhats are as good in their job as commercial programmers .
I was trying to remove a highjacker from boss 's computer yesterday , superantispyware, avira and malwarebytes couldn't find anything so i googled and there was like 6 updates of removal instructions since July !
I am using scriptblock addon for firefox only and never had an issue with web security (if you don't have it just disable java) , of course there is no such thing as a perfectly safe environment .
Click to expand...

Cough... linux... cough...

mutmekep · Jan 16, 2013

Ctrl said: ↑

Cough... linux... cough...
Click to expand...

There is malware for linux but even if we consider it safe who will teach +55 year old bosses how to use it ?

Ctrl · Jan 16, 2013

mutmekep said: ↑

There is malware for linux but even if we consider it safe who will teach +55 year old bosses how to use it ?
Click to expand...

This isn't malware. This is a polymorphic java trojan. It has 0 effect on linux. Viruses, trojans... these have no affect on linux. Linux uses role based security to do everything. Nothing launches with root permissions... unless you specifically open a terminal and launch it as such... which is a really stupid thing to do. You can make the decision to install something wicked, and provide credentials... but that is how it would have to be done.

"malware" is a catchall for anything that "does not behave as you desire" that is not a virus or a trojan.

Malware can affect active sessions in a browser. It does not affect the OS. You might get a browser redirect/hijack.. and the ultimate solution to any such nonsense is to open your package manager and click reinstall.

You pick a desktop environment that looks similar to windows... and show them that if they want a program they open the package manager and search for a term related to what they want to do, and click the install button. Oh and everything is free and there is no loss of productivity due to viruses.

I do it just about every week.

Ctrl · Jan 16, 2013

Take a look at this thread.

http://www.politicalforum.com/other-off-topic-chat/284479-so-what-all-linux-crap-i-hear-about.html

Log in or Sign up

Java security threat

waltky Well-Known Member

Ctrl Well-Known Member Past Donor

waltky Well-Known Member

waltky Well-Known Member

waltky Well-Known Member

Indofred Banned at Members Request

mutmekep New Member

Ctrl Well-Known Member Past Donor

mutmekep New Member

Ctrl Well-Known Member Past Donor

Ctrl Well-Known Member Past Donor

Share This Page

Log in or Sign up

Java security threat

waltky Well-Known Member

Ctrl Well-Known Member Past Donor

waltky Well-Known Member

waltky Well-Known Member

waltky Well-Known Member

Indofred Banned at Members Request

mutmekep New Member

Ctrl Well-Known Member Past Donor

mutmekep New Member

Ctrl Well-Known Member Past Donor

Ctrl Well-Known Member Past Donor

Share This Page

Useful Searches