Java 7 0day Actively Exploited In The Wild
January 10, 2013
There is a 0day vulnerability (identified flaw, with no patch available) being actively exploited across the Internet in Java. This 0day has already been incorporated into Cool Exploit Kit and Blackhole, in addition to Nuclear Pack and Redkit. Proof of concept code is already publicly available and we expect to see fully functioning exploit code incorporated into even more exploit frameworks within the next few days.
What does this mean to you?
- This vulnerability affects Java 7 versions up to and including the current version of Java, 7u10
- Even if you're only running Java 6, users will be forced to automatically upgrade to version 7 in February of this year. This means further exposure to this vulnerability.
What you can do now to avoid being exploited
- Disable Java entirely
- If you don't need Java, remove it from the system entirely
- Lower and manage desktop privileges with solutions like PowerBroker for Windows
- Scan and detect this vulnerability with Retina Network
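An added example, not part of the original post or the quoted advisory: a small check that classifies `java -version` output against the affected range the advisory states (Java 7 up to and including 7u10). The 7u11 cut-off is an assumption taken from later posts in this thread, the function names are mine, and the sample version strings are constructed.

```python
import re
import subprocess

# Affected range from the advisory quoted above: Java 7 up to and including 7u10.
# Assumption (from later posts in this thread): the fix shipped in 7u11.
LAST_VULNERABLE_UPDATE = 10
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')  # e.g. java version "1.7.0_10"

def parse_java_version(output):
    """Return (major, minor, patch, update) from `java -version` text, or None if unrecognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return int(major), int(minor), int(patch), int(update or 0)

def is_affected(version):
    """True for Java 7 (1.7.x) at update 10 or lower, the range the advisory names."""
    if version is None:
        return False
    major, minor, _patch, update = version
    return major == 1 and minor == 7 and update <= LAST_VULNERABLE_UPDATE

def classify(output):
    """Map raw `java -version` output to 'affected', 'not-affected' or 'unknown'."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"

def installed_java_status():
    """Classify the java on PATH; note that `java -version` writes to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return "not-installed"
    return classify(proc.stderr + proc.stdout)

# Constructed sample outputs (hypothetical, not captured from real machines).
SAMPLES = {
    'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)': "affected",
    'java version "1.7.0_11"': "not-affected",
    'java version "1.6.0_38"': "not-affected",  # Java 6 is outside the range the advisory states
}

def check_samples():
    """Run the constructed samples through classify(); True when every expectation holds."""
    return all(classify(text) == expected for text, expected in SAMPLES.items())
```

A version at or below 7u10 is the trigger to disable or remove the plug-in as the advisory recommends; a later version only tells you this particular range is not in play.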
(CNN) -- The critical Java vulnerability that is currently under attack was made possible by an incomplete patch Oracle developers issued last year to fix an earlier security bug, a researcher said.
The revelation, made Friday by Adam Gowdiak of Poland-based Security Explorations, is the latest black eye for Oracle's Java software framework, which is installed on more than 1 billion PCs, smartphones, and other devices.
Firefox disabled mine automatically, will leave it like that until the fix
I'm assuming there isn't any malicious code out there yet, just a possibility due to the exploit?
I can't see why you'd make that assumption?
Actually yeah, sorry, misread the article.
Presume the vulnerability would only be exploited at malicious webpages? E.g. not at the TBB Speed Test.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Firefox disabled mine automatically, will leave it like that until the fix
It's been this way for a long, long time. I can't remember the last time Firefox enabled it without a warning.
Mine hasn't been; I think it did with version 6, but not with version 7 until now.
Not necessarily, according to articles I've read, as even legit sites could have code injected into them. They will patch it in a few days anyway, so best to just be safe until then.
No, legit sites are compromised all the time. The only way to be safe is to uninstall Java or disable the web plug-in.
Out of curiosity, how would you put malicious code on a legit site? Do they need to hack into the web server to do it, or are there other ways around it?
- Compromise the advert server, altering the javascript served by the advert
- Exploit a vulnerability in a script running on a webserver (Wordpress, Joomla, etc).
- Exploit a vulnerability in out-of-date software running on a server (Apache, PHP, etc)
Lots of points of entry.
In the latest Sophos newsletter there is an item :- Protect against latest Java zero-day vulnerability right now: Mal/JavaJar-B
http://nakedsecurity.sophos.com/2013/01/10/protect-y... which is in broad agreement with many other warnings.
I have uninstalled Java and so far the only downside is not being able to use the usual tbb speedtest. The flash-based test seems just as good, but I can't see how to log my results.
I miss the ability to view results as a graph, which I find useful to get an overview of results.
To add to our potential gloom, Sophos has posted this :-
"Vulnerability reported in Foxit PDF plugin for Firefox - how to mitigate it"
http://nakedsecurity.sophos.com/2013/01/11/vulnerabi...
We live in interesting times!
Thing is, every piece of software will have vulnerabilities, but usually they're patched pretty quickly. Java releases the next lot of regular fixes on the 15th, so it will probably have this issue fixed too... until the next time.
Unlike Chrome, Adobe Flash & Reader, Java doesn't have a built-in automatic background update facility. This is why it is one of the most exploited pieces of software.
Just had Java 7 u11 installed. Is that OK?
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Ahh, the old "I don't use it, so no one should" solution.
I'm using it though, but it's not safe.
Not you; the first article author.
It automatically checks for updates though and tells you about them. It might not install them automatically, but you do know when new versions are out (although it only checks weekly, I think).
Most people ignore the update icons in the Windows tray. Totally useless feature.
All software will have a bug or two; the problem here is that Oracle takes a while to fix them.
Best advice is, as always, be careful where you surf.
Virgin (ADSL) => Namesco => Newnet => O2 => Plusnet => Zen => Newnet => Zen => Freeola => Vivaciti (using O2 Wholesale DSL) => Xilo (C&W Wholesale) => Xilo (O2 Wholesale)
Note: I don't lay turf for anyone, astro or otherwise. All views and opinions expressed are my own, based on experience.
Edited by techguy (Mon 14-Jan-13 17:30:10)
Thanks for stating the obvious. Other companies such as Microsoft, Google & Adobe have done the right thing by enabling automatic background updates. Java doesn't play nice with UAC, and favours a user account with full admin rights (XP style). It's such a mess.
A mess indeed when you get the US Dept for Homeland Security coming out with a warning that even after the latest patch Java is very risky.
Just had this posting from ZDnet :-
"Homeland Security warns Java still poses risks after security fix"
"some security experts are warning that the new software -- Java 7 (Update 11), which was released on Sunday -- may not actually protect against hackers attempting to remotely execute code on user machines."
http://www.zdnet.com/homeland-security-warns-java-st...
I'm going to try to carry on without Java, even though I found today I could not access parts of some sites, for example DHL, where I found I could not track an order. Not a big problem.
My only minor irritation is not being able to display the F1 live timing.
O2 Standard (8Mbps LLU)
Which part of the DHL website requires Java?
Please provide a link.
BTW, if you run Chrome, you can whitelist plug-ins to run on certain websites only.
Silly me! The problem I thought I had was due to disabled JavaScript.
I do know it is not the same... mea culpa!
Still did not track my order, but the goods are not urgent and I ain't going out in this weather.
Is it possible, via some virus/malware or whatever, for disabled Java add-ons to be enabled again without the user knowing?
Maybe, but malware enabling disabled add-ons should be the least of your worries. Your system has already been compromised!