
Java security threat


How To Quarantine Java Like The Disease That It's Become.

A new security threat after Oracle patch

Thanks ever so much Java, for that biz-wide rootkit infection. Sysadmin blog.

Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you'll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact its revenge. Closer inspection of the infection revealed deep network penetration that the installed antivirus applications were completely unable to cope with. The chief financial officer of the company relies on cloudy applications that require Java-in-the-web-browser. I have no idea what the initial vector was beyond the swift appearance and disappearance of some malicious Java archive files; the primary delivery mechanism scrubbed itself clean (along with significant chunks of the browser history) right after it downloaded its payload onto the compromised Microsoft Windows PC.

Zeroaccess is a nightmare.

Java security flaw: yada yada yada.

Java is in an unusual state. Oracle, the company behind Java, is currently maintaining both version 6 and 7 with bug fixes. Version 7 has more features, but anyone who doesn't need these features can safely use version 6. Back in June, when I blogged about Defensive Computing with Java, I suggested sticking with version 6 because of its maturity. From a Defensive Computing perspective, new software is always suspect.

Since it had been around longer, I argued that version 6 was less likely to have compatibility issues with existing software that required Java. It turned out that some of the new features in version 7 were not sufficiently debugged. As a result, anyone running Java 7 could get infected with a virus simply by viewing a malicious web page. Today, after a flood of bad press, Oracle released updates to both Java 6 and 7, with assorted bug fixes. Anyone running Java on Windows should now be at either version 6 Update 35 or version 7 Update 7.

If you don't need Java, remove it.

Researchers find critical vulnerability in Java 7 patch hours after release.

News By Lucian Constantin, August 31, 2012 12:08 PM ET, IDG News Service - Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system. Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO, said Friday via email. The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said. Oracle broke out of its regular four-month patching cycle on Thursday to release Java 7 Update 7, an emergency security update that addressed three vulnerabilities, including two that had been exploited by attackers to infect computers with malware since the previous week.

"Independent discoveries can never be excluded," Gowdiak said.

Oracle publishes a security patch for Java 7.

Oracle moved its Java update schedule forward in response to the discovery of a major security flaw that allowed arbitrary code (including non-Java code) to be executed from web browsers that accessed malicious Java applets. The company has released Java SE 7u7, which fixes the flaw; a Polish company claimed yesterday that the flaw had been known to Oracle since April. "Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation [of the flaw] 'in the wild', Oracle strongly recommends that customers apply the updates provided as soon as possible," the vendor states in a security alert.

Oracle specifies that the fixed issues affect both Java Runtime Environment (JRE) 7 from Update 6 onward and Java 6 from Update 34 onward.

Java zero-day exploit goes mainstream, 100+ sites serve malware.

News, August 29, 2012 12:58 PM ET, Computerworld - Attackers using two recently uncovered, unpatched Java vulnerabilities, or "zero-days," have quickly expanded their reach by going mainstream, security experts said today. And on Tuesday, Mozilla, maker of Firefox, joined the chorus of advice that users should disable the current version of Oracle's Java. The company is also ready to automatically block the plug-in from running in its browser, although it has not yet pulled the trigger.

The exploit's breakout followed the addition of attack code to the notorious Blackhole exploit toolkit. Multiple security firms, including FireEye and Websense, said late Tuesday that the Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. Today, Patrik Runald, director of security research at Websense, said his team had found more than 100 unique domains serving the Java exploit.

Six ways to protect against the latest Java vulnerability.

News By Lucian Constantin, August 28, 2012 04:32 PM ET, IDG News Service - Security researchers have proposed several methods for users to protect their computers from ongoing attacks that target a new and yet-to-be-patched vulnerability in all versions of Java Runtime Environment 7. Most of the proposed solutions have drawbacks or are applicable only to certain system configurations and environments.

However, the hope is that in the absence of an official patch from Oracle, users will be able to use one or a combination of them in order to reduce the risk of their systems being compromised. Researchers from security firm FireEye announced the existence of the new Java vulnerability on Sunday and reported that it's being exploited in limited targeted attacks. A working proof-of-concept exploit appeared online the next day and was integrated into Metasploit, an open-source security testing tool used by many penetration testers. Reprinted with permission from IDG.net.

Microsoft: Update Java or kill it.

Microsoft has decided enough is enough: Java-based malware sees no end and it's time to do something about it. The software giant points to two type-confusion vulnerabilities (CVE-2012-0507 and CVE-2012-1723) that have been very actively exploited in recent months. Redmond thus wants you to do one of three things: update Java, disable it, or uninstall it.

First, some background. Type-confusion vulnerabilities are effective because they lead to a sandbox compromise for Java. They occur when the type safety check in the Java Runtime Environment (JRE) fails to reject wrong types supplied to instructions that work with different types. If a class's type safety is broken, an attacker can reach methods that are not supposed to be exposed outside the class. As a result, Microsoft's first recommendation is to update your Java installation. I did that in Chrome and IE9. No working Java was detected on your system. After seeing Microsoft's warning, I chose to kill Java with fire.

Disabling Java is strongly recommended.

If you have installed Oracle's Java 7 (1.7) on your computer, it is strongly recommended that you uninstall it or, at a minimum, disable it in the browser.
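As an added check, not code from any of the articles above, the Python below parses the output of `java -version` and compares the installed update level with the patched levels the articles cite (Java 6 Update 35 and Java 7 Update 7). It serves both the version advice earlier on the page and Microsoft's update-or-disable guidance here. The function names, the threshold table and the sample outputs are constructed for this example; the thresholds are the page's figures, not a current advisory.

```python
import re

# Minimum patched update levels as stated in the articles on this page:
# Java 6 Update 35 and Java 7 Update 7. Constructed table for this example only.
MIN_PATCHED_UPDATE = {6: 35, 7: 7}

# Matches the first line of `java -version`, e.g. java version "1.7.0_06".
# The update suffix (_NN) is optional: a bare "1.7.0" is treated as update 0.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')

# Constructed sample outputs, in the shape `java -version` prints on its first lines.
SAMPLE_OUTPUTS = {
    "old7": 'java version "1.7.0_06"\n'
            'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "patched7": 'java version "1.7.0_07"\n'
                'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)\n',
    "old6": 'java version "1.6.0_34"\n',
    "patched6": 'java version "1.6.0_35"\n',
    "none": "'java' is not recognized as an internal or external command\n",
}


def parse_java_version(output):
    """Return (major, update) from `java -version` text, e.g. "1.7.0_06" -> (7, 6).

    Returns None when no Java version line is present (no JRE installed or on PATH).
    """
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def assess(version):
    """Classify an installed JRE against the update levels cited on this page.

    Returns a short verdict string; callers can key on its first word.
    """
    if version is None:
        return "no Java detected"
    major, update = version
    minimum = MIN_PATCHED_UPDATE.get(major)
    if minimum is None:
        return "unknown major version %d: check vendor advisories" % major
    if update >= minimum:
        return "patched: %du%d is at or above %du%d" % (major, update, major, minimum)
    return ("vulnerable: %du%d is below %du%d; update Java or disable the browser plug-in"
            % (major, update, major, minimum))


def assess_output(output):
    """Convenience wrapper: parse raw `java -version` text and classify it."""
    return assess(parse_java_version(output))


if __name__ == "__main__":
    # Run over the constructed samples; on a real host, feed in the stderr of
    # `java -version` instead (the JVM prints its version banner to stderr).
    for name, text in SAMPLE_OUTPUTS.items():
        print("%-9s %s" % (name, assess_output(text)))
```

On a real machine, replace the constructed samples with the captured banner (for example `subprocess.run(["java", "-version"], capture_output=True, text=True).stderr`); a missing `java` on PATH does not prove the browser plug-in is absent, so pair this with a check of the browser's plug-in list as the articles recommend.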

That is, in any case, the unanimous recommendation of several firms specializing in computer security, including Kaspersky, Sophos and F-Secure. It has been discovered that, since at least August 22, a flaw in the Java interpreter has been exploited to force the browser to silently download any program (including non-Java ones), which is then executed. The problem was first discovered in China, on a page that launched a Windows executable installing Poison Ivy RAT, a tool that gives access to the infected computer. The vulnerability affects only Java 7, and works with every browser: Chrome, Firefox, Internet Explorer, Safari, Opera...

Unpatched Java flaw hit in targeted attacks, researchers say.

News By Lucian Constantin, August 27, 2012 12:41 PM ET, IDG News Service - Attackers are exploiting a new and unpatched vulnerability that affects the latest version of Java -- Java 7 Update 6 -- in order to infect computers with malware, according to researchers from security vendor FireEye. So far, the vulnerability has been exploited in limited targeted attacks, FireEye's senior staff scientist Atif Mushtaq said Sunday in a blog post.

"Most of the recent Java run-time environments, i.e., JRE 1.7x, are vulnerable." The exploit is hosted on a website that resolves to an Internet Protocol address in China, and its payload is a piece of malware that connects to a command and control server located in Singapore. The malware installed in the attacks seen so far appears to be a variant of Poison Ivy, Jaime Blasco, a researcher with security firm AlienVault, said Monday in a blog post.

A zero-day flaw in Java threatens every computer.

01net, 31/08/12 at 10:07. Update of Friday, August 31, 2012: Oracle, which had planned a Java update for October, has finally reacted to the scale of the flaw. The company has just published a fix (Java 7 Update 7), available on this page. On Windows, the update normally happens automatically. We advise installing it if you use Java. First published August 28, 2012: After the eradication of Grum, Atif Mushtaq, security expert at FireEye, distinguishes himself once again.

Within everyone's reach... or almost. The exploit was first used by high-level attackers, apparently for cyber-espionage purposes, to deploy a variant of Poison Ivy, a Trojan horse. The watchword: disable Java! For the moment, Oracle, Java's publisher, has not commented on the matter and no fix is officially available.