
Java security threat


How To Quarantine Java Like The Disease That It's Become

Apple issues Java update to tackle zero day

A new security threat after Oracle patch

Thanks ever so much Java, for that biz-wide rootkit infection

Sysadmin blog. Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you'll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact its revenge. Closer inspection of the infection revealed deep network penetration that the installed antivirus applications were completely unable to cope with. The chief financial officer of the company relies on cloudy applications that require Java-in-the-web-browser. I have no idea what the initial vector was beyond the swift appearance and disappearance of some malicious Java archive files; the primary delivery mechanism scrubbed itself clean (along with significant chunks of the browser history) right after it downloaded its payload onto the compromised Microsoft Windows PC.

Zeroaccess is a nightmare

Java security flaw: yada yada yada

Java is in an unusual state. Oracle, the company behind Java, is currently maintaining both version 6 and 7 with bug fixes. Version 7 has more features, but anyone who doesn't need these features can safely use version 6. Back in June, when I blogged about Defensive Computing with Java, I suggested sticking with version 6 because of its maturity. From a Defensive Computing perspective, new software is always suspect. Since it had been around longer, I argued that version 6 was less likely to have compatibility issues with existing software that required Java. It turned out that some of the new features in version 7 were not sufficiently debugged. Today, after a flood of bad press, Oracle released updates to both Java 6 and 7, with assorted bug fixes.

Researchers find critical vulnerability in Java 7 patch hours after release

News, by Lucian Constantin, IDG News Service, August 31, 2012, 12:08 PM ET. Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.

Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO, said Friday via email. The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.

Oracle publishes a security patch for Java 7

Java zero-day exploit goes mainstream, 100+ sites serve malware

News, Computerworld, August 29, 2012, 12:58 PM ET. Attackers using two recently uncovered, unpatched Java vulnerabilities, or "zero-days," have quickly expanded their reach by going mainstream, security experts said today.

And on Tuesday, Mozilla, maker of Firefox, joined the chorus of advice that users should disable the current version of Oracle's Java. The company is also ready to automatically block the plug-in from running in its browser, although it has not yet pulled the trigger. The exploit's breakout followed the addition of attack code to the notorious Blackhole exploit toolkit. Multiple security firms, including FireEye and Websense, said late Tuesday that the Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer.

Today, Patrik Runald, director of security research at Websense, said his team had found more than 100 unique domains serving the Java exploit.

Six ways to protect against the latest Java vulnerability

News, by Lucian Constantin, IDG News Service, August 28, 2012, 04:32 PM ET. Security researchers have proposed several methods for users to protect their computers from ongoing attacks that target a new and yet-to-be-patched vulnerability in all versions of Java Runtime Environment 7.

Most of the proposed solutions have drawbacks or are applicable only to certain system configurations and environments. However, the hope is that, in the absence of an official patch from Oracle, users will be able to use one or a combination of them to reduce the risk of their systems being compromised. Researchers from security firm FireEye announced the existence of the new Java vulnerability on Sunday and reported that it's being exploited in limited targeted attacks. A working proof-of-concept exploit appeared online the next day and was integrated into Metasploit, an open-source security testing tool used by many penetration testers.

Reprinted with permission from IDG.net.

Microsoft: Update Java or kill it

Microsoft has decided enough is enough: Java-based malware sees no end and it's time to do something about it.

The software giant points to two type-confusion vulnerabilities (CVE-2012-0507 and CVE-2012-1723) that have been very actively exploited in recent months. Redmond thus wants you to do one of three things: update Java, disable it, or uninstall it. First, some background.

Disabling Java is strongly recommended

If you have Oracle's Java 7 (1.7) installed on your computer, it is strongly recommended that you uninstall it or, at a minimum, disable it in the browser.

That is, in any case, the unanimous recommendation of several firms specializing in computer security, including Kaspersky, Sophos and F-Secure. It has been discovered that since at least 22 August a flaw in the Java interpreter has been exploited to force the browser to silently download any program (including non-Java ones), which is then executed. The problem was first discovered in China, with a page that launched a Windows executable to install Poison Ivy RAT, a tool that gives access to the infected computer.
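The Microsoft advice above (update, disable or uninstall) and this recommendation both start from the same question: which machines are still running an affected runtime? The script below is an added example, not code from any of the articles or vendors quoted on this page. It parses the version string printed by `java -version` (the 1.major.0_update form that Windows and Unix installs both report) and flags hosts below a minimum patched update level. The inventory lines are constructed, and the minimum-safe table is an assumption: the page says Java 7 Update 6 was the current release when the zero-day appeared and that Oracle shipped a fix afterwards, so the table treats 7u7 as the first safe release and leaves Java 6 out of scope; set both from the advisory you are acting on.

```python
"""Triage a Java runtime inventory against minimum patched update levels.

Added example, not code from the articles on this page. The inventory
lines are constructed. The MIN_SAFE_UPDATE table is an assumption taken
from the page's statements (7u6 current and vulnerable, fix shipped after
it); replace it with the values from the vendor advisory you act on.
"""
import re
from typing import NamedTuple, Optional

# Matches the version string printed by `java -version`, e.g. 1.7.0_06,
# which is also what Windows "Programs and Features" inventories report.
_VERSION_RE = re.compile(r"\b1\.(?P<major>[67])\.0(?:_(?P<update>\d+))?\b")

# ASSUMPTION: first update level per major line that carries the fix.
# Java 6 is None because the page says the August 2012 zero-day affected
# only JRE 7; set a number here when an advisory covers 6 as well.
MIN_SAFE_UPDATE = {7: 7, 6: None}


class JavaVersion(NamedTuple):
    major: int
    update: int


def parse_version(text: str) -> Optional[JavaVersion]:
    """Extract the Java major line and update number from free text."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return JavaVersion(int(m.group("major")), int(m.group("update") or 0))


def verdict(v: Optional[JavaVersion], min_safe=MIN_SAFE_UPDATE) -> str:
    """Decide what to do with one host.

    'update'  - a patched release exists and the host is below it
    'ok'      - host is at or above the patched level, or its major line
                is not covered by the advisory being checked
    'unknown' - no Java version could be parsed; treat as suspect, not clean
    """
    if v is None:
        return "unknown"
    threshold = min_safe.get(v.major)
    if threshold is None:
        return "ok"
    return "ok" if v.update >= threshold else "update"


def triage(inventory: str) -> dict:
    """Map hostname -> verdict for 'host<TAB>java -version output' lines."""
    result = {}
    for line in inventory.strip().splitlines():
        host, _, text = line.partition("\t")
        result[host] = verdict(parse_version(text))
    return result


# Constructed sample inventory: hostname, tab, first line of `java -version`.
SAMPLE_INVENTORY = """\
cfo-laptop\tjava version "1.7.0_06"
hr-desktop\tjava version "1.7.0_07"
build-server\tjava version "1.6.0_35"
kiosk-01\tjava: command not found
"""

if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {action}")
```

A host that comes back "unknown" has no parseable Java version; that is a reason to inspect it by hand rather than to assume it is clean, since the first article on this page describes an infection that erased its own delivery files and browser history.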

Unpatched Java flaw hit in targeted attacks, researchers say

News, by Lucian Constantin, IDG News Service, August 27, 2012, 12:41 PM ET. Attackers are exploiting a new and unpatched vulnerability that affects the latest version of Java, Java 7 Update 6, in order to infect computers with malware, according to researchers from security vendor FireEye.

So far, the vulnerability has been exploited in limited targeted attacks, FireEye's senior staff scientist Atif Mushtaq said Sunday in a blog post. "Most of the recent Java run-time environments, i.e., JRE 1.7x, are vulnerable." The exploit is hosted on a website that resolves to an Internet Protocol address in China and its payload is a piece of malware that connects to a command and control server located in Singapore. The malware installed in the attacks seen so far appears to be a variant of Poison Ivy, Jaime Blasco, a researcher with security firm AlienVault, said Monday in a blog post. Reprinted with permission from IDG.net.

A zero-day flaw in Java threatens every computer

01net.