Tuesday, September 4, 2012

JAWAS Strike Again, Oh We mean JAVA!

Crackers have found yet another vulnerability in Oracle's Java software that allows them to break into users' computers and install nasty malware, security experts report. Crackers, yes Crackers, for “Hackers” are seldom malicious, and usually find vulnerabilities and point them out to the developers, whereas Crackers are vandals.

Regardless, the attack was first flagged in public last Sunday by researchers at the security firm FireEye, who identified it as a "zero-day" threat. For those not in security circles, a zero-day (or zero-hour or day zero) attack or threat is one that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. This was so bad that the recommendation was to disable the seldom-used Java from your browser.

Oracle to the rescue…

Oracle today released a new version of Java, plugging security holes so severe that experts recommended that Internet users disable the plug-in immediately. The fix is available for download here for users and here for developers. “Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” the company wrote in a blog post.

Uh... Not so Much…

Wow, a four-day turnaround suggests Oracle was “Johnny on the spot”, right? Well, not so much, for IDG News Service’s Lucian Constantin reported that Polish security researcher Adam Gowdiak had actually notified the Redwood Shores-based company of the problem way back in April, more than 4 months ago. Gowdiak said that the Oracle status report dated Aug. 23 indicated the company was planning to fix the vulnerabilities in its regularly scheduled October update. The latest update, which happened in June, fixed only three of 29 issues that Gowdiak said he had reported. Alex Lanstein of the security firm FireEye, which publicly reported the Java attacks on Sunday, said after researching this further that this exploit was being used much longer than that.

Anyway, ok, so all better now? Should users enable their Java and upgrade? Hmmmm, probably not. The most prudent move here is to disable all programs that are seldom or never used. In short, if you don't really need it, don't enable/install it.

The Good News

One final point: This flaw does not appear to affect the previous version of Java (Version 6, a.k.a. 1.6), which is the default on most Macs. So while Mac users are theoretically as vulnerable as Windows users, only those who have specifically installed Java 1.7 should be at risk.

The Bad News

The loophole appears to affect Java Version 7 (also known as 1.7) on all browsers. So far the attacks have been against PCs, but Mac users are vulnerable as well. Businesses should be especially concerned about targeted attacks.

And on Tuesday, Mozilla, maker of Firefox, joined the chorus of advice that users should disable the current version of Oracle's Java. The company is also ready to automatically block the plug-in from running in its browser, although it has not yet pulled the trigger. Multiple security firms, including FireEye and Websense, said late Tuesday that the Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer.

Today, Patrik Runald, director of security research at Websense, said his team had found more than 100 unique domains serving the Java exploit.

"The number is definitely growing...and because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days," Runald said in an email reply to questions Wednesday.

Diagnosis, Radical Removal of JAVA plug-in..

Given the potential seriousness and pervasiveness of the attacks, experts say that everyday Internet users should probably just disable Java entirely. Like, right now. "Java has been the most exploited program for well over a year now and it simply isn't worth the risk," Chet Wisniewski of the security firm Sophos told me in an email. "I would recommend removing Java entirely, if you can."

Disabling Java for Dummies…

  • In Firefox, select "Tools" from the main menu, then "Add-ons," then click the "Disable" button next to any Java plug-ins.
  • In Safari, click "Safari" in the main menu bar, then "Preferences," then select the "Security" tab and uncheck the button next to "Enable Java."
  • In Google Chrome, type "Chrome://Plugins" in your browser's address bar, then click the "Disable" button below any Java plug-ins.


Of course, for the Explorer user, this is not intuitive, but you already know this, right? The blog Krebs on Security summarizes a procedure that "may or may not work." Alternatively, you could uninstall Java from your system, provided you don't need it for some particular application or website that's important to you.

So “Once more unto the breach, dear friends, once more;”

____________________________________________________________
About Rick Ricker

An IT professional with over 20 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 333-8394 x 689
