New Java Security Exploit: What is it All About?

Adobe Reader, Flash and Java are used on millions of devices across the globe and are hence a ripe target for security breaches. Security experts have cautioned people to disable Java in their web browsers completely (and, if it is unnecessary, to uninstall Java altogether) following the discovery of a newly spreading, serious security flaw that allows hackers to install malware on Windows, Mac and Linux machines. Cybercriminals seem to be taking advantage of a loophole in Java version 7 (or rather 1.7) to carry out widespread malware attacks (using what is referred to as the Blackhole exploit kit) when users visit an infected website. The exploit has been hosted on an internet domain based in Taiwan. You can read more about this here, here and here.

So far Oracle has not released an emergency patch to fix the zero-day vulnerability (a security attack that happens on the day the vulnerability is discovered, meaning there are 'zero days' to address the issue). The company now releases fixes on a quarterly basis, and the next update is due in October. A security firm claims the exploit was known as far back as April, when it submitted a list of 31 Java security issues to Oracle, and that the company did not issue a fix in the previous quarterly critical patch update cycle in June.

You can check whether your browser is vulnerable to this attack at http://www.isjavaexploitable.com/ (of course, every browser with the Java plug-in enabled is). Further, if you want to disable Java in your browser, follow the steps given by Brian Krebs or the US Computer Emergency Readiness Team. Mozilla too has advised its users to turn off the Java plug-in in the Firefox browser until there is a patch from Oracle. Users have also been warned not to open suspicious emails, which can download the malware onto their PCs when opened.
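The kind of check a site such as isjavaexploitable.com performs, as an added example that is not part of the original post: it looks through `navigator.plugins` for an installed Java plug-in, parses the major version from the plug-in's name or description, and flags the Java 7 (1.7) plug-in the post warns about. The plug-in name and description strings and the `sampleNavigator` object are constructed for the example and stand in for a real browser's `navigator`.

```javascript
// Added example, not code from the original post. Parses a Java plug-in
// version out of strings such as "Java(TM) Platform SE 7 U6" (constructed
// sample, modelled on the Firefox plug-in listing) or "Java Plug-in 1.6.0_33".
function parseJavaVersion(text) {
  let m = /Platform SE (\d+)(?: U(\d+))?/.exec(text);
  if (m) return { major: Number(m[1]), update: m[2] ? Number(m[2]) : 0 };
  m = /(\d+)\.(\d+)\.\d+_(\d+)/.exec(text);
  if (m) return { major: Number(m[2]), update: Number(m[3]) };
  return null;
}

// Reports whether a Java plug-in is present and enabled, its version, and
// the defensive advice that follows from the post (disable Java 7 in the browser).
function javaPluginStatus(nav) {
  const plugins = Array.from(nav.plugins || []);
  const java = plugins.find(p => /java/i.test(p.name) && !/javascript/i.test(p.name));
  if (!java) {
    return { installed: false, enabled: false, major: null, update: null,
             advice: "no Java plug-in found" };
  }
  const v = parseJavaVersion(`${java.name} ${java.description || ""}`) || { major: null, update: null };
  // navigator.javaEnabled() is the legacy browser API; assume enabled if it is absent.
  const enabled = typeof nav.javaEnabled === "function" ? nav.javaEnabled() : true;
  let advice;
  if (!enabled) advice = "Java plug-in installed but disabled in this browser";
  else if (v.major === 7) advice = "Java 7 plug-in enabled: disable it in the browser until a trusted fix is installed";
  else advice = "Java plug-in enabled: disable it unless a site you trust requires it";
  return { installed: true, enabled, major: v.major, update: v.update, advice };
}

// Constructed sample navigator: a browser with Java 7 Update 6 enabled.
const sampleNavigator = {
  javaEnabled: () => true,
  plugins: [
    { name: "Shockwave Flash", description: "Shockwave Flash 11.4" },
    { name: "Java(TM) Platform SE 7 U6", description: "Next Generation Java Plug-in 10.6.2 for Mozilla browsers" },
  ],
};

console.log(javaPluginStatus(sampleNavigator));
```

In a real page the function would be called as `javaPluginStatus(navigator)`; in current browsers the NPAPI Java plug-in no longer loads, so the check mainly documents what the 2012-era tools looked for.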

Update: Oracle has issued an emergency patch ahead of its October critical update cycle to address the zero-day vulnerability in Java that could have exposed PCs to hack attacks. The company is also urging computer users to install the latest version as soon as possible, according to a report from Reuters. The fix is available as an automatic update on the Windows platform or can be downloaded from the following link: java.com/en/download/index.jsp.

Yet another update: Though Oracle has issued a patch for the security loophole months after it was identified, it seems the fix is 'half-baked'. According to Andy Greenberg, security reporter for Forbes, security researchers have found a bug in the critical update, and cybercriminals are currently taking advantage of the flaw in email phishing campaigns. The article goes on to mention two specific examples that mimic mails from Microsoft (regarding its updated services agreement) and Amazon. The phishing campaigns make use of the Blackhole exploit kit, which had earlier been modified to exploit the Java vulnerability. Oracle is already facing a whirlpool of criticism for issuing an update so late, and this 'half-baked' fix further exacerbates the situation. You may once again want to consider disabling Java in your browsers until further notice.

First published: Aug 30, 2012
Later updated with details on the fix: Aug 31, 2012
