Topic: You were once again urged to disable Java to avoid 0day xploit(sss)

Quote:
"Users urged to disable Java as new exploit emerges
All operating systems, browsers vulnerable

By Neil McAllister in San Francisco

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available."

http://www.theregister.co.uk/2012/08/27 … k_exploit/

Last edited by TechDud (2013-01-17 17:46:56)

Re: You were once again urged to disable Java to avoid 0day xploit(sss)

Thanks very much!!!

Re: You were once again urged to disable Java to avoid 0day xploit(sss)

You're welcome.

Re: You were once again urged to disable Java to avoid 0day xploit(sss)

JRE7u7 is now released which addresses the bugs.

Re: You were once again urged to disable Java to avoid 0day xploit(sss)

Neil McAllister in San Francisco for The Register wrote:

"Oracle rushes out patch for critical 0-day Java exploit
'Everything's fine now, please don't delete us'  lol

By Neil McAllister in San Francisco"

"Maurice said that the vulnerabilities patched only affect Java running in browsers, and not standalone desktop Java applications or Java running on servers. According to Oracle's official advisory on the flaws:

    These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

That certainly matches the description of the vulnerabilities first spotted on a rogue website by security firm FireEye on Sunday. Exploits for the flaws have since been incorporated into the notorious Blackhole malware toolkit and the Metasploit penetration testing tool.

On Wednesday, Adam Gowdiak of Polish startup Security Explorations revealed that his company had disclosed details of the vulnerabilities in question – along with 29 others – to Oracle in April of this year, but that the database giant still had not fixed the flaws as of its June Critical Patch Update (CPU).

Oracle told Security Explorations that it had developed fixes for most of the other vulnerabilities it had submitted and that they would be ready for the next Java CPU. Unfortunately, however, that patch kit wasn't scheduled to be released until October 16."

from http://www.theregister.co.uk/2012/08/30 … day_patch/

additional reading:
"Oracle knew about critical Java flaws since April  Could have issued patches, but didn't 
By Neil McAllister in San Francisco"
http://www.theregister.co.uk/2012/08/30 … out_flaws/

"Super-critical Java zero-day exploits TWO bugs  Write Once, Exploit Everywhere 
By John Leyden"
http://www.theregister.co.uk/2012/08/30 … ay_latest/
Quote:

"Sean Sullivan, a security adviser at F-Secure, commented: "The perpetual vulnerability machine that is Oracle's Java Runtime Environment (JRE) has yet another highly exploitable vulnerability (CVE-2012-4681). And it's being commoditised at this very moment. There being no latest patch against this, the only solution is to totally disable Java.""

"Why Java would still stink even if it weren't security swiss cheese  Nuke it from orbit - it's the only way to be sure 
By Trevor Pott"
http://www.theregister.co.uk/2012/08/30/i_hate_java/


Personally, I like Java, albeit in a non-internet-enabled environment.
Would Java be better suited to Virtualized Systems for an Internet-enabled environment?

Last edited by TechDud (2012-08-31 17:53:26)

Re: You were once again urged to disable Java to avoid 0day xploit(sss)

Oops.

Re: You were once again urged to disable Java to avoid 0day xploit(sss)

Indeed.

Michael Mimoso wrote:

"Oracle Leaves Fix for Java SE Zero Day Until February Patch Update"
http://threatpost.com/en_us/blogs/oracl … ate-101712

"Researcher Develops Patch for Java Zero-Day, Puts Pressure on Oracle to Deliver its Fix"
"A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would."
http://threatpost.com/en_us/blogs/resea … fix-102212

Last edited by TechDud (2013-01-17 17:49:41)

Re: You were once again urged to disable Java to avoid 0day xploit(sss)

1) "Calling all java-enabled 'mobe users:",
... maybe all at once on a special 900 number from the Cayman Islands, nowhere near YOU, for 5 quid a minute?
At least the black hats are not pushing the "reset code #" yet, AFAIK.

John Leyden from The Register wrote:

"A new Java zero-day security vulnerability is already being actively exploited to compromise PCs. The best way to defend against the attacks is to disable any Java browser plugins on your systems."
http://www.theregister.co.uk/2013/01/10/java_0day/

see also http://phys.org/news/2013-01-java-software-peril.html
This may be a sign of how bad the situation truly is.
It made for a headline in Phys.org, a physics news site!

That article originates from SecureList; quoted below.
https://www.securelist.com/en/blog/2081 … stribution

Kurt Baumgartner, a Kaspersky Lab Expert wrote:

"One of the best statements that I have seen in regards to the fairly impractical "just uninstall it" approach was presented by one of the handlers at the ISC Storm Center in today's issue of SANS NewsBites: It seems each time a zero day exploit is found in software, be that Java or otherwise, the industry pundits recommend that people stop using that software. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry. We need to be looking at better ways to defend our systems and data, one good place to start is the 20 Critical Security Controls http://www.sans.org/critical-security-controls/"

2) Tangentially, Firefox 20 development builds render Flash content with the built-in HTML5 engine.  That will allow many to say goodbye to the official product with its questionable, oft-communicating auto-updater that doesn't auto-update, nor has it had to for some time now (until today, that is).
For now, if you absolutely have to render these documents in a browser, they can be rendered via HTML5 & JavaScript (sadly not controllable with NoScript, AFAIK) on Firefox with this Mozilla plugin, which is reviewed here.

Krzysztof Kowalczyk's SumatraPDF offers a free standalone application.

John Leyden wrote:

"'Better than Adobe' Foxit PDF plugin hit by worse-than-Adobe 0-day
New security hole: How an evil URL will ruin your day"
http://www.theregister.co.uk/2013/01/11 … ugin_vuln/


3) Also, here is a thought-provoking article by Alexander Gostev, via SecureList & Kaspersky Labs.  Every DriverPack member should become aware of what the issues are.  I reason that it is one based upon "collisions" with existing Security Catalogs and other Certificates, though I have no examples.  Correct me if I am wrong.
https://www.securelist.com/en/analysis/ … er_Weapons


4) Even Canonical's Ubuntu (& therefore distros built upon Ubuntu, incl. LinuxMint) is now reportedly spying upon users:
http://www.neowin.net/news/richard-stal … g-on-users
I've got my eye on LinuxMint Debian Xfce, so to speak, not literally, that is.


5) In the ilk of "only Nixon could go to China",
only Google Chairman Eric Schmidt could go to North Korea!
"Stone-Cold State Dept. said so"
http://allthingsd.com/20130112/north-ko … k-on-dude/


6) It all reminds me, in an abstract sense, of the 300+ tonne "slipped" vessel, the alleged outlaw carjacking, gold bar transmuting, fleet-footed Senior Nuclear Operator currently allegedly on the lam, or the tanker's meeting with San Francisco's Bay Bridge!


7) Alright, break's over; we know what we're up against.  Let's get Krakken!
After all, it's far better to be proactive than reactive.
Like with electricity (no pun intended or harmed):
http://www.theregister.co.uk/2013/01/09 … n_rations/
1.5 kilowatts?  What would Doc Emmett Brown think?

Slow news week?  I think not!


Edit:  Now that's how I celebrate a thousandth post!

Last edited by TechDud (2013-01-15 12:43:29)

Re: You were once again urged to disable Java to avoid 0day xploit(sss)

Comments I've read today say update 11 is not a good 'fix' but merely a patch pending a better solution by Oracle.


Re: You were once again urged to disable Java to avoid 0day xploit(sss)

Respectfully, Oracle is not the only organization where one might demand progress.

http://markey.house.gov/sites/markey.ho … pMetal.pdf

from http://enenews.com/gundersen-u-s-govt-t … tems-audio

Last edited by TechDud (2013-01-15 19:17:22)

Re: You were once again urged to disable Java to avoid 0day xploit(sss)

Neil McAllister of TheReg wrote:

"Surprised? Old Java exploit helped spread Red October spyware
New Java exploit can be yours for $5,000"

...

"Metasploit founder HD Moore claims it will likely take Oracle two years to get its Java security house in order, given its past track record."

Quoted from: http://www.theregister.co.uk/2013/01/16 … onnection/

Last edited by TechDud (2013-01-17 17:45:48)