But, I do have some concern about this one.
-----------------------------------------------
Is anyone else as confused about the JAVA 'Zero Day' malware threat? I read so many conflicting and seemingly erroneous reports. I'd like to have a clear understanding (if there is one).
1. It can affect LINUX. (Can it?)
http://www.v3.co.uk/v3-uk/news/2201420/ ... rs-at-risk
Thousands of computer users - whether they favour Windows, Mac or Linux operating systems - are at risk from a newly discovered Java vulnerability for which there is currently no fix.
It appears the flaw allows the Blackhole exploit kit to target the Java system using a Pre.jar file that lets it install malware, in this case a banking Trojan, onto users' machines, through a variety of methods.
Security firm FireEye warned that criminals have already begun targeting the flaw using the Blackhole exploit kit. Some versions of the malware toolkit were updated to include the ability to exploit the vulnerability earlier this week, the company claimed.
"This morning we started getting the first indication of a large scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly," read FireEye's blog.
"After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands."
FireEye went on to criticise Oracle - which owns Java - for its lack of action regarding the flaw.
"It's very disappointing that Oracle hasn't come forward and announced a date for an emergency update patch," wrote FireEye's Atif Mushtaq.
At the time of publishing Oracle had not responded to V3's request for comment on the exploit or when a patch may be released.
The flaw was uncovered earlier in August and reportedly works on Windows, Linux and OSX operating systems, according to Errata security.
"I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1. I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6. The same exploit worked on all of them," an Errata representative wrote on a company blog.
The Blackhole exploit kit is an automated attack kit available for sale in several online black markets. It allows cyber criminals without sophisticated IT skills to mount automated cyber campaigns.
http://threatpost.com/en_us/blogs/nasty ... -it-011013
2. It's only JAVA, not javascripts? (So, the tips of using NO SCRIPTS is not effective?)
http://noscript.net/
3. Protect by disabling JAVA in your browser?
http://www.computerweekly.com/news/2240 ... t-zero-day
In Chrome/Chromium
chrome://plugins/ > Java > Disable
------
In Firefox: Tools > Addons > Plugins > IcedTea > Disable
4. Do we really need JAVA? I thought we did, but I disabled it in Google-Chrome and the sites I tried work fine?
5. Today I just received an update to Oracle JAVA.
From this repo
http://www.duinsoft.nl/packages.php?t=en
Code:
gene@lmdexfce-rc:~$ java -version
java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) Server VM (build 23.6-b04, mixed mode)
http://arstechnica.com/security/2013/01 ... s-that-is/
Earlier this week, a security hole in the latest version of Java was being "massively exploited in the wild." Hackers were turning compromised websites into platforms for installing silent keyloggers or other malicious software. And at the time news broke, even fully patched Java installations were at risk.
Today however, KrebsOnSecurity reporter Brian Krebs is reporting Oracle finally shipped its critical security update. Java 7 Update 11 fixes this sticky situation and it's available both via Oracle’s website and through the Java Control Panel in an active program.
========================================
EDIT:
I changed the title to "FACTS" from "QUESTIONS", as sound explanations were given by "Mockturtle" and "Zerorzero".
The Krebs blog is most informative.
http://krebsonsecurity.com/2013/01/what ... a-exploit/
Just to quote some key points from Krebs...
Update, Jan. 13, 8:14 p.m. ET: Oracle just released a patch to fix this vulnerability. Read more here.
http://krebsonsecurity.com/2013/01/orac ... -for-java/
Q: What is Java, anyway?
A: Java is a programming language and computing platform that powers programs including utilities, games, and business applications. According to Java maker Oracle Corp., Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices. It is required by some Web sites that use it to run interactive games and applications.
Q: So what is all the fuss about?
A: Researchers have discovered that cybercrooks are attacking a previously unknown security hole in Java 7 that can be used to seize control over a computer if a user visits a compromised or malicious Web site.
Q: Yikes. How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a browser plug-in. According to researchers at Carnegie Mellon University’s CERT, unplugging the Java plugin from the browser essentially prevents exploitation of the vulnerability. Not long ago, disconnecting Java from the browser was not straightforward, but with the release of the latest version of Java 7 — Update 10 — Oracle included a very simple method for removing Java from the browser. You can find their instructions for doing this here.
Q: How do I know if I have Java installed, and if so, which version?
A: The simplest way is to visit this link and click the “Do I have Java” link, just below the big red “Download Java” button.
Q: I’m using Java 6. Does that mean I don’t have to worry about this?
A: There have been conflicting findings on this front. The description of this bug at the National Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including version 4 and 5. Analysts at vulnerability research firm Immunity say the bug could impact Java 6 and possibly earlier versions. But Will Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced with Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely.
Either way, it’s important not to get too hung up on which versions are affected, as this could become a moving target. Also, a new zero-day flaw is discovered in Java several times a year. That’s why I’ve urged readers to either uninstall Java completely or unplug it from the browser no matter what version you’re using.
Q: A site I use often requires the Java plugin to be enabled. What should I do?
A: You could downgrade to Java 6, but that is not a very good solution. Oracle will stop supporting Java 6 at the end of February 2013, and will soon be transitioning Java 6 users to Java 7 anyway. If you need Java for specific Web sites, a better solution is to adopt a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.
Q: I am using a Mac/Linux, so I should be okay, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to foist malware on Mac and Linux systems, in addition to Microsoft Windows machines. Java is made to run programs across multiple platforms, which makes it especially dangerous when new flaws in it are discovered. For instance, the Flashback worm that infected more than 600,000 Macs wiggled into OS X systems via a Java flaw. Oracle’s instructions include advice on how to unplug Java from Safari. I should note that Apple has not provided a version of Java for OS X beyond 6, but users can still download and install Java 7 on Mac systems. However, it appears that in response to this threat, Apple has taken steps to block Java from running on OS X systems.
Q: Okay, I think I’m covered on Java. But what about Javascript?
A: Because of the unfortunate similarity of their names, many people confuse Java with Javascript. But these are two completely different things. Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.
Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.
Chrome also includes similar script- and Flash blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as Noscript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted. In addition, there is a very handy add-on for Chrome called NotScripts that works very much like Noscript.
(more on Krebs web site)
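
Added example, not part of the original post or the quoted articles: a shell check that reads a `java -version` banner like the one pasted above and sorts it by what the post reports (fix shipped in Java 7 Update 11; conflicting findings for Java 6 and earlier). The function names and result labels are hypothetical, and the result says nothing about whether the browser plugin is enabled.

```shell
#!/bin/sh
# Added example (not from the post): classify a `java -version` banner using
# only what the post quotes: the fix shipped in Java 7 Update 11, and findings
# for Java 6 and earlier were conflicting. Function names are hypothetical.

# Pull the quoted version (e.g. 1.7.0_11) out of the first matching banner line.
java_version_string() {
    printf '%s\n' "$1" |
        sed -n 's/^[A-Za-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

classify_java_version() {
    ver=$(java_version_string "$1")
    case "$ver" in
        1.[0-9]*.*) ;;                      # legacy 1.<major>.<minor>[_<update>]
        *) echo "unknown"; return 0 ;;      # empty or a scheme the post never shows
    esac
    major=$(printf '%s' "$ver" | cut -d. -f2)
    case "$major" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    case "$ver" in
        *_*) update=${ver#*_}; update=${update%%[!0-9]*} ;;
        *)   update=0 ;;                    # "1.7.0" is the release with no update
    esac
    # Strip leading zeros ("09" -> "9") so the numeric test is unambiguous.
    update=$(printf '%s' "$update" | sed 's/^0*//')
    [ -n "$update" ] || update=0
    if [ "$major" -lt 7 ]; then
        echo "java6-or-earlier-conflicting-findings"
    elif [ "$major" -eq 7 ] && [ "$update" -lt 11 ]; then
        echo "java7-before-update-11"
    elif [ "$major" -eq 7 ]; then
        echo "java7-update-11-or-later"
    else
        echo "not-covered-by-post"
    fi
}

# Banner copied from the post's terminal output.
POST_BANNER='java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)'
echo "post banner: $(classify_java_version "$POST_BANNER")"

# java -version writes to stderr, so merge it into stdout when checking locally.
if command -v java >/dev/null 2>&1; then
    echo "this host:   $(classify_java_version "$(java -version 2>&1)")"
fi
```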