But, I do have some concern about this one.
Is anyone else as confused about the JAVA 'Zero Day' malware threath? I read so many conflicting and seeming erroneous reports. I'd like to have a clear understanding (if there is one).
1. It can effect LINUX. (Can it?)
Thousands of computer users - whether they favour Windows, Mac or Linux operating systems - are at risk from a newly discovered Java vulnerability for which there is currently no fix.
It appears the flaw allows the Blackhole exploit kit to target the Java system using a Pre.jar file that lets it install malware, in this case a banking Trojan, onto users machines, through a variety of methods.
Security firm FireEye warned that criminals have already begun targeting the flaw using the Blackhole exploit kit. Some versions of the malware toolkit were updated to include the ability to exploit the vulnerability earlier this week, the company claimed.
"This morning we started getting the first indication of a large scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly," read FireEye's blog.
"After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands."
FireEye went on to criticise Oracle - which owns Java - for its lack of action regarding the flaw.
"It's very disappointing that Oracle hasn't come forward and announced a date for an emergency update patch," wrote FireEye's Atif Mushtaq.
At the time of publishing Oracle had not responded to V3's request for comment on the exploit or when a patch may be released.
The flaw was uncovered earlier in August and reportedly works on Windows, Linux and OSX operating systems, according to Errata security.
"I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1. I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6. The same exploit worked on all of them," an Errata representative wrote on a company blog.
The Blackhole exploit kit is an automated attack kit available for sale in several online black markets. It allows cyber criminals without sophisticated IT skills to mount automated cyber campaigns.
http://www.v3.co.uk/v3-uk/news/2201420/ ... rs-at-risk
http://threatpost.com/en_us/blogs/nasty ... -it-011013
3. Protect by disabling JAVA in your browser?
http://www.computerweekly.com/news/2240 ... t-zero-day
chrome://plugins/ > Java > Disable
In Firefox: Tools > Addons > Plugins > IcedTea > Disable
4. Do we really need JAVA? I thought we did, but I disabled it in Google-Chrome and the sites I tried work fine?
5. Today I just recieved an update to Oracle JAVA.
From this repo
- Code: Select all
gene@lmdexfce-rc:~$ java -version
java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) Server VM (build 23.6-b04, mixed mode)
Its supposed to address the threat, but maybe not?
http://arstechnica.com/security/2013/01 ... s-that-is/
Earlier this week, a security hole in the latest version of Java was being "massively exploited in the wild." Hackers were turning compromised websites into platforms for installing silent keyloggers or other malicious software. And at the time news broke, even fully patched Java installations were at risk.
Today however, KrebsOnSecurity reporter Brian Krebs is reporting Oracle finally shipped its critical security update. Java 7 Update 11 fixes this sticky situation and it's available both via Oracle’s website and through the Java Control Panel in an active program.
I changed the title to "FACTS" from "QUESTIONS", as sound explanations were given by "Mockturtle" and Zerorzero"
The Kreb's Blog is most informative.
http://krebsonsecurity.com/2013/01/what ... a-exploit/
Just to quote some key points from Krebs...Update, Jan. 13, 8:14 p.m. ET: Oracle just released a patch to fix this vulnerability. Read more here.
http://krebsonsecurity.com/2013/01/orac ... -for-java/
Q: What is Java, anyway?
A: Java is a programming language and computing platform that powers programs including utilities, games, and business applications. According to Java maker Oracle Corp., Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices. It is required by some Web sites that use it to run interactive games and applications.
Q: So what is all the fuss about?
A: Researchers have discovered that cybercrooks are attacking a previously unknown security hole in Java 7 that can be used to seize control over a computer if a user visits a compromised or malicious Web site.
Q: Yikes. How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a browser plug-in. According to researchers at Carnegie Mellon University‘s CERT, unplugging the Java plugin from the browser essentially prevents exploitation of the vulnerability. Not long ago, disconnecting Java from the browser was not straightforward, but with the release of the latest version of Java 7 — Update 10 — Oracle included a very simple method for removing Java from the browser. You can find their instructions for doing this here.
Q: How do I know if I have Java installed, and if so, which version?
A: The simplest way is to visit this link and click the “Do I have Java” link, just below the big red “Download Java” button.
Q: I’m using Java 6. Does that mean I don’t have to worry about this?
A: There have been conflicting findings on this front. The description of this bug at the National Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including version 4 and 5. Analysts at vulnerability research firm Immunity say the bug could impact Java 6 and possibly earlier versions. But Will Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced with Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely.
Either way, it’s important not to get too hung up on which versions are affected, as this could become a moving target. Also, a new zero-day flaw is discovered in Java several times a year. That’s why I’ve urged readers to either uninstall Java completely or unplug it from the browser no matter what version you’re using.
Q: A site I use often requires the Java plugin to be enabled. What should I do?
A: You could downgrade to Java 6, but that is not a very good solution. Oracle will stop supporting Java 6 at the end of February 2013, and will soon be transitioning Java 6 users to Java 7 anyway. If you need Java for specific Web sites, a better solution is to adopt a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.
Q: I am using a Mac/Linux, so I should be okay, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to foist malware on Mac and Linux systems, in addition to Microsoft Windows machines. Java is made to run programs across multiple platforms, which makes it especially dangerous when new flaws in it are discovered. For instance, the Flashback worm that infected more than 600,000 Macs wiggled into OS X systems via a Java flaw. Oracle’s instructions include advice on how to unplug Java from Safari. I should note that Apple has not provided a version of Java for OS X beyond 6, but users can still download and install Java 7 on Mac systems. However, it appears that in response to this threat, Apple has taken steps to block Java from running on OS X systems.
(more on Krebs web site)