Java flaw allows “complete” bypass of security [update]


Abarbarian

Acruncher
Joined
Sep 30, 2005
Messages
10,921
Reaction score
1,174
http://arstechnica.com/security/201...w-allows-complete-bypass-of-security-sandbox/

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years worth of Java software.
Gowdiak and his team have found a total of 50 Java flaws. While this latest one apparently isn’t being exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability.
We asked Oracle for comment this afternoon and have not heard back yet.
Oh the joys of computing
breakfast.gif
 
Ad

Advertisements

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,662
Reaction score
1,159
The original warning has been re-issued by the Homeland Security advisor's in America for people to not only disable Java in their web browser, but go as far as to strongly suggest uninstalling Java completely.

While update 11 should be considered an essential update for all Java users, researchers have warned that the new build is little more than a sticking plaster for the problem, and recommend users actually disable Java from running inside web browsers.

Update 11 specifically acts on a Java exploit in web browsers that the US Department of Homeland Security warned is being “actively exploited” by malware. This allows code to be executed outside of Java’s sandbox, allowing keyloggers and botnet code to be distributed through the Java exploit.

The update basically sets Java’s default security settings to “High”, which means all code from unknown sources will be flagged before running on the user’s say-so.
... and how many of us just click OK.

Researchers warn that despite this new setting, the security can be bypassed by hackers able to mask their code through “social engineering”, which allows them to mask its true origins and claim to be from a trusted source, encouraging users to accept the code even though it’s been flagged.

As a result, the Department of Homeland Security’s Computer Emergency Readiness Team has recommended users should actually disable Java from running in web browsers -- even after applying the latest update.
How to disable Java in your browsers

You can also use the Java Control Panel which is probably the easiest way for IE users ... :)

IcedTea anyone ?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top