Oracle issues patch for Java loopholes

V_R

¯\_(ツ)_/¯
Moderator
Joined
Jan 31, 2005
Messages
13,573
Reaction score
1,888
Oracle has issued a patch for loopholes in its Java program that was being actively abused by cyber-thieves.
The software giant took the unusual step of issuing the patch well before the usual date for security updates.
The patch closes loopholes that together left users of almost every operating system vulnerable to infection by viruses.
Tens of thousands of machines are believed to have been infected by viruses that exploit the bugs.
Oracle typically issues security patches for Java every quarter but it tore up the usual schedule because the bugs were being increasingly abused.
Security firms said code to exploit the loopholes had been recently added to the popular Blackhole crimeware kit. This software package is an all-in-one computer crime kit that makes it easy for those with little technical knowledge to become cyber-thieves.
Adding code to the kit would hugely boost the numbers of malicious hackers trying to compromise computers running Java.
Java is a widely-used programming language designed to let developers write programs once that can then be run, with minimal changes, on any computer. Oracle claims Java is used on more than one billion desktop computers.
Some sites use it to add extras to their webpages that can be used via a browser add-on or plug-in. Some games, including Runescape and Minecraft, are built around Java.
Security expert Brian Krebs said the safest way to avoid any trouble was to remove it from a computer system.
"If you don't need Java, uninstall it from your system," he wrote in a blogpost about the security updates.
http://www.bbc.co.uk/news/technology-19434927

That said.....

Polish security firm Security Explorations has sent an advisory, with a proof-of-concept exploit, to Oracle today (Friday 31 AUG) specific to a vulnerability they discovered in the Java 7 security update released Thursday. This newly reported vulnerability can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.
Standby for more on this one, no word yet from Oracle regarding their remediation plans.
As Rapid7's Tod Beardsley has said: "As it happens, very few websites rely on Java for dynamic content. Java isn't relied on nearly as much as Javascript and Flash. Most people can disable their Java browser plugin and not really notice the difference."
What mitigations are you utilizing to protect yourselves? Going so far as disabling Java all together? Feedback welcome via comments.
See Scott's post from yesterday for the original advisory details.
https://isc.sans.edu/diary.html?storyid=14017&rss
 
Back
Top