The Briefing Room


Title: Feds issue warning on Java security
Post by: mystery-ak on January 13, 2013, 01:30:43 pm
http://dyn.politico.com/printstory.cfm?uuid=03EA6980-4B43-49CC-AAC9-99114838F6ED

Feds issue warning on Java security
By: Tal Kopan
January 12, 2013 12:11 PM EST

The U.S. Department of Homeland Security is recommending that Internet users disable Java in their Web browsers after pinpointing a vulnerability in the Oracle software.

According to a Thursday afternoon post on the U.S. Computer Emergency Readiness Team’s website, Java 7 Update 10 and earlier could allow a remote user to “execute arbitrary code on vulnerable systems,” putting it at risk for malware. A cyberattacker could exploit the risk to either direct a user to visit a website that would download malicious software to their computer or to access a legitimate website and compromise it with a malicious applet (a “drive-by download”), CERT said.

The vulnerability is already being exploited, according to the post, and is reportedly being incorporated into publicly available exploit kits.

Oracle declined to comment on the warning.

CERT vulnerability analyst Will Dormann says the flaw could affect all of Java’s users, which, according to Oracle, reaches 1.1 billion.

“Some users may be running Java 6, which is unaffected by this vulnerability. However, Oracle has reported that it will be automatically updating Java 6 users to Java 7, starting in December 2012. So before long, that would mean that 1.1 billion desktop systems could be vulnerable, assuming that Oracle's numbers are correct,” Dormann said in an email to POLITICO.

Dormann said making matters worse is the fact that the vulnerability is true for most operating systems, including Windows, OS X and Linux, and browser-level protections will not work against it.

“When you combine these aspects together, you get a very attractive target for an attacker,” he said.

CERT says it recommends disabling Java altogether, as it is unaware of a solution to the issue.

The agency credited user Kafeine on the blog “Malware don’t need Coffee” for pointing out the flaw.

Title: Re: Feds issue warning on Java security
Post by: Atomic Cow on January 14, 2013, 02:55:13 am
Java 7.11 was released today.  This should patch the security hole.

Title: Re: Feds issue warning on Java security
Post by: Oceander on January 14, 2013, 04:52:20 am
Not sure if I believe anything that comes out of the federal government; however, if there's a new update available, I see no harm in installing it now rather than waiting.

Title: Re: Feds issue warning on Java security
Post by: Atomic Cow on January 14, 2013, 05:16:29 am
> Not sure if I believe anything that comes out of the federal government; however, if there's a new update available, I see no harm in installing it now rather than waiting.

The exploit in 7.10 was known for a while and the security companies like Symantec and such tried to warn people, but it didn't get press coverage out of the tech world until the feds said something.
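A small triage check a defender could run across machines to see where they stand against the advisory in this thread (Java 7 Update 10 and earlier affected, Java 6 unaffected per Dormann, the 7.11 release patched per the reply above). This is an added example, not code from the article or any poster; it assumes the `java -version` banner format `java version "1.7.0_10"`, in which Java 7 Update 10 is reported as 1.7.0_10, and the sample banners below are constructed.

```python
import re
import subprocess

# Constructed sample banners in the format `java -version` prints (to stderr).
SAMPLE_BANNERS = {
    "jdk7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "jdk7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "jdk6u38": 'java version "1.6.0_38"\nJava(TM) SE Runtime Environment (build 1.6.0_38-b05)\n',
}

# Matches both Oracle ("java version") and OpenJDK ("openjdk version") banners.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, patch, update) parsed from a `java -version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def assess(banner):
    """Classify a banner against the advisory's version boundaries."""
    v = parse_java_version(banner)
    if v is None:
        return "unknown"            # banner not recognised; inspect by hand
    major, minor, _patch, update = v
    if (major, minor) == (1, 7):    # Java 7 is reported as 1.7.0_NN
        return "affected" if update <= 10 else "patched"
    if (major, minor) == (1, 6):    # Java 6 is unaffected per the article
        return "unaffected"
    return "not covered"            # a version the advisory does not describe


def assess_local_java():
    """Run the installed `java -version` (it prints to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "not installed"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(assess_local_java())
```

Treating "affected" and "unknown" results as hosts where the browser plugin should be disabled until updated matches the CERT recommendation quoted in the article.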