

Update Released for Java Zero-Day Exploit!

java linux mac os x windows

11 replies to this topic

#1 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,217 posts

Posted 10 January 2013 - 07:43 PM

Once again there are reports of a Java zero-day vulnerability being actively exploited in the wild.  All versions of Java are impacted, including the most recent release, JRE 7, Update 10.

With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection.  Significantly, the exploit is not operating-system specific and, although currently targeting Windows systems, can also run the same code on Mac OS X or Linux.

Recommendations in my blog post at Java Zero-Day (Again), Time To Disable/Remove Java

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#2 OFFLINE   zlim

zlim

    It's me, plodr

  • Forum MVP
  • 7,109 posts

Posted 10 January 2013 - 08:06 PM

I enable then update. I disable, shortly after the update is discovered as ineffective. Over and over and over.
Fortunately, I only have it installed on one computer because one website I visit needs it. <sigh>

I forgot to say thanks, Corrine, for letting us know it is disable time again.

Edited by zlim, 10 January 2013 - 08:06 PM.

Liz
Registered Linux User # 401459

#3 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 21,321 posts

Posted 10 January 2013 - 08:56 PM

I'm sure this is a serious threat to MS Windows, and possibly MacOS systems, but I'm not seeing any documentation anywhere to show that this exploit can affect Linux systems.

#4 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,217 posts

Posted 10 January 2013 - 11:15 PM

You're welcome, Liz.

Eric, HD Moore is quoted at Threat Post as saying the exact code can be run on all three operating systems, even though it is currently targeting just Windows:  Nasty New Java Zero Day Found; Exploit Kits Already Have It | threatpost

#5 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,545 posts

Posted 11 January 2013 - 09:04 AM

Thanks Corrine for pointing that out. I was coming back in to say that! :thumbsup:
Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#6 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 21,321 posts

Posted 11 January 2013 - 11:55 AM

Corrine, on 10 January 2013 - 11:15 PM, said:

> You're welcome, Liz.
>
> Eric, HD Moore is quoted at Threat Post as saying the exact code can be run on all three operating systems, even though it is currently targeting just Windows:  Nasty New Java Zero Day Found; Exploit Kits Already Have It | threatpost

Yes, I saw that quote, Corrine, but what I'm saying is that the ability to run a script outside of the Java sandbox within a Linux system is not going to be able to do much. It will not be able to obtain administrator rights to the OS. The most it could do is maybe... maybe corrupt some user's home directory; and even that is doubtful.

But anyway... I'll definitely be checking on this in my Win XP and 7 installations later this weekend. Thanks, as always, for the prompt alerts regarding all these baddies out there. :yes:

#7 OFFLINE   Temmu

Temmu

    The Assimilator

  • Forum MVP
  • 12,542 posts

Posted 11 January 2013 - 12:42 PM

corrine, :rose:

thanks again for keeping us abreast of the sometimes hostile environment in which we compute!
i'm about to walk into my boss' office and discuss java in our environment, and have already sent him a link to your blog's post on java 7's hole.

#8 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,217 posts

Posted 11 January 2013 - 07:54 PM

You're welcome, Temmu.  More and more are joining on the bandwagon to recommend disabling or uninstalling Java, including the Department of Homeland Security and US-CERT.

Apple has disabled Java in OS X Snow Leopard and newer via an updated malware definition list for their XProtect pseudo-antivirus.  

Mozilla blacklisted the Java plug-in by adding it to the "Click-to-Play" function.  This means that if you receive a prompt at a website you are visiting that Java is needed, if you have any doubts, get out of there!  :)

More:

Apple and Mozilla – ‘Just say no to Java’ | Naked Security

Protecting Users Against Java Vulnerability | Mozilla Security Blog

#9 OFFLINE   Temmu

Temmu

    The Assimilator

  • Forum MVP
  • 12,542 posts

Posted 13 January 2013 - 02:08 AM

wow! that's a gutsy move for ff! but good for them!

when i told my co-workers about yet another java hole, they groaned along with me... sigh.

#10 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,545 posts

Posted 13 January 2013 - 09:57 AM

Yes, I think it's great that Mozilla did that in Firefox. It is very similar to what Google has done in Chrome. The difference from what they were both doing before is that, now, Mozilla has blacklisted the current version of Java as well due to the security risk. Definitely gutsy move and I applaud them for that.

I have updated my blog posting about this Java issue. Thanks Corrine!!! :thumbsup:
Bambi
AKA Fran


#11 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,217 posts

Posted 13 January 2013 - 08:12 PM

Although the Java update was scheduled for Tuesday, January 15, 2013, it has already been released.  

If you uninstalled Java, consider waiting to find out if you really need it before reinstalling it.

Advice and update information in my blog post:  Out-of-Band Oracle Java Critical Security Update Released

#12 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,545 posts

Posted 13 January 2013 - 09:18 PM

Thanks Corrine! :thumbsup:
Bambi
AKA Fran





