Corrine, posted January 10, 2013:
Once again there are reports of a Java zero-day vulnerability being actively exploited in the wild. All versions of Java are impacted, including the most recent release, JRE 7, Update 10. With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection. Significantly, the exploit is not operating system specific and, although currently targeting Windows systems, can also run the same code on Mac OS X or Linux.
Recommendations in my blog post at Java Zero-Day (Again), Time To Disable/Remove Java
zlim, posted January 11, 2013:
I enable then update. I disable, shortly after the update is discovered as ineffective. Over and over and over. Fortunately, I only have it installed on one computer because one website I visit needs it. <sigh>
I forgot to say thanks, Corrine for letting us know it is disable time again.
Edited January 11, 2013 by zlim
V.T. Eric Layton, posted January 11, 2013:
I'm sure this is a serious threat to MS Windows, and possibly MacOS systems, but I'm not seeing any documentation anywhere to show that this exploit can affect Linux systems.
Corrine, posted January 11, 2013:
You're welcome, Liz.
Eric, HD Moore is quoted at Threat Post as saying the exact code can be run on all three operating systems, even though it is currently targeting just Windows: Nasty New Java Zero Day Found; Exploit Kits Already Have It | threatpost
Guest LilBambi, posted January 11, 2013:
Thanks Corrine for pointing that out. I was coming back in to say that!
V.T. Eric Layton, posted January 11, 2013:
> You're welcome, Liz.
> Eric, HD Moore is quoted at Threat Post as saying the exact code can be run on all three operating systems, even though it is currently targeting just Windows: Nasty New Java Zero Day Found; Exploit Kits Already Have It | threatpost
Yes, I saw that quote, Corrine, but what I'm saying is that the ability to run a script outside of the Java sandbox within a Linux system is not going to be able to do much. It will not be able to obtain administrator rights to the OS. The most it could do is maybe... maybe corrupt some user's home directory; and even that is doubtful.
But anyway... I'll definitely be checking on this in my Win XP and 7 installations later this weekend. Thanks, as always, for the prompt alerts regarding all these baddies out there.
Temmu, posted January 11, 2013:
corrine, thanks again for keeping us abreast of the sometimes hostile environment in which we compute! i'm about to walk into my boss' office and discuss java in our environment, and have already sent him a link to your blog's post on java 7's hole.
Corrine, posted January 11, 2013:
You're welcome, Temmu. More and more are joining on the bandwagon to recommend disabling or uninstalling Java, including the Department of Homeland Security and US-CERT.
Apple has disabled Java in OS X Snow Leopard and newer via an updated malware definition list for their XProtect pseudo-antivirus. Mozilla blacklisted the Java plug-in by adding it to the "Click-to-Play" function. This means that if you receive a prompt at a website you are visiting that Java is needed, if you have any doubts, get out of there!
More:
Apple and Mozilla – ‘Just say no to Java’ | Naked Security
Protecting Users Against Java Vulnerability | Mozilla Security Blog
Temmu, posted January 13, 2013:
wow! that's a gutsy move for ff! but good for them! when i told my co-workers about yet another java hole, they groaned along with me... sigh.
Guest LilBambi, posted January 13, 2013:
Yes, I think it's great that Mozilla did that in Firefox. It is very similar to what Google has done in Chrome. The difference from what they were both doing before is that, now, Mozilla has blacklisted the current version of Java as well due to the security risk. Definitely gutsy move and I applaud them for that.
I have updated my blog posting about this Java issue. Thanks Corrine!!!
Corrine, posted January 14, 2013:
Although the Java update was scheduled for Tuesday, January 15, 2013, it has already been released. If you uninstalled Java, consider waiting to find out if you really need it before reinstalling it.
Advice and update information in my blog post: Out-of-Band Oracle Java Critical Security Update Released
Guest LilBambi, posted January 14, 2013:
Thanks Corrine!