Java

Browsers under attack

July 26th, 2014

Hackers have focused their attacks on browsers which ultimately has common theme for benefiting from the end users. As old versions of the Java Runtime Environment (JRE) are typically now blocked in the browser by default, Java applets require explicit activation from users.

Bromium Labs researchers said, “so this attack vector becomes harder and harder to leverage” and “It’s evident that attackers continue to shift focus in between ubiquitous internet facing applications, but there’s a common theme throughout – attacking the end users.” It leaves hackers looking to other popular applications to exploit.

According to the reports by the lab, Microsoft’s IE was one of the most patched and one of the most exploited applications in 2014’s first half, targeted more often than Mozilla’s Firefox, Google Chrome, Java, Adobe Flash, Adobe Reader or Microsoft Office.

The lab also mentioned different techniques used in the attacks which are given below –

  • Zero day techniques in which attackers used Adobe Flash to launch action script virtual machine (ASVM) attacks.
  • Action script spray facilitates the use of return-oriented programming (ROP), which allows attackers to execute malicious code in the presence of security defenses

“This technique leverages the way dense arrays are allocated in memory,” wrote Bromium researchers. “If a vulnerability allows an attacker to control the size of a vector, they could make it as big as the whole memory space and then search for the necessary API calls and ROP gadgets.”

“Traditional heap spray was supposed to deal with early address randomization techniques implemented in various operating systems. Nowadays defenses are much more sophisticated. Malicious code must ‘know’ addresses of crucial libraries and API functions in order to execute,” said Vadim Kotov, Bromium’s senior security researcher. “Actionscript spray provides this ‘knowledge,’ while its ancestor doesn’t even address this issue.”

“Action heap spray — as well as traditional heap spray — is merely an instrument to exploit security vulnerabilities,” Kotov said. “If you want to reduce the probability of being compromised, you need to have reasonable patching policy and invest in protection software.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

University of Delaware’s system hacked

July 29th, 2013

University of Delaware is a major research institution, and one of the oldest universities in the US. UD has become the victim of recent data breach incidents, as personal information of more than 72,000 past and present employees was compromised from the university’s system.

Email had been sent by the university to ensure that those affected are properly informed. To pin down the scale of the breach and to identify any other risk, investigators have been called in.

A system was set up for the employees to check if they were affected or not, all the affected employees were offered credit monitoring services to keep an eye out for potential identity theft.

The risk of identity theft is high as the data stolen included names, addresses, university IDD numbers and Social Security Numbers.

The FBI and forensic teams are probing further, but so far few specifics have emerged, beyond the rather vague statement in the official announcement that the breach was down to “a vulnerability in software acquired from a vendor” – basically saying the fault was with some piece of software not created internally, which doesn’t really narrow the field very much.

However, local news sources claim the flaw was in Struts2 software, which suggests the hack is related to Java.

“The University will not contact you and ask to confirm any of your personal information. If an unknown person contacts you and claims that he or she can help you if you would just confirm your personal information, do not surrender any information,” the university stated.

The university is working with FBI officials on the issue, and is trying to make sure something like this doesn’t happen again. Local news report suggested that the breach was first spotted more than a week ago, leading to sections of the university website being inaccessible for a time.

Get your personal as well as office laptops encrypted by Alertsec

With so much vulnerability on public networks unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen. Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Java Update Plugs 42 Security Holes

April 24th, 2013

Oracle Corp. today released an update for its Java SE software that fixes at least 42 security flaws in the widely-installed program and associated browser plug-in. The Java update also introduces new features designed to alert users about the security risks of running certain Java content.

Java 7 Update 21 contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities. According to Oracle, “39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password”.

There does not appear to be any update for Java 6. Oracle was to stop shipping security fixes for Java 6 in February, but it broke from that schedule last month when it shipped an emergency update for Java 6 to fix a flaw that was being used in active attacks. When I updated a machine running the latest Java 6 version (Update 43) it prompted me to install Java 7 Update 21.

Java 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plug-in). Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority.

Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future. Java applications considered to be higher risk — such as those that use an untrusted or expired certificate — will be accompanied by a prompt with a yellow exclamation point in a yellow warning triangle.

It’s a shortcoming that makes it easy for attackers to bypass the protection. That’s because it presents certificates as trustworthy even when they’ve been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light last month after Java gave the green light to a malicious app even though the digital certificate signing it had been revoked by the company that owned it.

I’ve long urged end users to uninstall Java unless they have a specific use for it (this advice does not scale for businesses, which often have complex custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a favorite target of malware writers and miscreants. Rather than ask users to discern the safety of applications using yellow triangles, blue shields, green clovers or orange stars, I’ll keep telling users to get rid of Java entirely.

If you do need it, unplug it from the browser unless and until you need it. Java 7 lets users disable Java content in web browsers through the Java control panel applet. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

What You Need to Know About the Java Exploit

February 11th, 2013
Image representing Oracle Corporation as depic...

Image via CrunchBase

On Thursday, the world learned that attackers were breaking into computers using a previously undocumented security hole in Java, a program that is installed on hundreds of millions of computers worldwide. This post aims to answer some of the most frequently asked questions about the vulnerability, and to outline simple steps that users can take to protect themselves.

Q: What is Java, anyway?
A: Java is a programming language and computing platform that powers programs including utilities, games, and business applications. According to Java makerOracle Corp., Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices. It is required by some Web sites that use it to run interactive games and applications.

Q: So what is all the fuss about?
A: Researchers have discovered that cybercrooks are attacking a previously unknown security hole in Java 7 that can be used to seize control over a computer if a user visits a compromised or malicious Web site.

Q: Yikes. How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a browser plug-in. According to researchers at Carnegie Mellon University‘s CERT, unplugging the Java plugin from the browser essentially prevents exploitation of the vulnerability. Not long ago, disconnecting Java from the browser was not straightforward, but with the release of the latest version ofJava 7 — Update 10 — Oracle included a very simple method for removing Java from the browser. You can find their instructions for doing this here.

Q: How do I know if I have Java installed, and if so, which version?
A: The simplest way is to visit this link and click the “Do I have Java” link, just below the big red “Download Java” button.

Q: I’m using Java 6. Does that mean I don’t have to worry about this?
A: There have been conflicting findings on this front. The description of this bug at theNational Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including version 4 and 5. Analysts at vulnerability research firm Immunity say the bug could impact Java 6 and possibly earlier versions. ButWill Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced  with Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely.

Either way, it’s important not to get too hung up on which versions are affected, as this could become a moving target. Also, a new zero-day flaw is discovered in Java several times a year. That’s why I’ve urged readers to either uninstall Java completely or unplug it from the browser no matter what version you’re using.

Q: A site I use often requires the Java plugin to be enabled. What should I do?
A: You could downgrade to Java 6, but that is not a very good solution. Oracle will stop supporting Java 6 at the end of February 2013, and will soon be transitioning Java 6 users to Java 7 anyway. If you need Java for specific Web sites, a better solution is to adopt a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

Q: I am using a Mac, so I should be okay, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to foist malware on Mac and Linux systems, in addition to Microsoft Windows machines. Java is made to run programs across multiple platforms, which makes it especially dangerous when new flaws in it are discovered. For instance, the Flashback worm that infected more than 600,000 Macs wiggled into OS X systems via a Java flaw. Oracle’s instructions include advice on how to unplug Java from Safari. I should note that Apple has not provided a version of Java for OS X beyond 6, but users can still download and install Java 7 on Mac systems. However, it appears that in response to this threat, Apple has taken steps to block Java from running on OS X systems.

Q: I don’t browse random sites or visit dodgy porn sites, so I shouldn’t have to worry about this, correct?
A: Wrong. This vulnerability is mainly being exploited by exploit packs, which are crimeware tools made to be stitched into Web sites so that when visitors come to the site with vulnerable/outdated browser plugins (like this Java bug), the site can silently install malware on the visitor’s PC. Exploit packs can be just as easily stitched into porn sites as they can be inserted into legitimate, hacked Web sites. All it takes is for the attackers to be able to insert one line of code into a compromised Web site.

Q: I’ve read in several places that this is the first time that the U.S. government has urged computer users to remove or wholesale avoid using a particular piece of software because of a widespread threat. Is this true?
A: Not really. During previous high-alert situations, CERT has advised Windows users to avoid using Internet Explorer. In this case, CERT is not really recommending that users uninstall Java: just that users unplug Java from their Web browser.

Q: I’m pretty sure that my Windows PC has Java installed, but I can’t seem to locate the Java Control Panel from the Windows Start Menu or Windows Control Panel. What gives?
A: According to CERT’s Dormann, due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or  C:\Program Files (x86)\Java\jre7\bin.

Q: I can’t remember the last time I used Java, and it doesn’t look like I even need this program anymore. Should I keep it?
A: Java is not as widely used as it once was, and most users probably can get by without having the program installed at all. I have long recommended that users remove Java unless they have a specific use for it. If you discover later that you really do need Java, it is trivial and free to reinstall it.

Q: This is all well and good advice for consumers, but I manage many PCs in a business environment. Is there a way to deploy Java but keep the plugin disconnected from the browser?
A: CERT advises that system administrators wishing to deploy Java 7 Update 10 or later with the “Enable Java content in the browser” feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.

Q: Okay, I think I’m covered on Java. But what about Javascript?
A: Because of the unfortunate similarity of their names, many people confuse Java withJavascript. But these are two completely different things. Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

Chrome also includes similar script- and Flash blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as Noscript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted. In addition, there is a very handy add-on for Chrome called NotScripts that works very much like Noscript.

Selectively script blocking can take some getting used to. Most script-blocking add-ons will disable scripting by default on Web sites that you have not added to your trusted list. In some cases, it may take multiple tries to get a site that makes heavy use of Javascript to load properly.

Internet Explorer allows users to block scripts, but even the latest version of IE still doesn’t give the user much choice in handling JavaScript. In IE9, you can select among JavaScript on, off, or prompting you to load JavaScript. Turning JavaScript off isn’t much of an option, but leaving it completely open is unsafe. Choosing the “Prompt” option does nothing but serve incessant pop-up prompts to allow or disallow scripts (see the video below). The lack of a simpler approach to script blocking in IE is one of the main reasons I continue to steer readers toward Firefox and Chrome.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Critical Java Update Fixes 50 Security Holes

February 7th, 2013

Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild.

The original Critical Patch Update for Java SE – February 2013 had been scheduled to be released on February 19th, but Oracle said it decided to accelerate the release of this update because of active exploitation in the wild of one of the vulnerabilities.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply…fixes as soon as possible,” the company wrote in an advisory.

I couldn’t find a definitive account of which zero-day vulnerability in Java had caused Oracle to move up its patch schedule, but recently researchers have uncovered flaws in a mechanism that the company shipped with the previous version of Java that was designed to thwart attacks on the program. With Java 7 Update 10, Oracle introduced a mechanism that would require users to manually allow the execution of Java code not digitally signed by a trusted authority. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java, but researchershave shown that the new feature can be easily bypassed.

The latest versions — Java 7 Update 13 and Java 6 to Update 39 – are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java.comhomepage.

Most end users who have Java on their systems probably don’t need it and can safely remove it (this advice does not scale for users of corporate systems, which may have specific applications that rely on Java). This is a buggy program that seems to produce a reliable stream of zero-day exploit opportunities for malware writers. So, if you don’t need it, junk it.

If you do need it, unplug it from the browser unless and until you need it. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Apple has been taking steps to block Java on OS X systems when new unpatched vulnerabilities have been detected. According to MacRumors, for the second time in a month, Apple blacklisted the current version of the Java Web plugin on OS X, using the “Xprotect” anti-malware system built into OS X to enforce a minimum version number that had yet to be released. However, 9to5Mac.com now writes that Java 7 Update 13 for Mac OS X brings Java on the Mac to the correct version number enforced by Xprotect, meaning Mac users who need Java can use it again without having to monkey with Terminal command-line workarounds.

This is the final set of updates for Java 6 — Oracle is phasing it out and has already taken steps to begin migrating Java 6 users to

Java 7. Overall, this probably a good thing. Lawrence Garvin, the self-described “head geek” at Austin, Texas based network management and monitoring firm SolarWinds, said that while media attention to Java 7′s security issues may be influencing the decision by some organizations to delay upgrading their Java 6 installations, only 18 of the security issues identified since Java 7′s release are unique to Java 7.

“Of the 84 vulnerabilities identified since Java 7’s release, we found that 66 of these existed in Java 6, while 40 existed in Java 5,” Garvin said. “Press coverage around Java 7’s security issues may be influencing some organizations to fail to upgrade their Java 6 installations to Java 7, thinking that Java 7 is flawed, when in fact the entire core of theJava platform has vulnerabilities. Oracle has announced that no new updates will be forthcoming for Java 6 after February 2013, so that any additional vulnerability discovered in Java 7 – and also existing in Java 6 – will never be patched.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Yahoo! Pushing Java Version Released in 2008

February 5th, 2013

At a time when AppleMozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of JavaYahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old.

Yahoo! users who decide to build a Web site within the Internet firm’s hosting environment are steered toward using a free tool called SiteBuilder, which is designed to make building simple Web sites a point-and-click exercise. Yahoo! has offered SiteBuilder to its millions of users for years, but unfortunately the tool introduces a myriad of security vulnerabilities on host PCs.

SiteBuilder requires Java, but the version of Java that Yahoo!  bundles with it is Java 6 Update 7. It’s not clear if this is just a gross oversight or if their tool really doesn’t work with more recent versions of Java. The company has yet to respond to requests for comment.

But this version of Java was first introduced in the summer of 2008 and is woefully insecure and out-of-date. Oracle just released Java 6, Update 39, meaning that SiteBuilder installs a version of Java that includes hundreds of known, critical security vulnerabilities that can be used to remotely compromise host PCs.

There are two reasons why this is a big deal: Java is the biggest source of malware infections across an entire industry of exploit packs — crimeware toolkits that are stitched into hacked and malicious Web sites and designed to exploit known browser flaws. Also, Yahoo! is a major Internet company that ought to know better. Sadly, this Yahoo! offering is aimed at small businesses, who are least likely to understand the importance of updating apps like Java and who are most frequently the targets of extremely costly cyberheists.

One final note about SiteBuilder: Building your site with this tool may not only be hazardous to the security of your PC, it may also make it harder for your site to get the recognition it deserves. A bit of searching on this tool turned up some less than flattering results suggestingthat sites built with SiteBuilder do not support an important type of Web site search optimization called “canonicalization.” I’ll leave it to Matt Cutts, a search guru and head of the anti-spam team at Google, to explain why this is such a fundamental pillar of search engine optimization (SEO).

Update, Feb. 13, 4:47 p.m. ET: Yahoo! finally got back to me, issuing the following spin-tastic statement: ““Yahoo! Web Hosting websites can be built and maintained using a variety of tools that give businesses the flexibility to develop sites according to their needs and technical comfort. We will continue to work on delivering the best experiences for our customers.” When asked what readers should take from the above statement, a spokesperson for the company said Yahoo! had tweaked SiteBuilder so that it is now bundled with Java 6 Update 39, and that it will be updated to Java 7 by the end of the month. Hopefully, it won’t be Java 7 Update 1.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta