Oracle

Java Update Plugs 42 Security Holes

April 24th, 2013

Oracle Corp. today released an update for its Java SE software that fixes at least 42 security flaws in the widely-installed program and associated browser plug-in. The Java update also introduces new features designed to alert users about the security risks of running certain Java content.

Java 7 Update 21 contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities. According to Oracle, “39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password”.

There does not appear to be any update for Java 6. Oracle was to stop shipping security fixes for Java 6 in February, but it broke from that schedule last month when it shipped an emergency update for Java 6 to fix a flaw that was being used in active attacks. When I updated a machine running the latest Java 6 version (Update 43) it prompted me to install Java 7 Update 21.

Java 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plug-in). Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority.

Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future. Java applications considered to be higher risk — such as those that use an untrusted or expired certificate — will be accompanied by a prompt with a yellow exclamation point in a yellow warning triangle.

It’s a shortcoming that makes it easy for attackers to bypass the protection. That’s because it presents certificates as trustworthy even when they’ve been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light last month after Java gave the green light to a malicious app even though the digital certificate signing it had been revoked by the company that owned it.

I’ve long urged end users to uninstall Java unless they have a specific use for it (this advice does not scale for businesses, which often have complex custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a favorite target of malware writers and miscreants. Rather than ask users to discern the safety of applications using yellow triangles, blue shields, green clovers or orange stars, I’ll keep telling users to get rid of Java entirely.

If you do need it, unplug it from the browser unless and until you need it. Java 7 lets users disable Java content in web browsers through the Java control panel applet. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Critical Java Update Fixes 50 Security Holes

February 7th, 2013

Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild.

The original Critical Patch Update for Java SE – February 2013 had been scheduled to be released on February 19th, but Oracle said it decided to accelerate the release of this update because of active exploitation in the wild of one of the vulnerabilities.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply…fixes as soon as possible,” the company wrote in an advisory.

I couldn’t find a definitive account of which zero-day vulnerability in Java had caused Oracle to move up its patch schedule, but recently researchers have uncovered flaws in a mechanism that the company shipped with the previous version of Java that was designed to thwart attacks on the program. With Java 7 Update 10, Oracle introduced a mechanism that would require users to manually allow the execution of Java code not digitally signed by a trusted authority. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java, but researchershave shown that the new feature can be easily bypassed.

The latest versions — Java 7 Update 13 and Java 6 to Update 39 – are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java.comhomepage.

Most end users who have Java on their systems probably don’t need it and can safely remove it (this advice does not scale for users of corporate systems, which may have specific applications that rely on Java). This is a buggy program that seems to produce a reliable stream of zero-day exploit opportunities for malware writers. So, if you don’t need it, junk it.

If you do need it, unplug it from the browser unless and until you need it. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Apple has been taking steps to block Java on OS X systems when new unpatched vulnerabilities have been detected. According to MacRumors, for the second time in a month, Apple blacklisted the current version of the Java Web plugin on OS X, using the “Xprotect” anti-malware system built into OS X to enforce a minimum version number that had yet to be released. However, 9to5Mac.com now writes that Java 7 Update 13 for Mac OS X brings Java on the Mac to the correct version number enforced by Xprotect, meaning Mac users who need Java can use it again without having to monkey with Terminal command-line workarounds.

This is the final set of updates for Java 6 — Oracle is phasing it out and has already taken steps to begin migrating Java 6 users to

Java 7. Overall, this probably a good thing. Lawrence Garvin, the self-described “head geek” at Austin, Texas based network management and monitoring firm SolarWinds, said that while media attention to Java 7′s security issues may be influencing the decision by some organizations to delay upgrading their Java 6 installations, only 18 of the security issues identified since Java 7′s release are unique to Java 7.

“Of the 84 vulnerabilities identified since Java 7’s release, we found that 66 of these existed in Java 6, while 40 existed in Java 5,” Garvin said. “Press coverage around Java 7’s security issues may be influencing some organizations to fail to upgrade their Java 6 installations to Java 7, thinking that Java 7 is flawed, when in fact the entire core of theJava platform has vulnerabilities. Oracle has announced that no new updates will be forthcoming for Java 6 after February 2013, so that any additional vulnerability discovered in Java 7 – and also existing in Java 6 – will never be patched.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta