Attackers Pounce on Zero-Day Java Exploit

Discussion in 'malware problems & news' started by siljaline, Aug 27, 2012.

Thread Status:
Not open for further replies.
  1. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Wow, then Chromium rules, because it was configured by default to ask. :D
     
  3. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Same here. There are good suggestions listed on this thread for users who need Java. However, I still honestly feel that uninstalling Java from one's system is the best suggestion if one can afford it. Many a time I see Java (and outdated ones) on machines in which the users hardly have a need for it. Granted, sometimes one may have a need for it, but let's say if the need is a rare instance, it is in my opinion that the inconvenience of downloading/installing the latest version of Java for a 1-time use is worth it.
     
  4. tlu

    tlu Guest

    Because you enabled click-to-play? You can do that also in Firefox and Opera.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Chromium/Chrome always asks before running Java on a new website.
     
  6. tlu

    tlu Guest

    Thanks - I didn't know that (I had Java disabled anyhow).
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Researchers find critical vulnerability in Java 7 patch hours after release

    https://www.computerworld.com/s/art...erability_in_Java_7_patch_hours_after_release

    Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.


    To be more clear, the exploit does not make use of the patch, i.e. the patch did not introduce the vulnerability. The patch removed some areas that should have been protected initially. This was enough to stop the current vulnerabilities but not quite good enough to stop the others.
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Back to disable.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Okay, I finally figured out how to protect against this exploit...
    Adios, Java!
    Took me a little longer than some other folks around here, but I eventually got it. :thumb:
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Java Java, non stop Palava :thumbd: :p

    @ Coldmoon

    Hello Sir, how ya doing :)

    Does Returnil AV protect against this?
     
  11. mattbiernat

    mattbiernat Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    179
    Location:
    U.S.
    How to secure Java?

    To Moderators: Okay, I started a new topic because I would like to get specific answers on how to secure Java.

    To everyone else: One of my critical applications relies on Java. How do I run it securely despite all those zero-day attacks...
     
  12. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    Oracle's Java Security Woes Mount As Researchers Spot A Bug In Its Critical Bug Fix
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Words to the wise...
     
  14. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I didn't enable anything, it was by default; luckily I always use "Just Once" so it never remembers any website. :D
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    To one degree or another, this has always been the case. ATM, it's Oracle and Java. At varying times it's been Adobe, both their PDF reader and Flash. Microsoft has been there for multiple items, including the always popular Internet Explorer. They've had to patch their patches on more than a few occasions. They've all had and still have unpatched vulnerabilities, and these are only the ones we know about. Patching does not and never will make you secure. It's little more than closing individual holes in a screen door.

    It's always been up to the user to recognize that attack surface apps are vulnerable and will always be vulnerable. The user's security policy should acknowledge this by:
    1. Removing or disabling the unnecessary attack surface components.
    2. Reducing access to the more vulnerable parts of the attack surface, e.g. blocked by default, allowed by exception.
    3. Hardening the attack surface apps, isolating them from the rest of the system, reducing privilege, etc.
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    But since this thread is about Java, we specify Oracle. ;)
    It's up to us, not them, to protect our machines.
    Hopefully that becomes clearer all the time.
    PS - Enjoyed the "closing individual holes in a screen door" line.
     
  17. guest

    guest Guest

    "Removing or disabling the unnecessary attack surface components."

    This is how I look at the entire operating system on my PC.

    Entire Install Size of Windows XP at around 200Mb does not leave too much left to hack :argh:
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I learned this almost eight years ago, when I was introduced to the concept of White Listing from a Security Paper by SecureWave, an EndPoint Solutions security company which is now Lumension Security.

    From their Paper:

    An Ounce of Prevention
    http://www.infosec.co.uk/ExhibitorLibrary/123/An_Ounce_of_Prevention.pdf

    There are many knowledgeable/alert System Administrators out there that we don't hear about, because their systems are not compromised, so no sensational stories to make the latest news.

    Just one example: Shortly following the emergence of the LNK exploit - MS10-046 (via boobytrapped USB sticks) - I spoke with one System Administrator whose organization has about 300 workstations.

    He told me that a Group Policy prevented any code from running from USB external media on the workstations.

    ----
    rich
     
    Last edited: Sep 1, 2012
  19. Amin

    Amin Registered Member

    Joined:
    May 16, 2012
    Posts:
    437
    Location:
    UK
    Java v7 update 7 is free from exploits now?

    Or does it have critical vulnerabilities as well?

    What should I do to protect myself from that vulnerability?
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    There is a new issue with this update that, when combined with issues from April 2012, can facilitate a successful code execution attack on Java 7.
    Disabling Java or removing it has been the recommendation all along.
    I disabled, then decided to uninstall.
    My computers so far run fine without it.
     
  21. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Lifted from Oracle's Java Security Woes Mount As Researchers Spot A Bug In Its Critical Bug Fix

    Java 7 Update 7 still vulnerable! Tsk....Goodbye Java!

    How to Unplug Java from the Browser
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Eight years ago is when I started learning the value of a default-deny policy and of isolating/un-integrating the attack surface apps. I definitely don't miss the "constant state of emergency" that some make every new exploit out to be.
    The security industry doesn't profit from strong, well-implemented policy either. If anything, it hurts product sales. IMO, the hype over new exploits and vulnerabilities is primarily to create fear and a demand for their security products, much of which is powerless against new exploits anyway.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I use AppGuard in lockdown mode from Blue Ridge Networks, so I run Java and Adobe all I want. I don't really see any of these exploits or any future exploits getting by AppGuard anytime soon. I could be wrong, but that is how confident I am in AppGuard.
     
  24. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  25. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,010
    Location:
    U.S.A.
    Merged Threads to Continue Related Topic.
     