
  • Posts Tagged: Oracle


    20 Oct 11

    Critical Java Update Fixes 20 Flaws

    Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software. Nearly all of the Java vulnerabilities can be exploited remotely to compromise vulnerable systems with little or no help from users.

    If you use Java, take some time to update the program now. According to a report released this month by Microsoft, the most commonly observed exploits in the first half of 2011 were those targeting Java flaws. The report also notes that Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.

    Methods for exploiting one of the flaws fixed by this update were detailed at a recent security conference in Buenos Aires, where researchers demonstrated a method for intercepting encrypted SSL and TLS traffic.



    12 Oct 10

    Java Update Clobbers 29 Security Flaws

    Oracle today released a critical update to its widely-installed Java software, fixing at least 29 security vulnerabilities in the program.

    Most consumers on Microsoft Windows PCs will have some version of Java installed (if you’re not sure whether you have Java or what version might be installed, click this link). Existing users can grab the latest version — Java 6 Update 22 — by visiting the Windows Control Panel, clicking on the Java icon, and then selecting the “Update Now” button on the “Update” tab. If you don’t already have this software, I recommend that you keep it that way.

    Per Oracle’s advisory, updates are available for Windows, Solaris and Linux versions of Java. Apple maintains its own version of Java for OS X systems, and typically issues fixes for its version several months after the official Java release.

    Be aware that Java’s updater may by default also include free “extras” that you may not want, such as the Yahoo! Toolbar or whatever other moneymaker they decide to bundle with their software this time around, so be sure to de-select that check box during installation if you don’t want the add-ons.


    5 Aug 10

    Crimepack: Packed with Hard Lessons

    Exploit packs — slick, prepackaged bundles of commercial software that attackers can use to booby-trap hacked Web sites with malicious software — are popular in part because they turn hacking for profit into a point-and-click exercise that even the dullest can master. I’ve focused so much on these kits because they also make it easy to visually communicate key Internet security concepts that otherwise often fall on deaf ears, such as the importance of keeping your software applications up-to-date with the latest security patches.

    One of the best-selling exploit packs on the market today is called Crimepack, and it’s a kit that I have mentioned at least twice in previous blog posts. This time, I’ll take a closer look at the “exploit stats” sections of a few working Crimepack installations to get a better sense of which software vulnerabilities are most productive for Crimepack customers.

    Check out the following screen shot, taken in mid-June from the administration page of a working Crimepack exploit kit that targeted mostly German-language Web sites. This page shows that almost 1,800 of the nearly 6,000 people who browsed one of the stable of malicious sites maintained by this criminal got hacked. That means some software component that 30 percent of these visitors were running either in their Web browsers or in the underlying Windows operating system was vulnerable to known software flaws that this kit could exploit in order to install malicious software.

    Peering closer at the exploit stats, we see that one exploit was particularly successful: Webstart. This refers to a vulnerability in Java, a powerful and widely-deployed software package that many users aren’t even aware they have on their systems, let alone know they need to keep it updated, which Oracle/Sun patched in April 2010. (By the way, I got some serious flak for recommending that users who have no need for Java uninstall the program completely, but I stand by that advice.) As seen from the chart, this single Java flaw was responsible for nearly 60 percent of the successful attacks on visitors to these hacked sites.



    20 May 10

    Apple Ships Java Security Update

    Apple has pushed out an update that fixes at least 30 security vulnerabilities in its version of Java for Mac OS X systems.

    The patch appears to fix a flaw in Java for which Oracle shipped a fix more than a month ago, and which attackers were using to install malicious software on Microsoft Windows systems.

    Updates are available for Mac OS X v10.5.8 and Mac OS X v10.6.3 or later, via Apple Downloads or Software Update. The new release brings Java on the Mac to the current version, Java 6 Update 20.


    20 Apr 10

    Mozilla Disables Insecure Java Plugin in Firefox

    Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code.

    On April 15, Oracle Corp. pushed out an update to its Java software to fix a dangerous security flaw in the program. The patch came just a day after it became clear that criminals were using the flaw to break into vulnerable systems.



    15 Apr 10

    Java Patch Targets Latest Attacks

    Oracle Corp. has shipped a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.

    Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

    On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

    If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.
