Java flaw allows “complete” bypass of security [update]

Abarbarian

http://arstechnica.com/security/201...w-allows-complete-bypass-of-security-sandbox/

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years' worth of Java software.
Gowdiak and his team have found a total of 50 Java flaws. While this latest one apparently isn’t being exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability.
We asked Oracle for comment this afternoon and have not heard back yet.
Oh the joys of computing
The original warning has been re-issued by the Homeland Security advisors in America for people to not only disable Java in their web browser, but go as far as to strongly suggest uninstalling Java completely.

While update 11 should be considered an essential update for all Java users, researchers have warned that the new build is little more than a sticking plaster for the problem, and recommend users actually disable Java from running inside web browsers.

Update 11 specifically acts on a Java exploit in web browsers that the US Department of Homeland Security warned is being “actively exploited” by malware. This allows code to be executed outside of Java’s sandbox, allowing keyloggers and botnet code to be distributed through the Java exploit.

The update basically sets Java’s default security settings to “High”, which means all code from unknown sources will be flagged before running on the user’s say-so.
... and how many of us just click OK.

Researchers warn that despite this new setting, the security can be bypassed by hackers able to mask their code through “social engineering”, which allows them to mask its true origins and claim to be from a trusted source, encouraging users to accept the code even though it’s been flagged.

As a result, the Department of Homeland Security’s Computer Emergency Readiness Team has recommended users should actually disable Java from running in web browsers -- even after applying the latest update.
How to disable Java in your browsers

You can also use the Java Control Panel which is probably the easiest way for IE users ... :)

IcedTea anyone ?