Oracle Java SE Update – Critical Update

Oracle Java SE Update – Security Garden

Oracle Java released an update to Java SE 6 and Java SE 7.

Edited to clarify:  Included in the Oracle updates are eighty-eight (88) new critical security fixes across numerous Oracle products, listed in the Oracle Critical Patch Update Advisory.  It is strongly advised that the update be installed for those products as soon as possible due to the thread posed by a successful attack.

More in the article.

Time to start checking Java.com for updates from Oracle that fix the latest Bugfixes for Java for your Windows, Solaris, and Linux operating systems. Linux users can also check their distros for these updates, and Mac users should start checking rigorously for updates to Java SE 6 from Apple.

NOTE: As of 10:37 AM EDT today, April 28, 2012, the Java website still shows Java SE 6, Update 31.

You will want to check the download links on Security Garden’s posting for the most recent updates. Or here on Oracle’s download page for Java SE Runtime Environment 6 Update 32 for Linux, Solaris, Windows (mainstream version that works with most applications). Mac OS X users still need to get their Java SE 6, Update 32 from Apple, so please keep checking!

Thanks for keeping us updated on Oracle’s Java status, Security Garden!

Advertisements

New, sneakier Flashback malware infects Macs

New, sneakier Flashback malware infects Macs – Computerworld

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.

But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

“The differences are very subtle,” Peter James, a spokesman for Intego, said in an interview Tuesday. “There’s no password request [by Flashback.S].”

Much more in the two page article.

Apple will likely need to update their seek and destroy tool very quickly to help users stay free of this new variant.

If you think you are beginning to need an antivirus/antimalware solution, there are quite a few out there. Below are just a few:


Sophos Anti-Virus for Mac Home Edition
– Sophos has a worthy product out there and it is nice that they make their money on corporate/business computers and offer the home version for free.

ClamXav The Free Anti-Virus Solution for Mac OS X It uses the popular open source ClamAV engine as it’s back end and has the ability to detect both Windows and Mac threats.

There are other options as well for the Pay to Play crowd.

ESET Cybersecurity for Mac

And others from Intego Virus Barrier for Mac free and Pro versions available in the Mac App Store. Intego as noted above found this newest FlashBack in the wild). Other Mac antivirus firms Symantec/Norton, and many more.

Many of these come with a heavy CPU usage hit that is very annoying considering the small number of actual threats out there for the Mac. Of course some users may feel that the ones that provide real time protection are the way to go, some may feel it is worth it if their Macs are speedy enough and they have enough RAM.

For those who don’t think they need a Mac antivirus just yet, if you don’t use Java or none of your programs use Java, you could go to the ~/Applications/Utilities/Java Preferences.app and disable Java until you actually need it and then re-enable it as needed. It’s a very easy thing to do really.

Or you could set up AppleScript to monitor areas where malware might inject itself so it will alert you.

Monitor OS X LaunchAgents folders to help prevent malware attacks – CNET

Some additional locations to add can be found at MrAnderson.info here.

Also installing Piriform CCleaner for Mac is a great idea and can be run as needed very quickly every day even.

Certainly less of a system resource hit and one could still have a non-resident antivirus and scan at your convenience and respond if the Applescript tells you something is going on that you didn’t instigate by installing a program, etc.

The Applescript monitoring locations that you can set up is built with Mac OS X which is light on resources and free. The Applescript monitoring does a similar thing as WinPatrol does in Windows – but of course in a very small area comparatively. WinPatrol does so much more but the key similarity is the monitoring for changes to areas that malware can hit a Windows PC.

What we need for people who are not very savvy about these things is a MacPatrol app like WinPatrol.

Call Starkist

New version of Mac OS X Trojan exploits Word, not Java

New version of Mac OS X Trojan exploits Word, not Java – ZDNET

A second variant of the Mac OS X Trojan referred to as Backdoor.OSX.SabPub.a or SX/Sabpab-A is exploiting a Microsoft Word security hole, not the usual Java vulnerabilities used before.

Just a few days ago, a new Mac OS X Trojan was spotted in the wild that exploited Java vulnerabilities and required no user interaction to infect your Apple Mac, just like the Flashback Trojan. Kaspersky referred to it as “Backdoor.OSX.SabPub.a” while Sophoscalled it at “SX/Sabpab-A.” Now, both security firms have confirmed a different variant of this new Trojan that infects Macs by exploiting Microsoft Word, not Java.

Sophos detects the malicious Word documents as Troj/DocOSXDr-A and points to the following Microsoft Security Bulletin: MS09-027. Kaspersky meanwhile points to this security bulletin for the same Microsoft Word security hole: CVE-2009-0563.

So, it looks like uninstalling Java or disabling it is not the biggest threat afterall. 😉 Now you need to upgrade your Microsoft Office software to protect you from this.

Very important to do, and updating your Java is very important too through Apple Software Updates as Apple put out another update that not only fixed the problem, it also removed the malware infection if found.

Better late than never? Apple has released the third Java update in a week for Mac OS X, and this one contains the tool to remove the Flashback malware from infected systems. Beneath the belated fix to help users eradicate the threat, Apple has introduced a proactive approach to reducing security risk, and other vendors should take note.

Java update for OS X patches Flashback malware exploit

Java update for OS X patches Flashback malware exploit – CNET:

Following the recent Flashback malware developments for OS X where unpatched vulnerabilities in the latest Java runtime for OS X were being exploited, Apple has issued an update that brings Java up-to-date and patches these vulnerabilities.

The patch is available via Software Update for systems that have Java installed, but can also be downloaded from the following Apple support Web pages. The update is available only for OS X 10.6 and 10.7, since Apple has stopped supporting prior versions of OS X.

Java for Mac OS X 10.6 Update 7
Java for OS X Lion 2012-001

EDIT:

Mac Botnet Infects More Than 600,000 Apple Computers – eWeek

Apple’s security code of silence: A big problem – CNET
:

Security industry insiders have long known the Mac platform has its holes. The Flashback Trojan is the first in-the-wild issue that’s confirmed this, and big-time. More will follow unless Apple steps up its game.


Secure your Mac from Flashback infection – USAToday
:

Flashback is technically not a trojan-horse application at all, but a “drive-by download” that infects computers by exploiting a vulnerability in Web software.

That makes it much worse than a trojan: You just need to visit a malicious site, without downloading the wrong app or entering an admin password, to have this program silently take command of your Mac and begin altering the content of Web pages.

Find Out if Your Mac Has the Flashback Trojan — the Fast and Easy Way – Mashable – Two quick Applescript scripts if you are squeemish about running commands in a commandline terminal. I have not used them as I checked in commandline. Use at your own risk.

..

It is tragic that for all the online virus/malware scanners that are out there for Windows users, there do not appear to be any for Mac OS X. Now that is tragic.

Java 6 Update 24 Plugs 21 Securty Holes

[tweetmeme source=”franscomputerservices” only_single=false]Java 6 Update 24 Plugs 21 Securty Holes (Krebs On Security)

A new version of Java fixes at least 21 security flaws in the widely-distributed software bundle. Updates are available for Windows, Linux and Solaris users.

Windows users that have Java installed should update as soon as possible. Usually Windows users will see the orange Java update icon in the System Tray (by the clock in the lower right side). When the Java update icon is presented, click on it and follow instructions. Be sure to unclick extra installs for Google Chrome, toolbars, etc. if you don’t want them.

If you haven’t been presented with the Java update icon, go to the Java.com site to download the Java update for Windows.

If you use a Mac, you will have to wait till Apple does the update and hope they do it quickly. Soon Mac users will also be updating through the Oracle Java website like Windows, Linux and Solaris users do now. But not yet.

Race Conditions aka TOCTOU and now KHOBE

[tweetmeme source=”franscomputerservices” only_single=false]There is a ‘supposedly new’ threat on the horizon for Windows XP users, and more so on multi-core systems called KHOBE (Kernel HOok Bypassing Engine).

Although this is a threat, it is not a new threat — in fact, this type of thing has been a threat to computing since 1998 when it was written about in PDF format: RaceConditions.pdf, and in 1996 in this PDF: racecond.pdf and many times since then in articles online about TOCTOU (noted below in this posting).

It definitely sounds pretty bad when it is reported that this ‘new’ KHOBE can bypass EVERY Windows security product in an article by the respected Adrian Kingsley-Hughes at ZDNet Blogs and as reported and tested by MATOUSEC here. And it certainly isn’t a non-issue…

However, let’s look at this objectively. First this is not the first, last or only situation that has or will arise. Race Conditions as noted above have been created by TOCTOU (Time of check to time of use) situations since the dawn of computing and yes, they are not easy to test for in all situations/hardware prior to release of software/Operating Systems, but these types of conditions have been a potential threat for a very long time in all kinds of software.

A time-of-check-to-time-of-use bug (TOCTTOU − pronounced “TOCK too”) is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

Before Windows was capable of true multi-tasking/multi-threading, it was possible to create these conditions on UNIX machines as noted in this 2001 article at InformationWorld.

So, why the fuss now? Windows 7 is basically claimed to be immune — by its omission in the ‘affected Windows Operating Systems’ list. Apparently only Windows XP (ONLY about 60% of Windows users –eeek! — per Adrian Kingsley-Hughes article above), or earlier Windows OSes are affected and in this particular case, and then only by security software that use the KHOBE (Kernel HOok Bypassing Engine).

Graham Cluely at his Sophos Blog notes,

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.

In addition, Paul Ducklin’s Sophos blog notes,

The security panic of the week is the widely-reported story of a “vulnerability” called KHOBE. One news headline goes so far as to announce that this “new attack bypasses virtually all AV protection”.

I disagree.

The sample “attack”, which claims to be an 8.0 earthquake for desktop security software, describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

Much more in his blog entry. All of these links are must read if you wish to understand as much as is possible what the real threat is.

So, given all this, is the game over on security software because this is now disclosed to be possible (READ: it was always possible) — at least till they figure out how to prevent Race Conditions in security software?

Hardly. But due to the release of the information, this situation may make life interesting security-wise for Windows XP users (earlier Windows OSes like Win2K, Win98, WinME, WinNT shouldn’t even be on the net at this point for many reasons, the least of which is this situation).

So, if you are a Windows user what can you do in the meantime?

  • Keep your systems up to date
  • Make sure you have a hardware NAT or SPI Firewall/Router on your local network, and a software firewall in place and working properly and updated (if it’s a third party firewall – Windows Firewall is updated with your Windows Updates)
  • Keep your browsers up to date
  • Keep your browser plugins (Adobe products, Apple products, Java, etc.) and extensions (like Firefox’s AdBlock Plus, etc.) up to date
  • Keep all Internet facing programs (Adobe, Microsoft, etc.) up to date
  • Run your CCleaner (or other Temporary Files/Temporary Internet Files cleaner program) frequently (I actually run mine several times a day) – Fully close any browsers before running your ‘cleaner’ and then re-open it as needed after you run the ‘cleaner’
  • Make sure your antivirus software is updating as it should and doing its scheduled scans
  • Update and Run any cleaner software and secondary anti-malware programs (like Malwarebytes Anti-malware) at least once a week or more often and immediately if something seems odd on your computer
  • Don’t open suspicious emails, even from known senders
  • Be careful where you go on the Internet. Even some legitimate sites have been hacked
  • Be careful about links and friends on Facebook (if you haven’t deactivated your account yet), Twitter, LinkedIn, and other Web 2.0/dynamic Social Networking sites.

In short, do what you should always be doing to keep yourself safe. Because this isn’t over. It was always a possibility whether we were aware or not, and it will likely be a possibility for a long time to come.

You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system. *See EDIT below for a note from BillP about WinPatrol and kernel hooks.

And as I noted earlier, the focus of this issue, at this time, is apparently Windows XP, but any operating system is vulnerable to this type of attack and always has been — and that is not likely going to change any time soon.

EDIT: Added the following comment from BillP who developed WinPatrol:

* Thanks! I’m honored by the mention.
It’s a great topic and mentioning WinPatrol is appropriate since I don’t use any kernel hooking to detect changes. Thumbs Up!

Bill

Oracle Sun ships Java patch as attacks surface

[tweetmeme source=”franscomputerservices” only_single=false]As attacks surface, Sun ships Java sudden Java patch (ZDNet):

In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.

The release notes that accompanies the new Java 6 Update 20 makes no mention of the public flaw disclosure or subsequent attacks but I’ve been able to confirm that the patch does cover the vulnerability released by Google security researcher Tavis Ormandy.

Much more in the article by Ryan Naraine at ZDNet blogs linked above.

Glad to hear they have finally released a patch.

Might want to go get the latest Java 6 Update 20 asap at Manual Downloads at Java.com