Oracle Sun ships Java patch as attacks surface

[tweetmeme source=”franscomputerservices” only_single=false]As attacks surface, Sun ships Java sudden Java patch (ZDNet):

In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.

The release notes that accompanies the new Java 6 Update 20 makes no mention of the public flaw disclosure or subsequent attacks but I’ve been able to confirm that the patch does cover the vulnerability released by Google security researcher Tavis Ormandy.

Much more in the article by Ryan Naraine at ZDNet blogs linked above.

Glad to hear they have finally released a patch.

Might want to go get the latest Java 6 Update 20 asap at Manual Downloads at Java.com

Unpatch Java Exploit Spotted in-the-wild

[tweetmeme source=”franscomputerservices” only_single=false]Unpatch Java Exploit Spotted in-the-wild (Krebs on Security):

Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.

As I mentioned last time, it is sad that Java is needed to help keep your systems safer through Secunia’s OSI (Online Software Inspector) by helping you keep your Internet facing programs up to date.

For now, if you are not sure if you have Java on your system, you can look in Add/Remove Programs (Windows XP) or Programs, Uninstall Programs (Vista and Windows 7) to see if it is installed. The best option at this point is to probably uninstall Java entirely on Windows computers until Oracle realizes the dangers this problem poses to Windows users.

Of course if you would prefer, you could use the link to SANS Internet Storm Center (New bug/exploit for javaws) to review your options.

Another option would be to use Firefox with the NoScript Extension and only allow scripting on trusted sites. NOTE: Even though java is not javascript, most plugins use some sort of scripting to wrap their plugins in to work in a browser so using NoScript would go a long way to protecting users and still be able to use Secunia’s OSI noted earlier in this article.

However, note that there is still the possibility that the malware cocktail could still potentially gain access through Internet Explorer even if you are not using Internet Explorer. To prevent this, Windows users might consider installing BillP Studios’ WinPatrol so they are alerted to any changes to their system before it happens and be given an opportunity to prevent it – You can try it out for free, but it is one of the best $19.99 you ever spent ($10 off right now, normal price $29.99). BillP Studios used to have a free version which can still be found on sites like FileHippo.com (note, however that it is not the new version which is apparently only offered in Trial/Buy).

According to the article, popular lyrics site: songlyrics dot com (I did not create a link to it and I would NOT recommend going there if you have Java installed!) the “Crimepack” exploit kit is being used to foist a cocktail of malware on Windows users’ computers.

I mentioned this Java vulnerability in my last posting. If you want more information, please see my earlier post and Brian Kreb’s Krebs on Security article above.

Tavis Ormand tried to get through to Oracle about the danger, but they chose to rate it as not that important. They indicated that it could wait till the normal patch cycle. However, apparently, they didn’t fix it then either because when all the Oracle quarterly cycle patches came out this week it wasn’t in their list of fixed vulnerabilities — which means they apparently intend to wait till the NEXT cycle!

Roger Thompson, chief research officer at AVG says:

the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers…

It is hard to say whether visiting sites like the lyrics site would hurt other OSes like Mac OS X (especially Tiger which hasn’t had a Java update in ages!), or Linux because Brian Krebs’ article was geared to Windows users.

Oracle, Java and Security

[tweetmeme source=”franscomputerservices” only_single=false]Oracle, Java and Security … oh my!

Java bug exposes users to serious code-execution risk – Researchers disclose because Oracle won’t!

This zero day bug, which is in the Java Web Start (this is automatically added as an ‘extension’ in Firefox – which I always disable) has become a real problem. Here’s a quote from the article regarding the Researchers’ attempt to make Oracle understand the severity of this issue:

Both researchers stressed the ease in which attackers can exploit the bug using a website that silently passes malicious commands to various Java components that jump-start applications in Internet Explorer, Firefox, and other browsers. Ormandy said he alerted Java handlers in Oracle’s recently-acquired Sun division to the threat but “they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

(bold emphasis in the quote mine)

Merely disabling ActiveX or Firefox plugins isn’t enough because the toolkit is installed separately from Java. That means the only temporary fixes are browser specific for IE and Firefox and involve setting killbits or employing file system access control list features. (More about that here).

Or we could always just uninstall Java entirely until Oracle decides to protect their users.

That is a sad option since Secunia makes use of Java for it’s OSI (Online Software Inspector) which has become a very handy free tool for folks to keep up on the myriad of “Internet-facing” programs, plugins, missing Windows Updates, etc.

And of course, Weather.gov (for animated maps) and NASA/JPL use Java for many online projects. I would think they would want Oracle to rethink their position on this problem!

Plus, this is not just a Microsoft Windows Issue. The article also notes that this could affect Linux.

And from the sound of it, also Apple’s Mac OS; particularly since Apple is slow to upgrade Java on their OS platform, and they haven’t done an update for Java in a while for OS X Tiger at all.

What a mess. This issue with Java vulnerabilities, and how Oracle is handling it, may well provide a backdrop that opens up other concerns about Oracle’s stance on security related to their flagship products … things that maybe Oracle wouldn’t want folks to start thinking about…