Critical Java SE update due Tuesday fixes 40 flaws

Critical Java SE update due Tuesday fixes 40 flaws – The Reg

And yes, most are remotely exploitable

According to Oracle’s security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password.

Oracle plans to release its latest Java SE Critical Patch Update on June 18, 2013.

Watch for it and install it if you have Java installed on your system. If you are sure you don’t need Java for anything, it would be best to uninstall it or disable it until the update, or at least disable Java in your browsers.

New Twist to Online Tech Support Scam and more

This one has been going on for quite a while, but it is definitely spreading like a bad rash. Just to prove it, one of my clients got a call from one of these while I was actually at their home for an appointment to work on their computer. What’s the chance of that happening? It’s certainly never happened before. And they are definitely using some serious social engineering to fool people into allowing them to get into their computers to quote/unquote fix their computers.

Thanks to Windows Secrets and Fred Langa for the link:

Windows Secrets reader Scott Brande was recently on the receiving end of a typical tech-support con. Recognizing it for what it was, he carefully documented the attempted snow job, then sent in his notes as a service to all Windows Secrets readers.

Check out the rest of Fred Langa’s article for the fully documented story.

And from IC3.gov site:

New Twist to Online Tech Support Scam and more – IC3.gov Scam Alerts (Jan 7, 2013)

NEW TWIST TO ONLINE TECH SUPPORT SCAM

The IC3 continues to receive complaints reporting telephone calls from individuals claiming to be with Tech Support from a well-known software company. The callers have very strong accents and use common names such as “Adam” or “Bill.” Callers report the user’s computer is sending error messages, and a virus has been detected. In order to gain access to the user’s computer, the caller claims that only their company can resolve the issue.

The caller convinces the user to grant them the authority to run a program to scan their operating system. Users witness the caller going through their files as the caller claims they are showing how the virus has infected their computer.

Users are told the virus could be removed for a fee and are asked for their credit card details. Those who provide the caller remote access to their computers, whether they paid for the virus to be removed or not, report difficulties with their computer afterwards; either their computers would not turn on or certain programs/files were inaccessible.

Some report taking their computers to local technicians for repair and the technicians confirmed software had been installed. However, no other details were provided.

In a new twist to this scam, it was reported that a user’s computer screen turned blue, and eventually black, prior to receiving the call from Tech Support offering to fix their computer. At this time, it has not been determined if this is related to the telephone call or if the user had been experiencing prior computer problems.

Unbelievable! MICROSOFT DOESN’T DO THAT!

Avoid tech support phone scams

Cybercriminals don’t just send fraudulent email messages and set up fake websites. They might also call you on the telephone and claim to be from Microsoft. They might offer to help solve your computer problems or sell you a software license. Once they have access to your computer, they can do the following:

  • Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
  • Take control of your computer remotely and adjust settings to leave your computer vulnerable.
  • Request credit card information so they can bill you for phony services.
  • Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.

Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

More here at Microsoft’s article: Avoid Phone Scams

Some more interesting things in the IC3 Scam Alerts:

You might also find the rest of the IC3 Scam Alerts interesting; including a list of the most popular passwords out there. If you are using any of them as passwords, you might just want to change it now!

Also some info on Java Exploit that is for sale for 5 digits! :

Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program, KrebsOnSecurity has learned.

Might want to check out: How to Unplug Java from the Browser

IE10 is now available for Windows 7 – Finally

IE10 is now available for Windows 7 – Finally!!

It is great news that the most modern Internet Explorer browser will now be available for Windows 7.

Before today, IE10 was only available for Windows 8 and that only since about October 2012.

In SecurityGarden’s posting about this:

Key Improvements

Key improvements in IE9 include improved performance, security, and privacy.  Of major significance are the results of the independent testing conducted by NSS Labs, referenced below, in which IE10 with App Rep had a mean malware block rate of 99.1%.

More about CPU, Windows 7 32/64 bit requirements, check to see if your computer is 32-bit or 64-bit by clicking a link on the article,  and of course the download links, and more, all on SecurityGarden’s posting.

Oh, another cool feature of IE10, is one that is already built into Google Chrome. Flash is incorporated within IE10 and updated within the browser. Hopefully that will work out well over time for both browsers. And hopefully they will not fall down on their vigilance in being very fast in getting the Flash updates incorporated as they are released.

Disable Java – Windows, Mac, Linux

US Department of Homeland Security advises disabling Java following fresh zero-day vulnerability – The Verge

A new Trojan horse has been discovered that exploits a flaw found in Java, leaving computers running Windows, Mac OS, and Linux vulnerable to attack. Mal/JavaJar-B allows attackers to remotely trigger code once it infects a system, potentially leading to the installation of malware, or even ransomware. Oracle hasn’t yet patched the vulnerability, which targets even the latest version of Java.

US-CERT RECOMMENDS THAT USERS DISABLE JAVA IN WEB BROWSERS

Apple has already taken care of this on the Mac by updating to disallow all Java except including the new one that hasn’t even been released yet. Excellent move from Apple.

Firefox and Google Chrome has had you click to even use Java for awhile now. From my experience, I believe that includes the current version of Java as well. As noted above, Firefox now includes the current version of Java in their blacklist. You have to personally choose to actually use Java using their Click to Play feature. Thank you Mozilla!

Google Chrome has instituted on December 21, 2012, noted in their blog posting, a feature that disallows silent extension addon installations. I believe this is something that Mozilla did some time ago when they experienced problems with it. Or maybe not.

So you will definitely want to disable Java in all browsers in Windows, Linux and on the Mac just to be safe for now.

Internet Explorer now allows you to disallow plugins by default and only allow those you specifically allow. But if you have allowed Java in the past, you will want to disable it:

How to Disable Java – PCMag

The PCMag article gives instructions for all the main browsers. Check it out and please for your sake don’t use a browser for general use that allows Java at least for now.

Disable it in at least one browser that you can use for general purpose use.

Whichever method you choose, visit the Java test page at http://java.com/en/download/testjava.jsp to confirm that Java is disabled. Yes, you’ll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

More here at Security Garden, Dottech.org (How to/tutorial with images) and Venture Beat as well.

I have Java totally disallowed in my main browser, and enabled in one of my other browsers so I can still go to Secunia.com to use their OSI (Online Security Inspector) to check plugins and Internet facing programs. I also compare that with Firefox’s plugin checker. This in Windows. On my Mac, I have Java disabled in all but one browser and turn Java on and off as needed overall. In Linux Java is also disabled in my main browser.

This is very important until Oracle gets this updated and is quick to fix these vulnerabilities.

Oracle really needs to get on the stick before they and all the programs that make use of them are made obsolete! And there are millions of them!!!

EDIT: As of 1/11/2013 – Added Mozilla’s and Apple’s change to include blacklisting of the current version of Java due to the Trojan affecting even the current version of Java. See the info earlier in the posting.

Microsoft Security Advisory (2798897)

Microsoft Security Advisory (2798897)

This is a security advisory about fraudulent certificates that need to be revoked!

As Security Garden wrote here:

Microsoft released Security Advisory 2798897 to provide notification regarding a a fraudulent digital certificate issued by TURKTRUST Inc.

TURKTRUST Inc. incorrectly created two subsidiary Certificate Authorities: (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was used to issue a fraudulent digital certificate to *.google.com.

The Certificate Trust list update is available through Windows Updates.

Be sure to apply any Windows Updates that are waiting (showing in the lower right corner in the system tray) to be installed and/or check for Windows Updates manually to be sure you have the update!

This is an important update since fraudulent digital certificates can make spoofing attacks possible.

More information at KrebsOnSecurity here:

Google and Microsoft today began warning users about active phishing attacks against Google’s online properties. The two companies said the attacks resulted from a fraudulent digital certificate that was mistakenly issued by a Turkish domain registrar.

In a blog post published today, Google said that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain.

More info from WOT and Firefox and Chrome:

Google blocked both certificates in Chrome on December 26. It now plans to no longer display “Extended Validation” status in Chrome for any certificate issued by TurkTrust. It’s debating whether to also block any connection to HTTPS sites validated by the CA.

Mozilla announced that it too was revoking trust for the two problem certificates in a Firefox update landing next Tuesday. TurkTrust’s root certificate is also being excluded from Firefox for the time being. Microsoft is doing the same, as are other browser vendors.

I would imagine that Apple will be also releasing an update to their Digital Certificate list if this is a universal issue.

Microsoft issues Fix It for IE vulnerability

Microsoft issues Fix It for IE vulnerability

According to this Computerworld article and Security Garden Blog:

Microsoft has released a quick fix for a vulnerability in older versions of its Internet Explorer browser that is actively being used by attackers to take over computers.

Microsoft Fix it

Microsoft Fix it

Fix it for Security Advisory 2794220 now available – Microsoft TechNet Blog

We have updated Security Advisory 2749920 to include the Fix it we discussed in Saturday’s blog post.  This easy, one-click Fix it is available to everyone and prevents the vulnerability from being used for code execution without affecting your ability to browse the Web. Additionally, applying the Fix it does not require a reboot. While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems.

BOLD emphasis mine.

Even if you use another browser, this Fix it should still be applied.

Oracle to stop patching Java 6 in February 2013

Oracle to stop patching Java 6 in February 2013 – Computerworld

The article notes that of course this will be a hardship for Mac OS X Snow Leopard users and for users of earlier versions of OS X, but that is not as far as this rabbit hole goes. Very good article. Well worth a read.

That will leave a significant portion of Mac users without the means to run an up-to-date Java next year. According to Web metrics company Net Applications, approximately 41% of all Macs still run versions of OS X older than Lion.

Apple will presumably issue the final OS X patches for Java 6 in February alongside Oracle’s update.

It will also be hard on businesses, and even government agencies and departments, that will now be forced to work over their Java based programs to make sure they will still work with the current versions of Java 7.

That also means that Oracle themselves will have to update their Forms and Reports (or maybe these are things built by the companies using them too), to work with Java 7 so companies and some government agencies and departments can allow vendors that provide service and products to them. Currently, many of them must make use of Oracle Forms and Reports built on Java 6 from a special site like the MyInvoice subdomain that the government military still uses. That site requires a later version of Java 6 even now. This puts them and their vendors at risk by requiring an old Java on their systems in order to even work with them.

And what about the medical community. I have seen them falling down on the job as well on keeping up with the version of Java that physicians must use on their computers in order to read X-Rays remotely from home or on the road.

The article further is concerned about even upgrading to Java 7:

On Tuesday, Polish researcher Adam Gowdiak, who reported scores of Java vulnerabilities to Oracle this year, told the IDG News Service, “Our research proved that Java 7 was far more insecure than its predecessor version. We are not surprised that corporations are resistant when it comes to the upgrade to Java 7.”

Now that is sad news indeed. There are many sites that make use of Java and with good reason! Even Android is based on Linux — C,C++ and Java. As are many embedded systems, phones, and many electronic devices around the home.

Oracle needs to fix this problem and their Java. If they are going to be the owner of Java, they need to do better with the Java programming language that companies are not concerned about moving to their Java 7! So many programming eco systems out there depend on Java.

They inherited Java and the huge eco systems that depend on them, and base of users when they bought out Sun Microsystems. They can’t make swiss cheese with a door and think people will be be fine with this. Even things like OpenOffice.org and LibreOffice depend on Java — thankfully the current Java, but even that is according to this article, problematic. And what about all the embedded devices that depend on Java? When you install Java and are waiting for it to install, Oracle proudly talks about the billions of devices, that run Java. Oracle’s Java.com About page proudly states:

To date, the Java platform has attracted more than 9 million software developers. It’s used in every major industry segment and has a presence in a wide range of devices, computers, and networks.

Java technology’s versatility, efficiency, platform portability, and security make it the ideal technology for network computing. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

  • 1.1 billion desktops run Java
  • 930 million Java Runtime Environment downloads each year
  • 3 billion mobile phones run Java
  • 31 times more Java phones ship every year than Apple and Android combined
  • 100% of all Blu-ray players run Java
  • 1.4 billion Java Cards are manufactured each year
  • Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

To see places of Java in Action in your daily life, explore java.com.

The bold on the bullet list above is mine.

Oracle really needs to wake up now before they totally destroy the great reputation that Sun Microsystems had when they conceived and built so much with Java. And all for nothing!

Trust is a terrible thing to waste.

 

 

Java flaws already included in Blackhole exploit kit within 12 hours

Java flaws already included in Blackhole exploit kit, Oracle was informed of vulnerabilities in April – Sophos Naked Security

It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.

Brian Krebs was first to mention having heard that CVE 2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later.

And this about Macs in particular:

Some have asked if Mac users are at risk from the CVE 2012-4681 exploit and the answer is “Maybe.” The version officially distributed by Apple is Java 6, which is not vulnerable.

Interesting that an older version is not vulnerable to this particular zero day exploit. But if users of Lion and Mountain Lion have installed Java 7 directly from  Oracle’s Java.com site (which is the only way to even get Java on Lion and Mountain Lion), then they are vulnerable.

And of course, Windows and Linux/UNIX/BSD are all vulnerable as well if Java 7 has been installed.

Soon Twitter users were tweeting that Mac users were being attacked, but that the malware apparently on the blackhole server is serving Windows malware. Gives Mac users a reprieve to get their Java updated … if they installed it at all.

What is really sad is that Oracle was made aware of this vulnerability back in April and didn’t fix it in a timely manner.

Thankfully Firefox and Google Chrome will disable or at least not automatically run Java if it’s outdated. Other browsers (Internet Explorer, Opera, etc.) should be doing the same thing.

Java 7 ‘super dangerous’ vulnerability

There is a recently discovered ‘super dangerous’ vulnerability in Java 7.

This vulnerability affects all Java 7 users; whether they run a version of Windows, or using a Mac, or an Opensource Linux operating system:

Macs at risk from ‘super dangerous’ Java zero-day – Computerworld:

Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.

The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.

I think the reason they have singled out Mac users in the article is that most Windows users if they have a recent version of Java installed will get upgrade notifications from Oracle’s Java. Where many Mac users until Lion had Java being updated (albeit late) by Apple. Now they are responsible to keep it updated on Lion IF they decide to install Java manually themselves. Lion and Mountain Lion do not come with Java installed by default. But if you do have it installed on your Mac:

Maynor said he was able to trigger the vulnerability with the Metasploit code in both Firefox 14 and Safari 6 on OS X 10.8, better known as Mountain Lion.

These exploits are mainly aimed at Windows users, but Macs are becoming more and more popular because overall they have less issues than Windows for viruses, etc.

But browser exploits are a bain for all computer users. And we have to keep our plugins updated to stay one step ahead.

If you are using Firefox, there is a page you can go to where you can check to see if your plugins can be checked to make sure you are up to date:

Firefox Check Plugins page

Interestingly that Check Plugins page also seems to work pretty well on Google Chrome’s browser as well. Just remember that if it tells you Flash is outdated, Google Chrome will be updating that for you on their next update.

Looks like I am off for a new Flash update… see ya next time.

Don’t lose your Internet on Monday – Use the DNSChanger check tool

Internet will vanish Monday for 300,000 infected computers – Computerworld

It’s not just consumer PCs and Macs — DNSChanger was equal-opportunity malware — that remain infected, but also corporate computers and systems at government agencies, said Tacoma, Wash.-based Internet Identity (IID), which has been monitoring cleanup efforts.

Last week, IID said that its scans showed 12% of Fortune 500 firms, or about one out of every eight, harbored DNSChanger-compromised computers or routers. And two out of 55 scanned U.S. government departments or agencies — or 3.6% — also had failed to scrub all their PCs and Macs.

According to the article, the numbers are down though, back in January, the numbers were still 50%!

Without the server substitutions, DNS Changer-infected systems would have been immediately severed from the Internet.

Yesterday, U.S. District Court Judge Denis Cote extended the deadline for shutting down the replacement servers by four months, from March 8 — this Thursday — to July 9, 2012.

Well, now the deadline is coming up again. Monday, July 9, 2012 they will be turning off the safe substitute go-between servers and anyone who still has DNS Changer-infected systems at that time, will be severed from the Internet on Monday.

Checking is pretty easy and generally will determine if you have a DNSChanger infected system. The DNSChanger Working Group (DCWG), a volunteer organization of security professionals and companies has provided a great way to do just that.

You can go directly to their site Detect Help Guide page with the DNSChanger Detect Tool pages:

http://www.dcwg.org/detect/

You will find lists of servers in various languages there and some information about their checker and what it does. One of the English servers available to provide the DNS Changer Check-Up are:

http://www.dns-ok.us/

You should get the following response if your computer does NOT have DNSChanger or other malware that changes your DNS Servers on your computer:

DNS Changer Check - DCWG - Source: Computerworld

DNS Changer Check – DCWG – Source: Computerworld

In case it is too small to read, at the bottom of the DNS Resolution – GREEN image, it says the following:

Had your computer been infected with DNS changer malware you would have seen a red background. Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected. For additional information regarding the DNS changer malware, please visit the FBI’s website at:
http://www.fbi.gov/news/stories/2011/november/malware_110911

BOLD emphasis mine.

DNSChanger check tool: Malware infection could cause internet loss Monday, FBI responds – WPTV.com

The WPTV.com article goes a step further and also lists some additional help locations for malware removers, etc.

If your computer is infected, click here to learn how to get rid of the infection: http://www.dcwg.org/fix

The following sites can also help you with free or low-cost products to check and fix your computer if it’s infected:

· Microsoft Safety Scanner – http://www.microsoft.com/security/scanner/en-us/default.aspx

· Kaspersky Labs TDSSKiller – http://support.kaspersky.com/faq/?qid=208283363

· McAfee Stinger – http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

· Hitman Pro (32bit & 64bit versions) – http://www.surfright.nl/en/products/

· Norton Power Eraser – http://security.symantec.com/nbrt/npe.aspx

· Trend Micro Housecall – http://housecall.trendmicro.com

· MacScan – http://macscan.securemac.com/

· Avira – http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

If you are still concerned that you might lose Internet come Monday, you can use one of the above products to determine if you are infected with the DNSChanger or other malware.

Or just wait till Monday and see, and if you lose Internet, you can use one or more of the products, at that time, or call your computer specialist to help you remove it. With only a few hundred thousand computers still being infected, you could be infected, but chances are, you are not.

Also, without actually running one or more of the programs listed to determine if you are infected, and because the government’s substitute DNS Changer servers are currently in place until Monday, you may not be able to even tell if you are infected from the detect tool alone.

EDIT NOTE: It couldn’t hurt to have a copy of the downloadable antimalware programs and update/run them before Monday: such as McAfee Stinger or Kaspersky’s TDDSKiller just in case — BEFORE they turn off the substitute safe DNS servers. What’s the logic in that? If it turns out you are infected (albeit unlikely), you may not be able to get to the sites to get these antimalware tools later. Of course come Monday, any online tools listed, like Trend Micro’s Housecall and any other online tools would not be available if your computer turns out to be infected and loses Internet.