Oracle Corp. fixed a security flaw in the browser version of its Java software with an emergency update, but security experts are not happy. They say the new update still fails to protect PCs from attackers who exploit Java to steal credit-card numbers, banking credentials and passwords and to commit other computer crimes. Java was responsible for 50% of all cyberattacks in 2012, followed by Adobe Reader, which was involved in 28%. As you may remember, the U.S. Department of Homeland Security had advised users to temporarily disable Oracle's Java software in their browsers to avoid potential attacks. The vulnerability potentially put over 850 million PCs at risk.
The vulnerability was being exploited by a zero-day Trojan horse called Mal/JavaJar-B, which had already been identified attacking Windows, Linux and Unix systems and was being distributed through the "Blackhole" and "NuclearPack" exploit kits, making it far more convenient for attackers to use.
Oracle released a patch for the security hole and said on its security blog on Sunday that the update fixes two vulnerabilities in the version of Java 7 for web browsers. The company said it also switched Java's security setting to "High" by default, making it more difficult for suspicious programs to run on a personal computer without the user's knowledge. Eric Maurice, Oracle's Director of Software Security Assurance, wrote on one of Oracle's security blogs that the company's newest patch, Java 7 Update 11, mitigates not only CVE-2013-0422 but also CVE-2012-3174.
According to Oracle, the latter is an "easily-exploitable vulnerability [that] allows successful unauthenticated network attacks via multiple protocols," and a "successful attack of this vulnerability can result in unauthorised Operating System takeover, including arbitrary code execution."
According to Oracle's advisory: "The default security level for Java applets and web start applications has been increased from 'Medium' to 'High'. This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the 'High' setting the user is always warned before any unsigned application is run to prevent silent exploitation."
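As an added example, not taken from the article or from Oracle, the following POSIX shell script shows how an administrator could enforce the hardened setting the advisory describes in a Java 7 deployment.properties file, lock it so users cannot lower it again, and, following the DHS advice, disable the browser plug-in outright. The property names deployment.security.level (values LOW, MEDIUM, HIGH, VERY_HIGH in Java 7 Update 10 and later), deployment.webjava.enabled and the .locked suffix are the ones the Java 7 deployment code reads; the file path, the sample "before" contents and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check and harden a Java 7 deployment.properties file.
# Not from the article or from Oracle. The system-wide file location is
# an assumption (on Linux it is commonly /etc/.java/deployment/
# deployment.properties, referenced from deployment.config); pass the
# path you actually use as the first argument.

# Report the configured security level, or MEDIUM (the pre-7u11 default)
# when the key is absent or the file does not exist.
java_security_level() {
    level=$(grep -E '^deployment\.security\.level=' "$1" 2>/dev/null \
        | tail -n 1 | cut -d= -f2-)
    printf '%s\n' "${level:-MEDIUM}"
}

# Report whether the browser plug-in is enabled (deployment.webjava.enabled),
# defaulting to true when the key is absent, as Java does.
java_webjava_enabled() {
    enabled=$(grep -E '^deployment\.webjava\.enabled=' "$1" 2>/dev/null \
        | tail -n 1 | cut -d= -f2-)
    printf '%s\n' "${enabled:-true}"
}

# Rewrite the file so that the security level is HIGH (or the level given
# as $2), the plug-in is disabled, and both keys are locked. Every other
# property in the file is preserved. Weak levels are refused.
harden_java_deployment() {
    file=$1
    level=${2:-HIGH}
    case "$level" in
        HIGH|VERY_HIGH) ;;
        *) echo "refusing to set weak security level: $level" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    if [ -f "$file" ]; then
        # Drop any existing (possibly weaker or duplicate) copies of the
        # keys we manage, including their .locked lines; keep the rest.
        grep -vE '^deployment\.(security\.level|webjava\.enabled)(\.locked)?(=|$)' \
            "$file" > "$tmp" || true
    fi
    {
        cat "$tmp"
        echo "deployment.security.level=$level"
        echo "deployment.security.level.locked"
        echo "deployment.webjava.enabled=false"
        echo "deployment.webjava.enabled.locked"
    } > "$file"
    rm -f "$tmp"
}

# Demonstration on a constructed file so nothing on the real system changes.
demo=$(mktemp)
printf 'deployment.security.level=MEDIUM\ndeployment.expiration.check.enabled=true\n' > "$demo"
echo "before: level=$(java_security_level "$demo") webjava=$(java_webjava_enabled "$demo")"
harden_java_deployment "$demo"
echo "after:  level=$(java_security_level "$demo") webjava=$(java_webjava_enabled "$demo")"
cat "$demo"
rm -f "$demo"
```

Run it as root against the system-wide file (or per user against ~/.java/deployment/deployment.properties) after installing 7u11 or later; the .locked lines are what keep a user from quietly moving the slider back to Medium in the Java Control Panel, which the default change alone does not prevent.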
Adam Gowdiak, a Java security expert and researcher with Poland's Security Explorations, said: "It's nice that Oracle fixed this vulnerability so quickly, but I'll continue to advise readers to junk this program altogether unless they have a specific need for it. For one thing, Oracle tried (and failed) to fix this flaw in an earlier update. Also, it seems malware writers are constantly finding new zero-day vulnerabilities in Java, and I would not be surprised to see this zero-day situation repeat itself in a month or so. Also, most users who have Java installed can get by just fine without it (businesses often have mission-critical operations that rely on Java)."
The post Not happy with new Oracle updates to fix critical security vulnerability in its Java software appeared first on CEOWORLD Magazine.