About 3 billion devices worldwide are using Java, so why should you (or must you) kick it out of your systems until further notice?!
Most tech people and well-informed online users know by now about the critical Java flaw, the “new Java zero-day vulnerability,” which simply lets attackers reach your computer: a user gets infected just by browsing a malicious page or clicking a spam link, since most browsers have Java enabled by default.
The exploit targets a vulnerability in Java Version 7 Update 10 and earlier, so the DHS (Department of Homeland Security) published an alert on the United States Computer Emergency Readiness Team (US-CERT) website, which pushed Oracle to release a patch this week; you can find it here.
Cool? No, not yet, because the DHS then updated its alert, saying:
“Disable Java in web browsers. This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.”
CNET has contacted Oracle for comment and will update its report when it learns more. DailyDot wrote that the recent discovery of the Red October computer spying campaign has perhaps made the DHS even more sensitive to the possibilities of exploitation, given the wide penetration of Java, which is used on PCs and Apple machines as well as on mobile devices; as many as 100 million machines have been estimated to be at risk, which led Apple to block the Java 7 plug-in on OS X to address the widespread security threat.
Also, ZDNET reported that the Red October hackers used a Java exploit in their spy campaign.
So, why will fixing the Java flaw take so long? Oracle isn’t saying much, but the OpenJDK community has provided InfoWorld with a complete analysis — and a critique of Oracle’s patch:
“While Oracle’s quick fix appears to have broken the exploit chain in this instance, researchers fear that building another chain could be possible — and may already have happened within the shadows of the black-hat cracker community. They fear that no single developer has the overall knowledge of all of the subsystems involved to safely create a rapid fix, so it will take a process of experimentation stretching over many months to work out what must be re-engineered to make new exploit chains impossible. Oracle seems to agree: It has set the default security level in Java to “high,” just in case.”
Now, what to do? First, make sure you have Java Version 7 Update 11. Then turn off the Java Runtime in all of your browsers from inside the Java Control Panel (you can follow InfoWorld or NakedSecurity for step-by-step instructions to disable Java in each browser), and keep following the US-CERT updates. I also highly recommend reading their paper about securing your web browser, if you haven’t done so already!
Have you faced a recent issue related to Java? Do you have any other thoughts about this issue? Come on, share your view.
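As an added example (not from the post, from Oracle, or from US-CERT), here is a small Python check that turns those two steps into something you can script across machines: it parses `java -version` output to confirm the runtime is 7u11 or later, and reads the `deployment.webjava.enabled` key from the Java `deployment.properties` file, which is where the Control Panel's "Enable Java content in the browser" toggle is stored from Java 7u10 onward. The property name and file are assumptions about the Java 7 deployment configuration, and the sample inputs are constructed.

```python
import re

# Java 7 Update 11 is the patched release the post tells readers to install.
MIN_PATCHED = (7, 11)

# Constructed sample inputs, not captured from a real machine.
SAMPLE_VERSION_OUTPUT = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
SAMPLE_DEPLOYMENT_PROPERTIES = "#deployment.properties\ndeployment.webjava.enabled=true\n"

def parse_java_version(version_output):
    """(major, update) from `java -version` text, e.g. '1.7.0_10' -> (7, 10).
    Only the legacy 1.x.y_u scheme of Java 6/7/8 is handled; anything else -> None."""
    match = re.search(r'version "1\.(\d+)\.\d+_(\d+)"', version_output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))

def is_patched(version):
    """True for Java 7 Update 11 or newer (tuples compare major first, then update)."""
    return version >= MIN_PATCHED

def browser_plugin_enabled(properties_text):
    """Read deployment.webjava.enabled (assumed key behind the Control Panel's 'Enable Java
    content in the browser' box) from deployment.properties; a missing key means enabled."""
    for raw_line in properties_text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() != "false"
    return True

def assess(version_output, properties_text):
    """List the actions still outstanding for this host; empty when it is already safe."""
    findings = []
    version = parse_java_version(version_output)
    if version is None:
        findings.append("could not parse Java version; check manually")
    elif not is_patched(version):
        findings.append("Java %du%d is older than 7u11: update it" % version)
    if browser_plugin_enabled(properties_text):
        findings.append("browser plug-in is enabled: disable Java in browsers")
    return findings

if __name__ == "__main__":  # runs on the constructed samples; feed it real `java -version` stderr
    print("\n".join(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_DEPLOYMENT_PROPERTIES)))
```

Note that `java -version` writes its banner to stderr, not stdout, so capture that stream when you wire this into a real inventory script.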