Oracle Fixes Java; Fed Warning Remains

Tuesday, January 15, 2013 @ 03:01 PM gHale

Oracle Corp. released a fix for the Zero Day flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security (DHS) last week.

However, even after issuing the patch, DHS still said users disable Java in their Web browsers.

Ransomware Uses Java Zero Day
Java Zero Day Exploits Ready to Go
Adobe Fixes Acrobat, Reader, Flash
Malware Targets Java HTTP Servers

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” DHS said Monday in an updated alert published on the website of its Computer Emergency Readiness Team. “To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available.”

The alert follows the department’s warning Thursday. Java allows programs to run within websites and powers some advertising networks. Users who disable Java may not be able to see portions of websites that display real-time data such as stock prices, graphical menus, weather updates and ads.

Exploit kits already included attacks against the vulnerability.

Java 7 released in 2011 and Oracle said installing its “Update 11” will fix the problem.

As mentioned security experts said special code jumping on the vulnerability is available through Web exploit packs.

The packs, sold for upwards of $1,500 apiece, make complex hacker codes available to relative amateurs. This particular flaw even enables hackers to compromise legitimate websites by taking over ad networks. The end result is users end up redirected to malicious sites where damaging software can load onto their computers.

The sale of the packs means malware exploiting the security gap is “going to be spread across the Internet very quickly,” said Liam O’Murchu, a researcher with Symantec Corp. “If you have the opportunity to turn it off, you should.”

Oracle said it released two patches – to address the flaw highlighted by the government, as well as another flaw that the government said was “different but equally severe.”

As well, the patches set Java’s default security level to “high” so users will automatically get a prompt and given a chance to decline malicious software before it loads onto their computers.

Disabling Java completely in browsers has a similar effect, however. When websites appear without crucial functions, users can click a button to turn Java back on.

Making users aware when Java programs are about to install gives users a 50/50 chance of avoiding malware, said Kurt Baumgartner, a senior security researcher with Kaspersky Lab.

Leave a Reply

You must be logged in to post a comment.