Java 0-day exploit in circulation

Secunia rates this vulnerability as EXTREMELY CRITICAL http://secunia.com/advisories/51820 

from http://www.majorgeeks.com/story.php?id=37214

The latest Java version, Java 7 Update 10 contains a critical security
vulnerability which is reportedly already being used for large scale
cyberattacks...

Because the vulnerability, thanks to the various exploit kits, requires minimum
effort to exploit, it is reasonable to expect that the number of web sites
hosting the exploit is likely to rise exponentially over the next few days.
Simply visiting an infected web site is all that's required to fall victim to a
malware infection. The attack code may also be hosted on mainstream web sites...

Users who have Java installed on their computers should deactivate the Java
plugin in their browsers without delay.

I was one who totally quit Java, but I was not happy since my UPS program needs java to run. So I was stuck with a 30 min battery UPS that cut off after 2 mins if the power was out because I did not have control over the default Tripp.Lite battery timing.

Well this Java 7Up10 allows me run my UPS program and also give me the choice to disable any Java app from running while visiting web sites. When I check Complements in IE or Plugins in FF Java is nowhere to be found. Even WinPatrol can not detect Java.

Hopefully no 0-day exploit either :emotion-18:

For those who might be thinking this is just another "cry of wolf":  The U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw.

http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/

Apple and Mozilla - 'Just say no to Java'

Apple released an updated malware definition list for their XProtect pseudo-antivirus protection in OS X Snow Leopard and newer:  Instead of identifying a new virus, this updated definition temporarily disabled the Java Web Start browser plugin that enables Java applications to run inside of Safari/Firefox/Chrome.

Mozilla has added all current releases of Java to its add-on blocklist.  In Mozilla's announcement they explain that plugins on the blocklist are forced into utilizing Firefox's Click to Play functionality (which prevents "drive-by" attacks, unless the user expressly clicks on the plug-in to allow it).

http://nakedsecurity.sophos.com/2013/01/11/apple-and-mozilla-just-say-no-to-java/

Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs...

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents.

http://www.reuters.com/article/2013/01/13/us-usa-java-security-idUSBRE90B0EX20130113

Java 7 u11 was released.

http://www.oracle.com/technetwork/java/javase/downloads/index.html

Watch out for any toolbar offered while installing.

Added: still there is not much of assurance it will patch the whole.

http://news.cnet.com/8301-1009_3-57563730-83/oracle-releases-software-update-to-fix-java-vulnerability/

http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113

http://bits.blogs.nytimes.com/2013/01/13/u-s-agency-warns-of-java-software-problem/

Here is another article I ran into. Looks real serious.  

www.cpapracticeadvisor.com/.../updated-fix-for-java-security-flaw-available

Security experts on Java: Fixing zero-day exploit could take 'two years'

Amid growing concern over Java's security, Oracle released an emergency fix over the weekend. However, security professionals say that this measure doesn't go far enough.
http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/

Speaking of Adobe, when I check my programs and features page it shows that I have Adobe AIR, Flashplayer, and Reader. I have no idea how these applications work or what they do. Should I dump them? As of now, Java is history.

Flash is extremely common all over the web... it's typically what is used to display animations online.   Without Flash, you wouldn't be able to see these.   Odds are you DO use it.  So I would keep it... and be sure it's updated.

------------------

Adobe Reader is the "original" .pdf - file reader... it opens files with a .pdf [Portable Document File] extension.   It is a "standard" format, which is very commonly used.  for example, here's a link to a .pdf version of IRS Income Tax Form 1040:   http://www.irs.gov/pub/irs-pdf/f1040.pdf

Now, there are alteratives to Adobe Reader.   One is FoxIt Reader, and another is Sumatra.   Any one of the three will handle "most" .pdf files --- so you really need only one of these.   Perhaps Adobe Reader may handle some "extended/esoteric features" that the others don't... but I can't assert this definitively.   So to play it safe, I use Adobe Reader --- which is much less attack-prone since the release of version X (which protects itself by automatically "sandboxing" its files).   Joe and/or Red Dawn have used FoxIt and Sumatra, and can speak more about those.

-----------------

AIR is one of those "questionable things" --- it most likely was "bundled" (installed) along with another program [perhaps Reader].   I used to routinely uninstall it.   However, I recently came across [at least] one program on my system that requires AIR --- I found out "the hard way" when that program wouldn't run without AIR --- so I was forced to reinstall it.

We've had some questions here and there about disabling JavaScript as well because people think it is related. Some folks just went ahead and did it. :emotion-3:

Basically, JavaScript is a scripting language and is needed, but is different from Java programming that is often abused and is the one currently having so many issues with vulnerabilities. BillP (of WinPatrol) commented on that HERE.

Quote:
    "...Even if you have been super-diligent and installed the Java security patch released earlier this week for the serious security hole that allowed Java applets in your browser to do naughty stuff, you should still seriously consider whether it's sensible to have Java enabled in your browser at all..."
http://nakedsecurity.sophos.com/2013/01/15/disable-java-browsers-homeland-security/

Whether you decide to disable, update, or remove Java completely, please remember to remove ALL prior versions. We are still seeing old versions hanging around after updates. *If left on the system it may be possible for an attacker to exploit known bugs in the older versions.

For those who have/use Java:   If you're prompted to update your Java, make sure it's the real thing... and not a malware imposter:

http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

"The bad guys behind this threat [are] clearly piggybacking on the Java zero-day incident and users’ fears.  The use of fake software updates is an old social engineering tactic".

(Link c/o BB on FB)

PC Pitstop recommends unintalling Java now:   http://techtalk.pcpitstop.com/2013/01/16/uninstall-java-now/?rob-java

Remark:   I have been living withOUT Java for several years now.   Over that time, I've encountered one or two websites, and one program, which needed Java.   In all cases, I either found an alternative site/program that accomplished the same thing without Java... or deemed the site/program not sufficiently important that I expose myself to the abundance of exploits [known and yet-unknown] in Java.   I have never regretted this decision.

Yes, some of you may indeed find an important site or program that will force Java on you.   I've read several reports that some bank sites use it.   I'm willing to bet it more likely than not that these sites required JavaSCRIPT and NOT Java -- see (*) below.  All I can say is that I can access all of my bank, brokerage, and credit card sites withOUT using Java.

The bottom line is that you'll never know unless you try for yourself.   The simplest way is to disable Java (as explained in the article) and start surfing.   If you find you can do all of your routine work, then you probably don't need Java after all :emotion-1: .   If that's what you conclude, then it's even better to completely uninstall it.   And in the future, if you ever encounter a site [or program] that requires it, you can always reinstall Java then... IF you feel the necessity of that site overrides the security/exploit concerns.

(*) Finally, let me stress that Java is completely separate from the sound-alike JavaSCRIPT.   Yes, you DO need JavaSCRIPT for many websites you visits.   So by all means keep JavaSCRIPT enabled in your browsers.   But go ahead and see if you can live without Java.