jabarnut (Light Years Away) Premium Member join:2005-01-22 Galaxy M31
to StuartMW
Re: Warning: 0-Day vulnerability in Java 7
Ah, thanks, Stuart. Like I said, it's been a long day (not really myself). Well, I'm never really myself.
StuartMW
Premium Member
2012-Aug-30 3:25 pm
Yes, well, you're "Light Years Away".
jabarnut
Premium Member
2012-Aug-30 3:26 pm
Correct.
trparky Premium Member join:2000-05-24 Cleveland, OH
trparky
Premium Member
2012-Aug-30 3:41 pm
Guess that the guys behind Java had an "Oh shit!" moment and thought that maybe, just maybe, this deserved an out-of-band update contrary to their normal standard operating procedures.
jabarnut
Premium Member
2012-Aug-30 3:49 pm
I hear you... and their "standard operating procedures" were not too often, for sure. Glad they were on top of this one.
StuartMW
Premium Member
2012-Aug-30 4:06 pm
said by jabarnut: Glad they were on top of this one.
Hopefully someone here will "take one for the team" and will visit a known exploit site. Then we'll know for sure if Oracle "did good".
jabarnut
Premium Member
2012-Aug-30 4:21 pm
Excellent suggestion! And since you're the one who suggested it, you're elected.
StuartMW
Premium Member
2012-Aug-30 4:27 pm
Thank you for your kind offer, but I respectfully decline. For whatever reason there have been a ton of software/firmware updates (for software I use) today. It's been non-stop.
jabarnut
Premium Member
2012-Aug-30 4:30 pm
Lol.. no problem, Stuart. Hell, I don't want to test it either. I'll do what I usually do: just sit around and observe, and see if anyone else has problems in the near future.
StuartMW
Premium Member
2012-Aug-30 4:35 pm
Well, this old Lemming has seen others (and even tried when younger) "jump", but now prefers to watch the less wise do so.
mysec Premium Member join:2005-11-29
to jabarnut
said by jabarnut: Glad they were on top of this one.

Oracle knew about currently exploited Java vulnerabilities for months, researcher says
» www.techworld.com.au/art ··· er_says/

Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.

Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day -- unpatched -- vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said Wednesday via email.

According to a status report received on Aug. 23 from Oracle, the company was planning to fix the two vulnerabilities in its October Critical Patch Update (CPU), together with 17 other Java 7 flaws reported by Security Explorations, Gowdiak said.

Oracle releases security patches every four months. The last Java CPU was released in June and only addressed 3 of the security issues reported by the Polish security firm.

"Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don't know why Oracle left so many serious bugs for the Oct. CPU," Gowdiak said.

Oracle did not immediately return a request for comment regarding the vulnerability reports received from Security Explorations.

---- rich
mysec
to StuartMW
said by StuartMW: Hopefully someone here will "take one for the team" and will visit a known exploit site. Then we'll know for sure if Oracle "did good".

IMHO, a better test of my security would be to see if the protection in place would prevent the exploit from running, without a patch in place. If my security includes whitelisting plugins per site, then the exploit doesn't run if I am redirected to, or otherwise hit upon, a booby-trapped site that is not whitelisted. Below, the source code shows the malicious JAR file, but it can't execute if the plugin is not enabled, so the page just sits there and does nothing:

This is reinforced from that JAVA check site:

(Newer versions of browsers include the option to be notified any time a plugin is asked to run. This will alert to any attempt to exploit a plugin by remote code execution -- aka "drive-by".)

Finally, as another poster mentioned, these exploits download a binary executable file, so protection for that in place takes care of that possibility. Here, an old exploit against v.6:

I'm reminded of an article from almost 6 years ago now:

An Ounce of Prevention
» www.infosec.co.uk/Exhibi ··· tion.pdf

This approach [white listing] can effectively eliminate the need to patch in emergency mode. Malicious code by default is not on the white list which means that enterprises can rest assured that their exposed software vulnerabilities are safe from potential exploitation, enabling their IT staff to work proactively to develop scheduled patch deployments rather than being in a constant state of emergency.

---- rich
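The per-site plugin whitelisting that mysec describes above can be simulated against page source. The following is an added example written for this thread, not code posted by anyone in it: it parses an HTML page for the markup that would instantiate the Java plugin (`<applet>`, `<object>`/`<embed>` with a Java type or classid, and their `<param>` children), lists the JAR archives the page tries to load, and then applies a hypothetical per-site whitelist so that the applet is only allowed to run when the page's host is explicitly listed. The two sample pages and the whitelist entries (`intranet.example`, `bank.example`) are constructed for illustration; the booby-trapped page is shaped like a typical drive-by landing page with a 1x1 applet, and no real exploit is involved.

```python
"""Simulate click-to-play / per-site plugin whitelisting against page source.

Added example for this thread (not any poster's code). Sample HTML and the
whitelist below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Values that identify the Java plugin on <object>/<embed> (type / classid).
JAVA_MIME_PREFIXES = ("application/x-java-applet",
                      "application/x-java-bean",
                      "application/x-java-vm")
JAVA_CLSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"


def _looks_java(attrs):
    """True if a type or classid attribute names the Java plugin."""
    mime = attrs.get("type", "").lower()
    return mime.startswith(JAVA_MIME_PREFIXES) or attrs.get("classid", "").lower() == JAVA_CLSID


class PluginRequestParser(HTMLParser):
    """Collect every attempt in the page to instantiate the Java plugin."""

    def __init__(self):
        super().__init__()
        self.requests = []   # each: {"tag", "java", "archive", "code"}
        self._open = None    # pending <object>/<applet> while its <param>s are read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "applet":
            self._open = {"tag": tag, "java": True,
                          "archive": a.get("archive", ""), "code": a.get("code", "")}
        elif tag == "object":
            self._open = {"tag": tag, "java": _looks_java(a),
                          "archive": a.get("archive", ""), "code": a.get("code", "")}
        elif tag == "param" and self._open is not None:
            name, value = a.get("name", "").lower(), a.get("value", "")
            if name in ("archive", "code") and not self._open[name]:
                self._open[name] = value
            elif name == "type" and value.lower().startswith(JAVA_MIME_PREFIXES):
                self._open["java"] = True
        elif tag == "embed":
            self._record({"tag": tag, "java": _looks_java(a),
                          "archive": a.get("archive", ""), "code": a.get("code", "")})

    def handle_endtag(self, tag):
        if tag in ("applet", "object") and self._open is not None and self._open["tag"] == tag:
            self._record(self._open)
            self._open = None

    def _record(self, req):
        # A bare <object data="movie.swf"> is not a Java request; keep it only
        # when the plugin is named or applet code/archive is supplied.
        if req["java"] or req["code"] or req["archive"]:
            self.requests.append(req)


def host_whitelisted(page_url, whitelist):
    """Exact host or subdomain match; 'bank.example.evil.test' does NOT match 'bank.example'."""
    host = (urlparse(page_url).hostname or "").lower()
    return any(host == site or host.endswith("." + site) for site in whitelist)


def evaluate(page_url, html, java_whitelist):
    """Return what the page requests and whether the plugin would actually run."""
    parser = PluginRequestParser()
    parser.feed(html)
    parser.close()
    requested = bool(parser.requests)
    return {
        "host": (urlparse(page_url).hostname or "").lower(),
        "jars": sorted({r["archive"] for r in parser.requests if r["archive"]}),
        "plugin_requested": requested,
        "would_run": requested and host_whitelisted(page_url, java_whitelist),
    }


# Constructed whitelist (hypothetical hosts) and sample pages.
JAVA_WHITELIST = {"intranet.example", "bank.example"}

BOOBY_TRAP = """<html><body>
<applet code="Exploit.class" archive="Applet.jar" width="1" height="1">
  <param name="jnlp_href" value="launch.jnlp">
</applet>
</body></html>"""

SAFE_PAGE = """<html><body>
<object type="application/x-java-applet" width="300" height="200">
  <param name="code" value="Viewer.class">
  <param name="archive" value="viewer.jar">
</object>
<embed src="intro.swf" type="application/x-shockwave-flash">
</body></html>"""

if __name__ == "__main__":
    for url, page in (("http://bad.example/land.html", BOOBY_TRAP),
                      ("https://apps.bank.example/viewer", SAFE_PAGE)):
        print(url, evaluate(url, page, JAVA_WHITELIST))
```

The booby-trapped page is reported as requesting the plugin and naming `Applet.jar`, but `would_run` is false because `bad.example` is not whitelisted, which is exactly the "page just sits there" outcome described in the post; the same markup on a whitelisted host is allowed. The suffix check in `host_whitelisted` is deliberate: matching on `host.endswith(site)` alone would let a lookalike such as `bank.example.evil.test` inherit the whitelist entry.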