dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
14

jabarnut
Light Years Away
Premium Member
join:2005-01-22
Galaxy M31

jabarnut to StuartMW

Premium Member

to StuartMW

Re: Warning: 0-Day vulnerability in Java 7

Ah, thanks, Stuart.
Like I said, it's been a long day. (Not really myself). Well, I'm never really myself.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

Yes well you're "Light Years Away"

jabarnut
Light Years Away
Premium Member
join:2005-01-22
Galaxy M31

jabarnut

Premium Member

Correct.

trparky
Premium Member
join:2000-05-24
Cleveland, OH

trparky

Premium Member

Guess that the guys behind Java had an "Oh shit!" moment and thought that maybe, just maybe, this deserved an out-of-band update contrary to their normal standard operating procedures.

jabarnut
Light Years Away
Premium Member
join:2005-01-22
Galaxy M31

1 edit

jabarnut

Premium Member

I hear you...and their "standard operating procedures" were not too often for sure.
Glad they were on top of this one.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by jabarnut:

Glad they were on top of this one.

Hopefully someone here will "take one for the team" and will visit a known exploit site. Then we'll know for sure if Oracle "did good".

jabarnut
Light Years Away
Premium Member
join:2005-01-22
Galaxy M31

jabarnut

Premium Member

Excellent suggestion! And since you're the one who suggested it, you're elected.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by jabarnut:

...you're elected.

Thank you for your kind offer but I respectfully decline

For whatever reason there have been a ton of software/firmware updates (for software I use) today. It's been non-stop.

jabarnut
Light Years Away
Premium Member
join:2005-01-22
Galaxy M31

jabarnut

Premium Member

Lol..no problem, Stuart. Hell, I don't want to test it either.
I'll do what I usually do. Just sit around and observe, and see if anyone else has problems in the near future.

StuartMW
Premium Member
join:2000-08-06

1 recommendation

StuartMW

Premium Member

Well this old Lemming has seen others (and even tried when younger) "jump" but now prefers to watch the less wise do so
mysec
Premium Member
join:2005-11-29

mysec to jabarnut

Premium Member

to jabarnut
said by jabarnut:

Glad they were on top of this one.


Oracle knew about currently exploited Java vulnerabilities for months, researcher says
»www.techworld.com.au/art ··· er_says/

Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.

Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day -- unpatched -- vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said Wednesday via email.

According to a status report received on Aug. 23 from Oracle, the company was planning to fix the two vulnerabilities in its October Critical Patch Update (CPU), together with 17 other Java 7 flaws reported by Security Explorations, Gowdiak said.

Oracle releases security patches every four months. The last Java CPU was released in June and only addressed 3 of the security issues reported by Polish security firm.

"Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don't know why Oracle left so many serious bugs for the Oct. CPU," Gowdiak said.

Oracle did not immediately return a request for comment regarding the vulnerability reports received from Security Explorations.



----
rich
mysec

mysec to StuartMW

Premium Member

to StuartMW
said by StuartMW:

Hopefully someone here will "take one for the team" and will visit a known exploit site. Then we'll know for sure if Oracle "did good".


IMHO, a better test of my security would be to see if protection in place would prevent the exploit from running, without a patch in place.

If my security includes whitelisting plugins per site, then the exploit doesn't run if I am redirected to, or otherwise hit upon a booby-trapped site not white listed.

Below, the source code shows the malicious JAR file but it can't execute if the plugin is not enabled, so the page just sits there and does nothing:




This is reinforced from that JAVA check site:




(Newer versions of browsers include the option to be notified anytime a plugin is asked to run. This will alert to any attempt to exploit a plugin by remote code execution -- aka "drive-by")

Finally, as another poster mentioned, these exploits download a binary executable file, so, protection for that in place takes care of that possibility. Here, an old exploit against v.6:




I'm reminded of an article from almost 6 years ago now:

An Ounce of Prevention
»www.infosec.co.uk/Exhibi ··· tion.pdf

This approach [white listing] can effectively eliminate the need to patch in emergency mode. Malicious code by default is not on the white list which means that enterprises can rest assured that their exposed software vulnerabilities are safe from potential exploitation, enabling their IT staff to work proactively to develop scheduled patch deployments rather than being in a constant state of emergency.




----
rich