redwolfe_98

Another Day, Another Java Exploit

Cyber-criminals are now using "fraudulent" certificates to bypass Java's new security features:

»arstechnica.com/security/2013/03···-attack/

By default, the widely used plugin doesn't check the status of digital certificates used to sign Java apps hosted on websites, Ars Technica has confirmed. As a result, Java presents certificates as trustworthy even when they've been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light on Tuesday when a legitimate site was found hosting a malicious app. Java presented an accompanying certificate as a trusted credential belonging to Texas-based Clearesult Consulting Inc. even though the firm had issuer GoDaddy revoke the certificate in December.
[...]
The failure to vet the status of certificates dilutes a key security protection Oracle recently added to Java. Starting in January, the default security configuration was set to "high," causing a browser to seek user permission before running unsigned apps. Since Java treats apps signed by a compromised certificate as trusted, there's the possibility that end users will receive no such prompt, a shortcoming that significantly diminishes the benefit of this important new measure.

related:

»threatpost.com/en_us/blogs/attac···g-030513
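As an added example (not code from the post, from Ars Technica or from Oracle), here is the step the plugin skipped, written in Python with the `cryptography` package: a small constructed CA issues a signer certificate and revokes it in a CRL, and a checker that consults the CRL rejects that signer while one that does not still accepts it. The issuer and signer names, serial numbers and the clock are assumed for the demo.

```python
# Added example (not code from the post or Ars Technica): a signer-certificate
# check that, unlike the plugin described above, consults the issuer's CRL.
# All keys, names, serials and the clock are constructed for the demo.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
NOW = datetime.datetime(2013, 3, 5)   # constructed "current time"
DAY = datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, pubkey, serial, signer_key):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(serial)
            .not_valid_before(NOW - 90 * DAY).not_valid_after(NOW + 275 * DAY)
            .sign(signer_key, hashes.SHA256()))

def make_ca():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = _name("Demo Issuer CA")
    return key, _cert(name, name, key.public_key(), 1, key)

def issue_signer(ca_key, ca_cert, serial):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _cert(_name("Demo Signer Inc"), ca_cert.subject, key.public_key(), serial, ca_key)

def build_crl(ca_key, ca_cert, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW - DAY).next_update(NOW + 7 * DAY))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s)
                                      .revocation_date(NOW - 60 * DAY).build())
    return b.sign(ca_key, hashes.SHA256())

def is_trusted(cert, ca_cert, crl=None, now=NOW):
    """Issuer, validity-window, signature and (when crl is given) revocation check."""
    if cert.issuer != ca_cert.subject or not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False
    try:  # the issuer's key must have produced the leaf signature
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False
    if crl is None:
        return True   # no revocation lookup: a revoked signer still passes, as in the article
    # fail closed on a CRL that is not from this issuer or whose signature does not verify
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return False
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
```

Passing `crl=None` mirrors the default behaviour the article describes; a real deployment would also fetch the CRL (or an OCSP response) from the issuer's distribution point and reject a CRL whose `next_update` has passed.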