Users urged to disable Java as new exploit emerges

This is an article in the Register this morning, just how much of a threat it is I do not know. Anyway if your concerned please read the article.

Users urged to disable Java as new exploit emerges

All operating systems, browsers vulnerable

http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/

Oracle Java 7 Update 6, and possibly other versions, allows remote attackers
to execute arbitrary code via a crafted applet, as exploited in the wild in
August 2012 using Gondzz.class and Gondvv.class.

Another article!

Unpatched Java exploit spreads like wildfire

http://nakedsecurity.sophos.com/2012/08/28/unpatched-java-exploit-spreads-like-wildfire/

More in this article!

http://www.f-secure.com/weblog/archives/00002414.html

 

Hi a bit more info on this subject going around at the moment!


Security experts warn that the damage may only get worse because the exploit code is both reliable and available.


1. The number of attacks, still low at this point, appear to install the Poison Ivy Remote Access Trojan.


2. One main problem is there is usually a delay in issuing Java patches. Add that to the quick circulation of the exploit code and you're likely to get many more attackers exploiting the vulnerability.


3. Members of security company Rapid7 say they've already developed on exploit against Windows 7 and are currently testing it against a number of internet browsers and OS's. They suggest users disable Java until a patch is released.


4. KrebsonSecurity reporter Brian Krebs suggests the exploit will also roll into the BlackHole exploit kit and also suggests disabling or uninstalling Java for the time being.


5. The next scheduled Java patch isn't until mid October and Oracle has yet to comment on the reports or a scheduled fix.


There is a strong possibility this only affects Java 7, so apart from disabling Java
altogether, a possible fix is to revert back to Java 6 until there's an update fix.

This Trojan has been around since 2005 so unless it's been modified it should be easy enough to find remove.

Any thoughts? Regards, Ian.

 

New Update

Java 7 Update 7 released this morning. Presumably this will fix the security issue with Update 6.

 

Cheers I know already but not going to update yet I rolled back to v 6 yesterday on three machines v6 is patched and secure, well as much as Java's software can be.

Amazing that Oracle new about the problem for six weeks and did nothing!

Saw an ruski add for the infection tool today, the yanks and others have been hit with it,

I suppose in some cases we're lucky some other country gets hit first so we get a bit of warning'

Another Kuwait company having trouble, think It's the same virus that took out the oil company!

Anyway thanks for the reply. Regards ,Ian.

 

I've updated to Java 7 update 7 on my x64 & x86 machines. I need Java for various programs that I run (& need). Java & Adobe flash are probably the Achilles' Heels on Windows.

I also managed to avoid the Ask Toolbar!

 

To me that makes you even more vunerable than before you rolled back.

 

Is your Java exploitable?

 

It is likely they were working frantically to come up with a fix but keeping silent to prevent more and more badguys (and wannabes) from learning about it and exploiting it.

It is proper security procedure to NEVER announce a weakness until it is fixed.

Odd that Secunia PSI has yet to yell at me about this - even after forcing a manual scan.

Before installing this new version, note the Java FAQ page that says to first (their red)

 

Secinoa has problems also. I have seen it several times where it failed to notifiy me of updates. I usually see them posted on a message board before it tells me also. It has been telling your for a while now to uninstall older versions before installing the new version.

 

And I think that is sad. I fail to understand how or why the programmers have yet to code the installation program to first detect previous versions, then uninstall them if necessary before installing the newer version. There are many programs that do that already.

I feel it is lazy programming.

 

I have not uninstalled the old ones in probably the last couple of years. It does it automatically. It didn't for years before, but does now. Try it next time. I didn't uninstall the 7.5 and the 7.7 took care of it.

 

Sadly, it is not consistent and you can run JavaRA to see that for yourself as remnants of older versions are typically left behind.

 

Just got a notice on 2 of my XP machines for the update. Downloaded with
no problems.

 

Well I ran JavaRA first, then ran the update - also with no problems.

 

"Java is insecure & awful" ~ You've got no argument from me there!

I have updated Java 7 u7, as I stated earlier. However, on my 32 bit Vista notebook I have Java FX2.1.1, which must have installed when I upgraded Java 6 to Java 7. When I have tried to update this to FX2.2 I get an unauthorised access warning (see jpeg). I have 'agreed' to the OTN licence term but I still seem to get the page.

Do I need Java FX2.2 (or 2.1.1 for that matter) at all? I'm not really sure what it actually is or does.