Java 7 update 11 security patch fixes nothing:
http://betanews.com/2013/01/14/java-7-update-11-security-patch-fixes-nothing/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed+-+bn+-+Betanews+Full+Content+Feed+-+BN
Oracle has issued an emergency fix for its cross-platform Java software. 
Java 7 update 11 for Windows, Mac and Linux, and Java 7 Update 11 64-bit for 
64-bit versions of Windows and Linux, aims to plug a number of alarming 
security holes that were being used for phishing attacks and other crimeware.

While update 11 should be considered an essential update for all Java users, 
researchers have warned that the new build is little more than a sticking 
plaster for the problem, and recommend users actually disable Java from running 
inside web browsers.

Update 11 specifically acts on a Java exploit in web browsers that the US 
Department of Homeland Security warned is being "actively exploited" 
by malware. This allows code to be executed outside of Java's sandbox, allowing 
keyloggers and botnet code to be distributed through the Java exploit.


The update basically sets Java's default security settings to "High", which 
means all code from unknown sources will be flagged before running on the 
user's say-so.

Researchers warn that despite this new setting, the security can be bypassed by 
hackers able to mask their code through "social engineering", which allows them 
to mask its true origins and claim to be from a trusted source, encouraging 
users to accept the code even though it's been flagged.

As a result, the Department of Homeland Security's Computer Emergency Readiness 
Team has recommended users should actually disable Java from running in web 
browsers -- even after applying the latest update. The warning is echoed by 
other experts, including Rapid 7 and Polish company Security Explorations.

At the present time, Mac OS X disables Java browser plug-ins by default, while 
Firefox has implemented click-to-play protection on recent updates (but not for 
this newer build). Users of other web browsers and OSes should check their 
browser's add-on settings and - if wishing to follow the recommended advice - 
disable Java manually.

In the meantime, Java 7 Update 11 32-bit and Java 7 Update 11 64-bit are both 
available as free downloads for Windows, Mac and Linux.



Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]


-----Original Message-----
From: Kennedy, Jim [mailto:[email protected]] 
Sent: Monday, January 14, 2013 10:50 AM
To: NT System Admin Issues
Subject: RE: Java 7 0day actively exploited in the wild | BeyondTrust

They bumped the security settings up. It prompts every time now.

-----Original Message-----
From: Richard McClary [mailto:[email protected]] 
Sent: Monday, January 14, 2013 9:32 AM
To: NT System Admin Issues
Subject: RE: Java 7 0day actively exploited in the wild | BeyondTrust

Wonder if there's a negative-one-day exploit?

Thanks, though, just now got through doing a bunch of JRE upgrades.

-----Original Message-----
From: Kennedy, Jim [mailto:[email protected]] 
Sent: Monday, January 14, 2013 8:22 AM
To: NT System Admin Issues
Subject: RE: Java 7 0day actively exploited in the wild | BeyondTrust

Java released update 11 last night.

-----Original Message-----
From: Kennedy, Jim [mailto:[email protected]] 
Sent: Friday, January 11, 2013 2:36 PM
To: NT System Admin Issues
Subject: RE: Java 7 0day actively exploited in the wild | BeyondTrust



http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/

________________________________________
From: Mark Boeck [[email protected]]
Sent: Friday, January 11, 2013 12:15 PM
To: NT System Admin Issues
Subject: Re: Java 7 0day actively exploited in the wild | BeyondTrust

lol - a friend of mine, a Microsoft security MVP, starts her blog off like this:
how to uninstall Java!
http://securitygarden.blogspot.com/2013/01/java-zero-day-again-time-to.html
only after that does she post some links about the threat



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin












The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and 
is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof.
