
Oracle releases new Java update to close security holes


10 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:15 AM

Posted 14 January 2013 - 09:36 AM

Oracle has released an update that fixes the widely publicized security hole in their Java software. This update brings Java to version 7 Update 11 and fixes two security holes found in previous versions of the software that affected Java running in web browsers. This update also changes the default Java Security Level from Medium to High. With Java being set to High, Java will always prompt you as to whether you want to run an unsigned Java applet or a Java Web Start application.

As the security hole being patched is currently in use by various Crime Kits to exploit and access your computer, it is imperative that all users install this update. To install the update, please uninstall all versions of Java by using the Windows Add or Remove Programs or Uninstall Programs control panel. Then install version 7 update 11 using the following link associated with the bit-type of Windows you are using:

Windows Offline Java Installer (32-bit)
Windows Offline Java Installer (64-bit)

If you are using a 64-bit version of Windows and use both 32-bit and 64-bit web browsers, then you will need to install both versions. If you are on a 32-bit version of Windows or only use 32-bit web browsers, then you only need to install the 32-bit file.
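
To check a machine against the steps in the post above, the following PowerShell sketch lists installed Java runtimes in both the native and the 32-bit (WOW6432Node) registry views and flags any older than Java 7 Update 11. It is an added example, not part of the original post or any Oracle tool; the display-name pattern and the function name `ConvertTo-JavaVersion` are assumptions made for illustration.

```powershell
# Added example: inventory installed Java runtimes and flag anything older
# than Java 7 Update 11, the release named in the post above.
$minimum = New-Object System.Version -ArgumentList 7, 0, 11

# On 64-bit Windows, 32-bit installs are registered under WOW6432Node,
# so both views must be read to see every installed runtime.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-JavaVersion {
    param([string]$DisplayName)
    # Assumed name format: "Java 7 Update 10" or "Java(TM) 6 Update 37 (64-bit)".
    if ($DisplayName -match '^Java(?:\(TM\))? (\d+)(?: Update (\d+))?') {
        $major  = [int]$Matches[1]
        $update = 0                       # a name without "Update N" is the base release
        if ($Matches[2]) { $update = [int]$Matches[2] }
        return New-Object System.Version -ArgumentList $major, 0, $update
    }
    return $null                          # not a Java runtime entry
}

$found = foreach ($key in $uninstallKeys) {
    $view = 'native'
    if ($key -like '*WOW6432Node*') { $view = '32-bit' }

    # The WOW6432Node path does not exist on 32-bit Windows; ignore that error.
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $version = ConvertTo-JavaVersion $_.DisplayName
            if ($version) {
                New-Object PSObject -Property @{
                    Name     = $_.DisplayName
                    View     = $view
                    Outdated = ($version -lt $minimum)
                }
            }
        }
}

$found | Format-Table Name, View, Outdated -AutoSize
```

Any row with `Outdated` set to `True` is a runtime that the post says to uninstall before installing version 7 update 11.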




#2 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:02:15 AM

Posted 14 January 2013 - 10:03 AM

Thank you for confirming, :thumbup2:

Edited by Union_Thug, 15 January 2013 - 03:15 AM.


#3 omega84

omega84

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:15 PM

Posted 15 January 2013 - 02:16 AM

Honestly can I ever trust Java again? When was the exploit discovered? September? It has been several months of waiting for a patch or even a hotfix and they just now close the hole? I have been struggling like mad to remove Java off all my customers' and clients' computers. Hopefully with the push for HTML5 and other more secure platforms Java will no longer be necessary. Thanks for the info.

Edited by omega84, 15 January 2013 - 02:16 AM.


#4 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:02:15 AM

Posted 15 January 2013 - 03:29 AM

>>>When was the exploit discovered? September? It has been several months of waiting for a patch...<<<

I believe one of the bugs (there were 2 in this particular exploit) was originally disclosed in August and Oracle issued a "patch" in October. Obviously it got... unpatched somehow. :whistle:

>>>Honestly can I ever trust Java again?<<<

I think we all know the answer or is that a rhetorical question?

>>>Hopefully with the push for HTML5 and other more secure platforms Java will no longer be necessary.<<<

No argument here.

#5 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:01:15 AM

Posted 15 January 2013 - 06:31 AM

If you have not uninstalled Java, then it would automatically update itself.

BTW, the new update seems not to be good enough for American security experts.
http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story

#6 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:02:15 AM

Posted 15 January 2013 - 06:38 AM

Brian Krebs continues to advise people to remove Java unless you find you absolutely need it, then use a "2 browser solution": one with, one without.

Edit: One of the first things I do after updating manually is to disable the auto updater & disable the jusched.exe (SP?) Run key in the registry using Autoruns.

Edited by Union_Thug, 15 January 2013 - 06:44 AM.


#7 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:06:15 AM

Posted 16 January 2013 - 04:06 PM

BBC article
Title: "Java still contains security flaws, experts claim"
Link: http://www.bbc.co.uk/news/technology-21011669

Oracle issued an emergency update to its widely-used Java web software on Sunday, but experts say it still contains security flaws.


Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"

I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:15 AM

Posted 16 January 2013 - 06:29 PM

It would seem those experts were right, apparently the next 0-day is already there: http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#9 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:02:15 AM

Posted 16 January 2013 - 06:40 PM

self delete

Edited by Union_Thug, 16 January 2013 - 08:28 PM.


#10 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:01:15 AM

Posted 16 January 2013 - 11:17 PM

Nothing can be said at this point. PoC or exploit code is not available.
More coffee for Oracle Java developers :)

#11 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:02:15 AM

Posted 18 January 2013 - 11:20 PM

Yet another vulnerability...

Researchers find critical vulnerabilities in Java 7 Update 11

http://podcasts.infoworld.com/d/security/researchers-find-critical-vulnerabilities-in-java-7-update-11-211150?_kip_ipx=502702245-1358568875&source=rss_security

Researchers from Security Explorations, a Poland-based vulnerability research firm, claim to have found two new vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software's security sandbox and execute arbitrary code on computers.

Oracle released Java 7 Update 11 last Sunday as an emergency security update in order to block a zero-day exploit used by cybercriminals to infect computers with malware.

Security Explorations successfully confirmed that a complete Java security sandbox bypass can still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities discovered by the company's researchers, Adam Gowdiak, the company's founder, said Friday in a message sent to the Full Disclosure mailing list. The vulnerabilities were reported to Oracle on Friday, together with working proof-of-concept exploit code, he said.

According to Security Explorations' disclosure policy, technical details about the vulnerabilities will not be publicly disclosed until the vendor issues a patch.


Edited by Union_Thug, 18 January 2013 - 11:22 PM.




