Monday, August 27, 2012

Don't Use Current Java!
New Zero-Day Java Exploits
Are In-The-Wild


[UPDATE #3 ! - 2012-09-01]

Yes, the newly patched version of Java '7', v1.7 Update 7, has yet-another zero-day security hole!!!

This is unbelievable. 

Some people out there are:

1) Out to kill Java via malware.
2) Out to kill Java via crap coding.

Take your pick.

Read it and weep for poor, insecure, creaky old Java, the programming language that couldn't catch a break.

Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday....
Security Explorations founder and CEO Adam Gowdiak was able to confirm that the defect does affect Java SE 7 Update 7, which Oracle released this week as a rare out-of-band patch.... 
As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems. 
Unlike the earlier vulnerabilities, no known exploit of the new flaw has yet been found in the wild, but Gowdiak says he included proof-of-concept code with the report to demonstrate that an exploit is indeed possible....
For the time being, given the apparent similarity of this flaw to the ones previously reported, users are advised to either disable Java in their browsers or uninstall it completely to avoid falling prey to any future exploits. 
Bolding and italics are mine, added for emphasis.

You know the drill.
or never install it in the first place.

If you MUST use Java, at this point the only safe version is the last one provided via Apple for OS X 10.7 and 10.8, version 1.6.0 33-b03-424. Otherwise, forget about using Java on the Internet until further notice.

After reviewing the current data, including CVE-2012-4681, I know of NO safe version of Java "6" or Java "7" available. That INCLUDES Apple's last Java update, v1.6 Update 33! Maybe Java 6 Update 35, recently provided by Oracle, is safe. But that is not-at-all clear. We're going to have to wait for more details about this latest zero-day discovery. Most certainly, there is no safe version of Java "7" at this time.

When more of this saga is revealed, I promise to break it out into a separate article.

Hey Oracle: Can we have a rest now? Please?


[UPDATE #2 ! - 2012-08-31]

Oracle has released a newer version of Java for OS X than the nasty, security hole riddled version noted below. This update theoretically patches the current zero-day exploits. Note that this is NOT an Apple update to Java. Apple is no longer supporting or installing Java. Oracle is now the sole source.

Bad Java = Java "7", version 1.7 Update 6.
New Java = Java "7", version 1.7 Update 7.

NOTE: Nothing indicates that New Java Update 7 is going to be any more secure than Bad Java Update 6, which was even less secure than Bad Java Update 5.

Just Say No To Java.

IMHO Oracle has turned the Java project into a dangerous mess. We can no longer expect any future version of Java to be secure. That dream era is over. You have been warned.

If you just gotta install the latest Oracle version of Java for OS X, you will find it here:

Download Java for Mac OS X


[UPDATE #1 ! - 2012-08-29]

A second zero-day security hole has been discovered in the current version of Java! Read all about it:

Second Java zero-day exploit uncovered

“The beauty of this bug class is that it provides 100 percent reliability and is multiplatform,” Esteban Guillardoy, a developer at Immunity, said Tuesday in announcing the discovery of the second bug. “Hence this will shortly become the penetration test Swiss knife for the next couple of years.” 
Users of Java, which is installed in billions of devices worldwide, are notorious for not staying up to date with patches. Rapid7 estimates that 65 percent of the installations today are unpatched. However, this time around, people with the latest version of Java were the ones most open to attack.

Turn Java OFF on your Macs. Just leave it that way until or unless it's absolutely required. That is the future of Java on ALL computer platforms, not just Macs. Java used to be heralded as 'secure!' So long to that vacuous dream.

I suspect there are more Java fun and games yet to come. I'll post as I learn about them.


Extra! Extra!

Hopefully you've figured out that Java is now just another source of 3rd party security holes. Java is NOT secure. Java is now the single most dangerous 3rd party software you can run on your Mac. So Don't Use Java!

The latest, current version of Java, on any platform, has a new zero-day exploit that is already being exploited in the wild. Turn Java OFF!

Here is Intego's coverage of the story, as of today:

The exploit in all major browsers and appears to work on some versions of Linux, OS X 10.7 and higher, as well as Windows, if you’re using the latest version of Java.... At this time there is no patch available for this exploit, so it’s highly recommend that you disable Java until this vulnerability has been fixed.

If/when this exploit is discovered to be used against Macs, I will post here. For now, don't take any chances: Leave Java disabled!

As a reminder: If you ever chose to install Java at all, you can TURN OFF Java on the Internet using the Java Preferences app you'll find in your Utilities folder. An illustration is below. If you are running OS X 10.8+, you may find Java has already been turned off for you. This is now a function of OS X whereby it automatically turns off the Java plug-in if you have not used it recently.

Of course, some websites demand the use of Java. In those cases only, go into the Java Preferences and turn it on, then reload the page requiring Java. I highly recommend leaving the Java Preferences app open and running until you decide to leave that website in order to remind you to turn Java OFF again!

Stay safe! And be sure your backups, both on and off site, are up-to-date.


No comments:

Post a Comment