Newest Java Update Fails to Protect Against Biggest Threat
Java vulnerabilities are still the number one exploit path for compromising endpoints in an enterprise, and the latest release on Wednesday still doesn't fix everything. Unless you are running Invincea, a browser and system wrapper that prevents local exploitation, you would be better off uninstalling Java for now.
From the Reg here:
Apple released a Java update on Wednesday but it does not tackle a high-profile flaw that has become the target of attacks over recent weeks.
Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 offer patched versions of Java for OS X Lion and Mountain Lion systems that tackle CVE-2012-0547. But this is a different beastie from the CVE-2012-4681 megabug currently stalking Java users, KrebsOnSecurity reports.
Oracle patched the CVE-2012-4681 megabug with an update to its vulnerable Java Runtime Environment (JRE) 1.7 last week. However Security Explorations, the firm that originally found the flaw, warned that the patch issued by Oracle was itself buggy, without going into details. Even the original flaw dates from April but people only really stood up and took notice after exploits began circulating, around two weeks ago.
The most straightforward advice in the midst of this confusion is for users to uninstall Java, or at minimum disable Java-related browser plugins.
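The Register's advice above comes down to patching, uninstalling, or disabling the plugin. The following script is an added example, not code from this post or from The Register: it parses `java -version` output and flags a JRE 1.7 build that predates Oracle's fix for CVE-2012-4681. The fixed level, Java 7 Update 7, is taken from Oracle's release and is an assumption here, since the page only says "JRE 1.7".

```python
"""Check whether an installed JRE predates Oracle's fix for CVE-2012-4681.

Added example, not part of the original post. The version string format
("1.7.0_06") is Oracle's; the fixed level (Java 7 Update 7) is not stated
on the page and is assumed from the vendor's own release.
"""
import re
import subprocess

# Assumption: the first JRE 1.7 build that contains the CVE-2012-4681 fix.
FIXED_LEVEL = (1, 7, 0, 7)

# Matches the quoted token in the banner line: java version "1.7.0_06"
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, micro, update) from `java -version` output, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_vulnerable(version):
    """True for any 1.7.x JRE below the fixed update level.

    JRE 1.6 builds are not affected by this CVE and are reported as not
    vulnerable; they carry other issues and need separate evaluation. This
    only confirms the vendor patch level, which the post notes may itself
    be incomplete.
    """
    if version is None:
        return False  # no JRE found: nothing for the exploit to reach
    if version[:2] != (1, 7):
        return False
    return version < FIXED_LEVEL


def check_local_java():
    """Run `java -version` (it prints to stderr) and report on the local JRE."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None, False
    version = parse_java_version(proc.stderr)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    ver, vuln = check_local_java()
    print("JRE:", ver, "below CVE-2012-4681 fix level:", vuln)
```

A result of `None` means no `java` binary was on the PATH; a browser plugin can still be present, so pair this with a plugin inventory.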
And what the hell is up with Java always trying to install some third party app? At one point Java tried to install Carbonite online backup. Today it tried to install the Ask toolbar, like another browser helper object is something people are clamoring for? Is Oracle really just sponsoring and monetizing their own security flaws?
Every new Java update attempts to saddle my browser with the lame ASK TOOLBAR. Makes me think ASK is sponsoring all Java flaws!
— Dr. Jones (@BelchSpeak) September 6, 2012
This entry was posted by Dr. Jones on September 6, 2012 at 12:07 pm, and is filed under Cyber.