Friday, January 11, 2013

Oracle leaves serious zero-day vulnerability in Java


Some computer security experts are encouraging users to disable Java if they don’t use or need it, because of an Oracle Java vulnerability left open since October 2012.

The report says that the Black Hole Exploit Kit and Cool Exploit Kit, used for distributing ransomware, both take advantage of the unfixed Oracle vulnerability.  The articles suggest that Oracle was negligent in the way it handled the problem in October.

There is a detailed technical story at TNW, “The Next Web”, here

Ars Technica has a detailed story by Dan Goodin here

CERT, at the Software Engineering Institute at Carnegie Mellon, has a report, Vulnerability Note 625617, saying that Java 7 fails to restrict access to privileged code, in a bulletin here

CERT is advising users to disable Java.

Infection could occur by visiting a deliberately crafted HTML document.

Softpedia has a story that suggests that Windows users are warned if they are executing unsafe code, link here.  There are reports that this problem is more serious in Mac and Unix environments.  Be careful where you surf.

Update: Jan. 12

Jim Finkle of Reuters reports that Oracle will supply a fix to Java "shortly".

Update: Jan. 15

Oracle supposedly completed a patch Sunday Jan. 13.  I have not yet seen any prompts or instructions to apply the fix myself.

Update: Feb 8

Oracle pushed a replacement Java engine on my main Windows 7 laptop as soon as I booted up after returning home.  It took about 5 min.  The next hard boot (Feb. 8) took a little longer than usual.
