{"id":1382,"date":"2013-03-15T10:26:00","date_gmt":"2013-03-15T14:26:00","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=1382"},"modified":"2013-03-15T10:26:00","modified_gmt":"2013-03-15T14:26:00","slug":"researchers-javas-security-problems-unlikely-to-be-resolved-soon","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/03\/15\/researchers-javas-security-problems-unlikely-to-be-resolved-soon\/","title":{"rendered":"Researchers: Java&#039;s security problems unlikely to be resolved soon"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2030778\/researchers-javas-security-problems-unlikely-to-be-resolved-soon.html\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/03\/java-logo-100027745-large.jpg\" \/><\/a><\/p>\n<p>Since the start of the year, hackers have been exploiting vulnerabilities in Java to carry out a string of attacks against companies including Microsoft, Apple, Facebook and Twitter, as well as home users. Oracle has made an effort to respond faster to the threats and to strengthen its Java software, but security experts say the attacks are unlikely to let up any time soon.<br \/>\nJust this week, security researchers said the hackers behind the recently uncovered MiniDuke cyberespionage campaign used Web-based exploits for Java and Internet Explorer 8, along with an Adobe Reader exploit, to compromise their targets. Last month, the MiniDuke malware infected 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries.<br \/>\nThe Java exploit used by MiniDuke targeted a vulnerability that hadn\u2019t been patched by Oracle at the time of the attacks, Kaspersky Lab said in a blog post. Vulnerabilities that are made public or exploited before a patch is released are known as zero-day vulnerabilities, several of which have been used in the attacks against Java this year.<br \/>\nIn February, software engineers from Microsoft, Apple, Facebook and Twitter had their work laptops infected with malware after visiting a community website for iOS developers that had been rigged with a Java zero-day exploit. The breaches were the result of a larger \u201cwatering hole\u201d attack launched from multiple websites that also affected government agencies and companies in other industries, The Security Ledger reported.<br \/>\nOracle has responded to the attacks by issuing two emergency security updates since the start of the year and accelerating the release of a scheduled patch. It has also raised the default setting of the security controls for Java applets to high, preventing Web-based Java applications from executing inside browsers without user confirmation.<br \/>\nSecurity experts say this is a good start but think more should be done to increase the adoption rate for updates and to improve the management of Java security controls in corporate environments. More importantly, they say, Oracle should thoroughly review its Java code to identify and fix the basic security issues. They believe Java would be more secure today if Oracle had listened to the security industry\u2019s warnings over the years.<br \/>\n\u201cIt\u2019s difficult to say what has been going on internally at Oracle for the past years, but based on an external impression I feel they could have reacted sooner,\u201d said Carsten Eiram, chief research officer at consulting firm Risk Based Security, via email. \u201cI\u2019m not sure Oracle really took the predictions of Java being the next major target seriously.\u201d<br \/>\nIt\u2019s unlikely Oracle could have prevented the recent attacks, he said, but it would be in a better position if it had acted sooner to secure its code and add more layers of security.<br \/>\n\u201cI think the current state of Java security is due to the fact that Sun pushed Java very strongly when they still owned it,\u201d said Costin Raiu, director of the global research and analysis team at Kaspersky Lab, via email. \u201cAfter Oracle purchased Java, perhaps little interest went into this project.\u201d<br \/>\nOracle acquired Java when it bought Sun Microsystems in 2010. The software is installed on 1.1 billion desktop computers worldwide, according to information at Java.com. Its widespread deployment and cross-platform nature make it an attractive target for hackers. Researchers at Security Explorations, a Polish vulnerability research firm, have found and reported 55 vulnerabilities in the Java runtimes maintained by Oracle, IBM and Apple over the past year, 36 of them in Oracle\u2019s version.<br \/>\nFull Story: <a href=\"http:\/\/www.pcworld.com\/article\/2030778\/researchers-javas-security-problems-unlikely-to-be-resolved-soon.html\" target=\"_blank\">Researchers: Java&#8217;s security problems unlikely to be resolved soon | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since the start of the year, hackers have been exploiting vulnerabilities in Java to carry out a string of attacks [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9],"tags":[341,583,1178],"class_list":["post-1382","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-exploit","tag-java","tag-vulnerability"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-mi","jetpack-related-posts":[{"id":7766,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/03\/10\/playing-minecraft-no-longer-makes-your-pc-a-juicy-target-for-hackers\/","url_meta":{"origin":1382,"position":0},"title":"Playing Minecraft no longer makes your PC a juicy target for hackers","author":"NCCT","date":"March 10, 2015","format":false,"excerpt":"The folks at Microsoft-owned Mojang just gave PC users one more reason to uninstall Java from their systems. The Minecraft launcher for PC now installs and manages its own instance of Oracle\u2019s software. The version of Java the new Minecraft launcher uses is contained within the game\u2019s directory\u2014meaning you no\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5980,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/15\/future-java-7-security-patches-will-work-on-windows-xp-despite-end-of-official-support\/","url_meta":{"origin":1382,"position":1},"title":"Future Java 7 security patches will work on Windows XP despite end of official support","author":"NCCT","date":"July 15, 2014","format":false,"excerpt":"Oracle has dispelled rumors that the upcoming security update for Java 7 and those it will release in the future might not work on Windows XP. \u201cWe expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7751,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/03\/06\/more-iot-insecurity-this-blu-ray-disc-pwns-pcs-and-dvd-players\/","url_meta":{"origin":1382,"position":2},"title":"More IoT insecurity: This Blu-ray disc pwns PCs and DVD players","author":"NCCT","date":"March 6, 2015","format":false,"excerpt":"For more than a decade, malicious hackers have used booby-trapped USB sticks to infect would-be victims, in rare cases to spread virulent, self-replicating malware on air-gapped computers inside a uranium enrichment plant. Now, a security researcher says he has found a way to build malicious Blu-ray discs that could do\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3175,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/13\/security-team-pries-open-secrets-of-chinese-hacker-gang\/","url_meta":{"origin":1382,"position":3},"title":"Security team pries open secrets of Chinese hacker gang","author":"NCCT","date":"August 13, 2013","format":false,"excerpt":"A Chinese hacker gang whose malware targeted RSA in 2011 infiltrated more than 100 companies and organizations, and was so eager to steal data that it probed a major teleconference developer to find new ways to spy on corporations, according to researchers. The remote-access Trojan, or RAT, tagged as \"Comfoo\"\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/zapt5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":5916,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/08\/attack-on-dailymotion-redirected-visitors-to-exploits\/","url_meta":{"origin":1382,"position":4},"title":"Attack on Dailymotion redirected visitors to exploits","author":"NCCT","date":"July 8, 2014","format":false,"excerpt":"Attackers injected malicious code into Dailymotion.com, a popular video sharing website, and redirected visitors to Web-based exploits that installed malware. The rogue code consisted of an iframe that appeared on Dailymotion on June 28, researchers from security vendor Symantec said Thursday in a blog post. The iframe redirected browsers to\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3106,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/05\/attackers-reported-seeding-cloud-services-with-malware\/","url_meta":{"origin":1382,"position":5},"title":"Attackers reported seeding cloud services with malware","author":"NCCT","date":"August 5, 2013","format":false,"excerpt":"LAS VEGAS -- Malware writers are ramping up their use of commercial file hosting sites and cloud services to distribute malware programs, security researchers said at this week's Black Hat conference here. Traditionally, malware writers had distributed their malicious code from their own sites. But as security vendors get better\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=1382"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/1382\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=1382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=1382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=1382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}