{"id":1758,"date":"2013-04-16T09:53:22","date_gmt":"2013-04-16T13:53:22","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=1758"},"modified":"2013-04-16T09:53:22","modified_gmt":"2013-04-16T13:53:22","slug":"new-security-protection-fixes-for-39-exploitable-bugs-coming-to-java","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/04\/16\/new-security-protection-fixes-for-39-exploitable-bugs-coming-to-java\/","title":{"rendered":"New security protection, fixes for 39 exploitable bugs coming to Java"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2013\/04\/new-security-protection-fixes-for-39-exploitable-bugs-coming-to-java\/\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/04\/unsigned_cert.jpg\" \/><\/a><\/p>\n<p>Oracle plans to release an update for the widely exploited Java browser plugin. The update fixes 39 critical vulnerabilities and introduces changes designed to make it harder to carry out drive-by attacks on end-user computers.<br \/>\nThe update scheduled for Tuesday comes as the security of Java is reaching near-crisis levels. Throughout the past year, a series of attacks hosted on popular websites has been used to surreptitiously install malware on unwitting users&#8217; machines. The security flaws have been used to infect employees of Facebook and Apple in targeted attacks intended to penetrate those companies. The vulnerabilities have also been exploited to hijack computers of home and business users. More than once, attackers have exploited one previously undocumented bug within days or weeks of patching a previous &#8220;zero-day,&#8221; as such vulnerabilities are known, creating a string of attacks on the latest version of the widely used plugin.<br \/>\nIn all, Java 7 Update 21 will fix at least 42 security bugs, Oracle said in a pre-release announcement. 
The post went on to say that &#8220;39 of those vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.&#8221; The advisory didn&#8217;t specify or describe the holes that will be patched. Security Explorations, a Poland-based security company that has discovered dozens of &#8220;security issues&#8221; in Java, has a running list of them here.<br \/>\nIn addition to the bug fixes, Oracle developers plan to roll out changes to Java that are intended to help end users make better decisions about when (and when not) to allow Java code to be executed in their browsers. Under the update, Java will display a variety of messages and dialog boxes, such as the one shown above, when it encounters websites that host Java applets. In some cases, the code will be executed only after an end user clicks an &#8220;OK&#8221; button.<br \/>\n&#8220;The messages presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority,&#8221; an article posted to Oracle&#8217;s Java.com explained. &#8220;Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future.&#8221;<br \/>\nBy contrast, higher-risk apps will be accompanied by a message that includes an exclamation point in a yellow warning triangle when the app certificate is untrusted or expired, or a yellow warning shield when the app is unsigned or is signed by a certificate that&#8217;s not valid.<br \/>\nOracle introduced a similar dialog message scheme late last year, but as previously reported by Ars, it doesn&#8217;t check the validity of application certificates. It&#8217;s a shortcoming that makes it easy for attackers to bypass the protection. 
That&#8217;s because it presents certificates as trustworthy even when they&#8217;ve been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light last month after Java gave the green light to a malicious app even though the digital certificate signing it had been revoked by the company that owned it.<br \/>\nFor almost a year now, Ars has been calling on Oracle developers to rigorously audit the Java software framework to patch the most critical security holes. It&#8217;s also crucial for Java to be outfitted with protections designed to help end users block drive-by attacks and to lessen the damage that can be done when vulnerabilities are exploited. It will take a few weeks to know if Tuesday&#8217;s update will finally deliver these long-overdue changes. We&#8217;re certainly keeping our fingers crossed, but in the meantime, we&#8217;re repeating our oft-repeated advice: users who have no need for the Java browser plugin should uninstall it, or users could reserve a specific browser for the handful of websites they use that require Java and a separate browser for all other sites.<br \/>\nvia <a href=\"http:\/\/arstechnica.com\/security\/2013\/04\/new-security-protection-fixes-for-39-exploitable-bugs-coming-to-java\/\" target=\"_blank\">New security protection, fixes for 39 exploitable bugs coming to Java | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Oracle plans to release an update for the widely exploited Java browser plugin. 
The update fixes 39 critical vulnerabilities and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[7,9],"tags":[341,583,1178],"class_list":["post-1758","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-exploit","tag-java","tag-vulnerability"],"jetpack_shortlink":"https:\/\/wp.me\/papNkV-sm"}