-=PCTechTalk=- PSA: Java Exploit (Threat-level critical)

  • From: LARRY SOUTHERLAND <larrysoutherland@xxxxxxxxxxxxx>
  • To: the_bullhorn2@xxxxxxxxxxxxxxx, thebullhornsbest@xxxxxxxxxxxxxxx, Puters_N_Such@xxxxxxxxxxxxxxx, PC TechTalk <pctechtalk@xxxxxxxxxxxxx>
  • Date: Sun, 13 Jan 2013 16:28:25 -0800 (PST)

http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/
________________________________
12 Jan 13
What You Need to Know About the Java Exploit
On Thursday, the world learned that attackers were breaking into computers using
a previously undocumented security hole in Java, a program that is installed on
hundreds of millions of computers worldwide. This post aims to answer some of
the most frequently asked questions about the vulnerability, and to outline
simple steps that users can take to protect themselves.
Q: What is Java, anyway?
A: Java is a programming language and computing platform that powers programs
including utilities, games, and business applications. According to Java maker
Oracle Corp., Java runs on more than 850 million personal computers worldwide,
and on billions of devices worldwide, including mobile and TV devices. It is
required by some Web sites that use it to run interactive games and
applications.
Q: So what is all the fuss about? 
A: Researchers have discovered that cybercrooks are attacking a previously 
unknown security hole in Java 7 that can be used to seize control over a 
computer if a user visits a compromised or malicious Web site.
Q: Yikes. How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a browser
plug-in. According to researchers at Carnegie Mellon University’s CERT,
unplugging the Java plugin from the browser essentially prevents exploitation
of the vulnerability. Not long ago, disconnecting Java from the browser was not
straightforward, but with the release of the latest version of Java 7 — Update
10 — Oracle included a very simple method for removing Java from the browser.
You can find their instructions for doing this here.
Q: How do I know if I have Java installed, and if so, which version?
A: The simplest way is to visit this link and click the “Do I have Java” link,
just below the big red “Download Java” button.
Q: I’m using Java 6. Does that mean I don’t have to worry about this? 
A: There have been conflicting findings on this front. The description of this
bug at the National Vulnerability Database (NVD), for example, states that the
vulnerability is present in Java versions going back several years, including
versions 4 and 5. Analysts at vulnerability research firm Immunity say the bug
could impact Java 6 and possibly earlier versions. But Will Dormann, a security
expert who’s been examining this flaw closely for CERT, said the NVD’s advisory
is incorrect: CERT maintains that this vulnerability stems from a component that
Oracle introduced with Java 7. Dormann points to a detailed technical analysis
of the Java flaw by Adam Gowdiak of Security Explorations, a security research
team that has alerted Java maker Oracle about a large number of flaws in Java.
Gowdiak says Oracle tried to fix this particular flaw in a previous update but
failed to address it completely.
Either way, it’s important not to get too hung up on which versions are
affected, as this could become a moving target. Also, a new zero-day flaw is
discovered in Java several times a year. That’s why I’ve urged readers to
either uninstall Java completely or unplug it from the browser no matter what
version you’re using.

Q: A site I use often requires the Java plugin to be enabled. What should I do?
A: You could downgrade to Java 6, but that is not a very good solution. Oracle
will stop supporting Java 6 at the end of February 2013, and will soon be
transitioning Java 6 users to Java 7 anyway. If you need Java for specific Web
sites, a better solution is to adopt a two-browser approach. If you normally
browse the Web with Firefox, for example, consider disabling the Java plugin in
Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with
Java enabled to browse only the site(s) that require(s) it.
Q: I am using a Mac, so I should be okay, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to
foist malware on Mac and Linux systems, in addition to Microsoft Windows
machines. Java is made to run programs across multiple platforms, which makes
it especially dangerous when new flaws in it are discovered. For instance, the
Flashback worm that infected more than 600,000 Macs wiggled into OS X systems
via a Java flaw. Oracle’s instructions include advice on how to unplug Java from
Safari. I should note that Apple has not provided a version of Java for OS X
beyond 6, but users can still download and install Java 7 on Mac systems.
However, it appears that in response to this threat, Apple has taken steps to
block Java from running on OS X systems.
Q: I don’t browse random sites or visit dodgy porn sites, so I shouldn’t have to
worry about this, correct?
A: Wrong. This vulnerability is mainly being exploited by exploit packs, which
are crimeware tools made to be stitched into Web sites so that when visitors
come to the site with vulnerable/outdated browser plugins (like this Java bug),
the site can silently install malware on the visitor’s PC. Exploit packs can be
just as easily stitched into porn sites as they can be inserted into
legitimate, hacked Web sites. All it takes is for the attackers to be able to
insert one line of code into a compromised Web site.
Q: I’ve read in several places that this is the first time that the U.S.
government has urged computer users to remove or wholesale avoid using a
particular piece of software because of a widespread threat. Is this true?
A: Not really. During previous high-alert situations, CERT has advised Windows
users to avoid using Internet Explorer. In this case, CERT is not really
recommending that users uninstall Java: just that users unplug Java from their
Web browser.
Q: I’m pretty sure that my Windows PC has Java installed, but I can’t seem to
locate the Java Control Panel from the Windows Start Menu or Windows Control
Panel. What gives?
A: According to CERT’s Dormann, due to what appears to potentially be a bug in
the Java installer, the Java Control Panel applet may be missing on some
Windows systems. In such cases, the Java Control Panel applet may be launched
by finding and executing javacpl.exe manually. This file is likely to be found
in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.
Q: I can’t remember the last time I used Java, and it doesn’t look like I even
need this program anymore. Should I keep it?
A: Java is not as widely used as it once was, and most users probably can get
by without having the program installed at all. I have long recommended that
users remove Java unless they have a specific use for it. If you discover later
that you really do need Java, it is trivial and free to reinstall it.
Q: This is all well and good advice for consumers, but I manage many PCs in a
business environment. Is there a way to deploy Java but keep the plugin
disconnected from the browser?
A: CERT advises that system administrators wishing to deploy Java 7 Update 10
or later with the “Enable Java content in the browser” feature disabled can
invoke the Java installer with the WEB_JAVA=0 command-line option. More details
are available in the Java documentation.
Q: Okay, I think I’m covered on Java. But what about JavaScript?
A: Because of the unfortunate similarity of their names, many people confuse
Java with JavaScript. But these are two completely different things. Most Web
sites use JavaScript, a powerful scripting language that helps make sites
interactive. Unfortunately, a huge percentage of Web-based attacks use
JavaScript tricks to foist malicious software and exploits onto site visitors.
To protect yourself, it is critically important to have an easy method of
selecting which sites should be allowed to run JavaScript in the browser. It is
true that selectively allowing JavaScript on known, “safe” sites won’t block
all malicious scripting attacks: Even legitimate sites sometimes end up running
malicious code when scammers figure out ways to sneak tainted, bogus ads into
the major online ad networks. But disallowing JavaScript by default and
selectively enabling it for specific sites remains a much safer option than
letting all sites run JavaScript unrestricted all the time.
Firefox has many extensions and add-ons that make surfing the Web a safer
experience. One extension that I have found indispensable is NoScript. This
extension lets the user decide which sites should be allowed to run JavaScript,
including Flash Player content. Users can choose to allow specific exceptions
either permanently or for a single browsing session.
Chrome also includes similar script- and Flash-blocking functionality that
seems designed to minimize some of these challenges by providing fewer options.
If you tell Chrome to block JavaScript on all sites by default, when you browse
to a site that uses JavaScript, the upper right corner of the browser displays
a box with a red “X” through it. If you click that and select “Always allow
JavaScript on [site name]” it will permanently enable JavaScript for that site,
but it doesn’t give you the option to block third-party JavaScript content on
the site as NoScript does. In my testing, I had to manually refresh the page
before Chrome allowed scripting on a site that I’d just whitelisted. In
addition, there is a very handy add-on for Chrome called NotScripts that works
very much like NoScript.
Selective script blocking can take some getting used to. Most script-blocking
add-ons will disable scripting by default on Web sites that you have not added
to your trusted list. In some cases, it may take multiple tries to get a site
that makes heavy use of JavaScript to load properly.
Internet Explorer allows users to block scripts, but even the latest version of
IE still doesn’t give the user much choice in handling JavaScript. In IE9, you
can select among JavaScript on, off, or prompting you to load JavaScript.
Turning JavaScript off isn’t much of an option, but leaving it completely open
is unsafe. Choosing the “Prompt” option does nothing but serve incessant pop-up
prompts to allow or disallow scripts (see the video below). The lack of a
simpler approach to script blocking in IE is one of the main reasons I continue
to steer readers toward Firefox and Chrome.
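
Added example, not from the Krebs article or from CERT: a PowerShell script for
the two Windows procedures the article describes, finding javacpl.exe when the
Java Control Panel is missing from the Start Menu, and deploying Java 7 Update
10 with the browser plug-in disconnected via WEB_JAVA=0. It also reports the
installed JRE version from the registry and reads the current "Enable Java
content in the browser" state. Assumptions: that the checkbox is persisted as
deployment.webjava.enabled in the per-user deployment.properties file, that
later jre*\bin folders keep the same layout as jre7\bin, and that the installer
file name shown at the end is a placeholder for whatever build you deploy.

```powershell
# Added example (not part of the Krebs article or the CERT note). Locates the
# Java Control Panel applet, reports JRE version and browser plug-in state, and
# shows the CERT-recommended silent install line. Assumptions are marked inline.

# The two javacpl.exe paths the article names, then any other jre*\bin under
# either Program Files tree (assumption: later updates keep that layout).
function Find-JavaControlPanel {
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $known = Join-Path $root 'Java\jre7\bin\javacpl.exe'
        if (Test-Path $known) { return $known }
    }
    foreach ($root in $roots) {
        $hit = Get-ChildItem -Path (Join-Path $root 'Java') -Filter 'javacpl.exe' `
                   -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($hit) { return $hit.FullName }
    }
    return $null
}

# Installed JRE version from the key the Oracle installer writes. A 32-bit JRE
# on 64-bit Windows lands under Wow6432Node instead, so both keys are checked.
function Get-InstalledJreVersion {
    foreach ($key in @('HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
                       'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')) {
        if (Test-Path $key) { return (Get-ItemProperty -Path $key).CurrentVersion }
    }
    return $null
}

# Java 7u10 keeps the "Enable Java content in the browser" checkbox in the
# per-user deployment.properties (assumption: key deployment.webjava.enabled,
# absent or true = plug-in enabled, false = disconnected).
function Get-WebJavaState {
    $props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    if (-not (Test-Path $props)) { return 'enabled (no deployment.properties; default is on)' }
    $line = Select-String -Path $props -Pattern '^deployment\.webjava\.enabled=' |
            Select-Object -First 1
    if (-not $line) { return 'enabled (key absent; default is on)' }
    if ($line.Line -match '=\s*false\s*$') { return 'disabled' }
    return 'enabled'
}

$cpl = Find-JavaControlPanel
if ($cpl) { "Java Control Panel applet: $cpl  (run it to untick 'Enable Java content in the browser')" }
else      { "javacpl.exe not found under Program Files; Java 7 may not be installed" }
"Installed JRE version: $(Get-InstalledJreVersion)"
"Java content in the browser: $(Get-WebJavaState)"

# Deploying with the plug-in disconnected, as CERT advises. The file name is a
# placeholder; /s is the Oracle installer's silent-mode switch and WEB_JAVA=0
# is the option named in the article. Uncomment to run on a managed PC:
# & '.\jre-7u10-windows-i586.exe' /s WEB_JAVA=0
```

Run it in an elevated PowerShell on each managed PC; the last two lines of
output tell you whether the machine still needs the plug-in unticked, and the
commented install line is the one to put in your deployment script.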

---------------------------------------------------------------
Please remember to trim your replies (including this sentence and everything 
below it) and adjust the subject line as necessary.

To subscribe, unsubscribe or modify your email settings:
//www.freelists.org/webpage/pctechtalk
OR
To subscribe to the mailing list, send an email to 
pctechtalk-request@xxxxxxxxxxxxx with "subscribe" in the Subject. To 
unsubscribe send email to pctechtalk-request@xxxxxxxxxxxxx with "unsubscribe" 
in the Subject.

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
//www.freelists.org/archives/pctechtalk/

To contact only the PCTT Mod Squad, write to:
pctechtalk-moderators@xxxxxxxxxxxxx

To join our separate PCTableTalk off-topic group, send a blank email to:
pctabletalk+subscribe@xxxxxxxxxxxxxxxx
---------------------------------------------------------------
