|
Scooped by
Gust MEES
April 23, 2013 10:39 AM
|
Just last week you were congratulating yourself for patching your computer against a Java security hole. Now another zero-day unpatched vulnerability has been found in Oracle's widely used softw... Here's the best piece of advice we can give you at the moment: If you don't need Java enabled in your browser, here's how to turn it off now! Many people who have Java enabled in their browser simply do not need it (By the way, don't mix up Java with JavaScript - they're different things), so the best solution for many folks is to rip Java out of their browser entirely. If you don't need Java, why put yourself at risk?
|
Scooped by
Gust MEES
September 28, 2012 9:30 AM
|
|
Scooped by
Gust MEES
August 28, 2012 4:00 PM
|
Java is a handy, cross-platform language that's been mightily abused by hackers. With the discovery of a new zero-day Java exploit, experts advise everyone to simply disable Java pending a patch. Here's how. That fix may not be quick in coming. Neil McAllister of The Register notes that Oracle runs on a strict four-month update cycle, and the next update isn't due until October 16th. Both McAllister and FireEye recommend against downgrading to an earlier unaffected Java version, since older versions have their own vulnerabilities. So how do you go about disabling Java? Read more: http://securitywatch.pcmag.com/hacking/302019-security-warning-disable-java-now
Apple may have appeared to have pulled off a coup in persuading Oracle to maintain Java for Mac but can Oracle be trusted to get it right? The emergence of the Flashback Trojan - which exploited a vulnerability in Mac OS X's version of Java - earlier this year led to a lot of flak for both Oracle and Apple. The vulnerability was known about and fixed in the Windows and Linux versions of Java, but remained exposed in OS X for several more weeks. ===> The fact that Apple is ultimately responsible for maintaining Java on OS X saw Apple's ability to protect its users questioned. <=== Read more: - http://www.scoop.it/t/apple-mac-ios4-ipad-iphone-and-in-security
The Flashback botnet is an indication that Apple is not putting enough energy into security and that Oracle isn't paying attention to Java security issues.
A Java revision is available for OS X Lion [1.0/2012-001 - 64 MB - OS X 10.7] as well as for Snow Leopard [1.0 - Update 7 - 76 MB - OS X 10.6]. It brings security fixes and other fixes that contribute to its stability. ===> In particular, this update closes a major flaw exploited by malware that could be picked up from a website and was then able to run, with administrator rights, a Java applet containing harmful code... <===
Enterprise users of Java for the Mac OS X should ensure their machines are updated with the latest security patch from Apple, released Tuesday. The update, for both Lion (10.7.3) and Snow Leopard (10.6.8) versions of the platform, closes a dozen holes in Java 1.6.0_29, "the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox," according to Apple. That presumably refers to CVE-2012-0507, which researchers at F-Secure said Monday was being used to spread the latest variant of the password-stealing Flashback trojan. ===> Computers can be infected simply by users visiting a malicious web page, a scenario known as a drive-by download. <=== ===> UPDATE!!! <===
A new variant of the Flashback Trojan that appeared last year can install itself on a Mac without need for an administrator's password.
|
Scooped by
Gust MEES
March 29, 2012 3:55 PM
|
The vulnerability in question is CVE-2012-0507, a remote execution bug patched by Oracle in February. Earlier this month, researchers at Microsoft spotted it being used in attacks to circumvent the sandbox mechanism in the Java Runtime Environment (JRE). Now, security blogger Brian Krebs has reported that cybercriminals have packaged an exploit for the bug into the infamous BlackHole toolkit. BlackHole has emerged as one of the most widely-used malware kits sold on the Web. According to security firm AVG Technologies, it accounted for more than 80 percent of toolkit detections during the fourth quarter of 2011. Krebs reported this week he had found several posts on underground carding forums stating the exploit has been included in the kit.
If a Mac OS X user visits a web page, and their Java is not up to date, the malware infection will occur without their intervention. ===> UPDATE asap! <===
|
Two weeks ago, Mac security software company Intego discovered malware which it classified as "a new Java backdoor trojan called Java/Jacksbot.A.” New threats are discovered all the time, but Intego later concluded that even though Jacksbot is a variant of the Java remote access tool (RAT) created by the jailbreaking group Redpois0n, it can target multiple platforms. The malware writers behind JACKSBOT may just be testing the waters for a successful multiplatform malware; however for now they appear to be unwilling to invest the time and resources to develop the code more completely. ===> It’s likely that the authors will continue to improve the code to fully support infection for OS X and Linux. <=== Read more, a MUST: http://thenextweb.com/2012/10/31/jacksbot-java-malware-can-take-control-of-windows-mac-and-linux-systems/?utm_source=dlvr.it&utm_medium=twitter
|
Scooped by
Gust MEES
September 26, 2012 12:56 PM
|
For years Apple provided Java for its Mac OS itself and basically tried to get rid of it. But now it has agreed with Oracle that the Java maker should take over this task. With regard to Java, Mac users are thus to be put on an equal footing with Windows and Linux users and so be supplied with security updates earlier than before. Read more...
|
Scooped by
Gust MEES
April 23, 2012 6:32 PM
|
Symantec helps consumers and organizations secure and manage their information-driven world. Symantec Security Response, along with some other security vendors, reported the discovery of the OSX.Flashback malware recently patched by Apple. Many people may be surprised to learn the infection volume is reported at over 600,000 computers. On a new front, we have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads a suitable malware for the OS. This is explained further in the following illustration... Read more...
Apple has shipped a Java update for Mac operating systems with 12 security fixes, including one that plugs a hole exploited by a recent variant of the Flashback malware. ===> UPDATE!!! <===
Yesterday we mentioned the return of the Flashback Trojan horse, whose latest variant infects Macs through a Java flaw - a flaw fixed some time ago by Oracle, but whose fix Apple has been slow to make available to users. Has Cupertino taken the pulse of the threat? ===> In any case, it is rather odd to see a Java update for Mac OS X, numbered 1.6.0_31, arrive right now! <=== ===> Apple makes no mention of this worm, but states that this version brings compatibility, security and reliability improvements. The update, to be retrieved through the usual System Preferences mechanism, weighs 66 MB. <===
Unfortunately, Mac users haven't received a patch for that particular vulnerability since Apple hasn't yet ported it to Java for Macs. In addition to all that, there are rumors that an exploit for another unpatched Java flaw is being offered for sale on online forums. ===> The researchers advise Mac users to disable their Java client for the time being in order to avoid infection. <===
A new Flashback variant (Mac malware) has been spotted exploiting CVE-2012-0507 (a Java vulnerability). We've been anticipating something like this for a while now. Oracle released an update that patched this vulnerability back in February… for Windows. ===> But — Apple hasn't released the update for OS X (yet). <===
|
Scooped by
Gust MEES
March 20, 2012 8:36 AM
|
The security experts at Kaspersky Lab have discovered an unusual variant of the drive-by attack during their investigations. On some websites you can pick up malware simply by surfing past (drive-by), unless you have active and good security measures in place. The latest variant of such a web infection exploits Java to get into the target system. There it does not attach itself to a file as usual – where a virus scanner could then find it – ===> but instead hides cleverly in RAM. <===
|
Check also:
- http://www.scoop.it/t/securite-pc-et-internet?tag=Java-vulnerabilities