[ISN] New security protection, fixes for 39 exploitable bugs coming to Java

From: InfoSec News (alertsinfosecnews.org)
Date: Tue Apr 16 2013 - 01:09:31 CDT


http://arstechnica.com/security/2013/04/new-security-protection-fixes-for-39-exploitable-bugs-coming-to-java/

By Dan Goodin
Ars Technica
Apr 15 2013

Oracle plans to release an update for the widely exploited Java browser
plugin. The update fixes 39 critical vulnerabilities and introduces changes
designed to make it harder to carry out drive-by attacks on end-user
computers.

The update scheduled for Tuesday comes as the security of Java is reaching
near-crisis levels. Throughout the past year, a series of attacks hosted on
popular websites has been used to surreptitiously install malware on unwitting
users' machines. The security flaws have been used to infect employees of
Facebook and Apple in targeted attacks intended to penetrate those companies.
The vulnerabilities have also been exploited to hijack computers of home and
business users. More than once, attackers have exploited one previously
undocumented bug within days or weeks of patching a previous "zero-day," as
such vulnerabilities are known, creating a string of attacks on the latest
version of the widely used plugin.

In all, Java 7 Update 21 will fix at least 42 security bugs, Oracle said in a
pre-release announcement. The post went on to say that "39 of those
vulnerabilities may be remotely exploitable without authentication, i.e., may
be exploited over a network without the need for a username and password." The
advisory didn't specify or describe the holes that will be patched. Security
Explorations, a Poland-based security company that has discovered dozens of
"security issues" in Java, has a running list of them here.

In addition to the bug fixes, Oracle developers plan to roll out changes to
Java that are intended to help end users make better decisions about when (and
when not) to allow Java code to be executed in their browsers. Under the
update, Java will display a variety of messages and dialog boxes, such as the
one shown above, when it encounters websites that host Java applets. In some
cases, the code will be executed only after an end user clicks an "OK" button.

[...]
