NEWS - August 30, 2012
by Carol~ - 8/30/12 8:46 AM
Chorus Grows Louder to Disable Java 7 After Exploit Hits Mainstream
More security researchers are recommending users disable the current version of Java after zero-day exploits gained traction in the Web world.
Patrick Runald, director of security research for Websense, told PC World today that his team had uncovered more than 100 infected domains - a figure expected to rise sharply after the exploit code for the Java vulnerabilities was added in recent days to the popular hacker tool Blackhole.
The original attack, believed to be based in China, is based on two vulnerabilities in one .jar file in Java 7.
Because of Java's ubiquitousness within Web sites, and Oracle's failure to date to release a patch out of its normal quarterly rotation, companies this week began recommending users disable Java browser plugins to help prevent the malicious code from entering machines through compromised Web sites.
"The beauty of this bug class is that it provides 100 percent reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353)," wrote Immunity developer Esteban Guillardoy earlier this week.
US-CERT recommended as a workaround disabling the Java plugin in browsers such as Safari, Chrome, Firefox and Internet Explorer. Apple's Lion and Mountain Lion also use Java 7 while Leopard and Snow Leopard do not.
Continued : https://threatpost.com/en_us/blogs/chorus-grows-louder-disable-java-7-after-exploit-hits-mainstream-082912
Java 0-day exploit served from over 100 sites
Care to Disable the Java Plugin?
From the Mozilla Security Blog:
Update - Aug 29, 2012: Protecting Users Against Java Security Vulnerability
We've been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users.
Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust.
We are still working out the implementation details, but our solution will accomplish two primary objectives:
1. By default, vulnerable versions of Java will be disabled for our Firefox users.
2. Users will be provided the option to enable Java through a clear and visible message that will be displayed anytime the user views a page using Java.
We'll provide additional updates when items are finalized. In the interim, we still advise users to disable the Java plugin as described below.
Continued : https://blog.mozilla.org/security/2012/08/28/protecting-users-against-java-security-vulnerability/