Homeland Security warns to disable Java amid zero-day flaw
www.zdnet.com/homeland-security-warns-to...day-flaw-7000009713/
The U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw.
Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.
"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
Java users should disable or uninstall Java immediately to mitigate any damage.
The latest flaw, as earlier reported by ZDNet, is currently being exploited in the wild, security experts have warned. Alienvault Labs have reproduced and verified claims that the new zero-day that exploits a vulnerability in Java 7, according to security expert Brian Krebs.
As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab.
java-zero-dayVerifying the flaw, security researchers were able to trick the malicious Java applet to execute the Windows calculator. Credit: Alienvault Labs
Java is used by hundreds of millions of Windows, Mac and Linux machines -- along with mobile devices and embedded systems -- around the world to access interactive content or Web applications and services.
It's not uncommon for the U.S. government -- or any other government agency -- to advise against security threats, but rarely does an agency actively warn to disable software; rather they offer advice to mitigate such threats or potential attacks, such as updating software on their systems.
=====================================
New malware exploiting Java 7 in Windows and Unix systems
reviews.cnet.com/8301-13727_7-57563567-2...ws-and-unix-systems/
Mal/JavaJar-B is a cross-platform exploit of a new zero-day vulnerability in the latest Java runtimes.
A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).
The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown:
"Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to "permissions of certain Java classes," as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack."
The malware has currently been seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform. Additionally, the exploit is currently being distributed in the competing exploit kits "Blackhole" and "NuclearPack," making it far more convenient to criminal malware developers to use.
Even though the exploit has not been seen in OS X, Apple has taken steps to block it by issuing an update to its built-in XProtect system to block the current version of the Java 7 runtime and require users install an as of yet unreleased version of the Java runtime (release b19). Additionally, the U.S. Department of Defense has issued an advisory to disable Java on systems that have it installed.
Luckily with the latest versions of Java, users who need to keep it active can change a couple of settings to help secure their systems. Go to the Java Control Panel that is installed along with the runtime, and in the Security section uncheck the option to "Enable Java content in the browser," which will disable the browser plug-in. This will prevent the inadvertent execution of exploits that may be stumbled upon when browsing the Web, and is a recommended setting for most people to do. If you need to see a Java applet on the Web, then you can always temporarily re-enable the plug-in.
The second setting is to increase the security level of the Java runtime, which can also be done in the same Security section of the Java Control Panel. The default security level is Medium, but you can increase this to High or Very High. At the High level, Java will prompt you for approval before running any unsigned Java code, and at the Very High level all Java code will require such approval, regardless of whether or not it is signed.
Since this threat is Java-based, it will only affect systems that have Java installed. Most platforms do not come with Java, but if you have installed it and do not need or regularly use it, you might consider removing it from your system. While Java is convenient for legitimate developers, its conveniences also help malware developers spread their harmful practices to multiple platforms.