
wrldwzrd89

macrumors G5
Original poster
Jun 6, 2003
12,110
77
Solon, OH
Link to story: http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/

Summary: Security researchers have confirmed that the latest version of Oracle's Java software framework is vulnerable to Web hacks that allow attackers to install malware on end users' computers.

My analysis: Well, this is the latest in a series of black eyes / punches to the gut for Oracle and Java. How do you deal with such an unmitigated disaster? I don't know - but at this point, since all the exploits involve the web browser applet plugin, I'd be tempted to announce that Java applets, at least as we know them now, will cease to exist completely in Java SE 8 - the web plugin will go away, as will all code to support it. This is just a hypothetical "nuclear" measure; but in this day and age, with HTML5 being the clear way forward, it just may be worth it.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
Exploitation of these Java vulnerabilities is at least somewhat mitigated by requiring the end user to click "OK" to run unsigned and self-signed Java applets by default.

Exploiting these vulnerabilities will now require some measure of social engineering to get users to click "OK". Albeit, it most likely will not be difficult to get unknowledgeable users to do so.
 

snberk103

macrumors 603
Oct 22, 2007
5,503
91
An Island in the Salish Sea
...
Exploiting these vulnerabilities will now require some measure of social engineering to get users to click "OK". Albeit, it most likely will not be difficult to get unknowledgeable users to do so.

I suspect the definition of "unknowledgeable user" includes way more people for Java than it does for email. Most of my non-techy friends are now well trained to reject dodgy emails - sometimes too well trained, as even legitimate emails get binned occasionally.

But I think that the vast majority of people have no idea what a legitimate Java request looks like. And since they have been trained to reject emails, and this is not an email, we may see largely successful socially engineered exploits for Java. Unless they take it out entirely.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
I suspect the definition of "unknowledgeable user" includes way more people for Java than it does for email. Most of my non-techy friends are now well trained to reject dodgy emails - sometimes too well trained, as even legitimate emails get binned occasionally.

But I think that the vast majority of people have no idea what a legitimate Java request looks like. And since they have been trained to reject emails, and this is not an email, we may see largely successful socially engineered exploits for Java. Unless they take it out entirely.

I totally agree. Prior to Java sandbox bypass exploits being readily available, users had to accept running unsigned and self-signed Java applets that required permissions beyond those allowed by the Java sandbox, and malware still used social engineering to trick users into granting those privileges.

Now Java requires all unsigned and self-signed applets to be manually allowed regardless of the applet's required permissions in relation to the Java sandbox. So, malware that uses Java applets will either have to be manually allowed to run in order to execute a Java sandbox exploit, or prompt the user to accept a certificate to run with elevated privileges.

Basically, another layer of security has been added but users that are susceptible to being tricked via social engineering are still liable to be tricked.

At least now knowledgeable users that require Java enabled in the browser are more protected.
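The two posts above describe the Java 7u10+ behaviour where unsigned and self-signed applets prompt before running, and where knowledgeable users who need Java can leave the plugin off entirely. As an added example (not code from the thread, from Oracle, or from any poster), here is a small audit script that checks a Java deployment.properties file for the two settings that control this: deployment.webjava.enabled (the browser plugin switch) and deployment.security.level (the Control Panel security slider). The two keys are real Java 7u10+ settings; the file location, the sample contents and the chosen minimum level are assumptions made for the example.

```python
"""Audit a Java deployment.properties file for the browser-plugin hardening
settings discussed in the thread.

Added example, not code from the thread or from Oracle. The two keys checked
are the Java 7u10+ Control Panel settings; the usual per-user location of the
file (~/.java/deployment/deployment.properties on Linux/macOS) is an assumption,
as are the sample contents below.
"""
from __future__ import annotations

# Constructed sample: a user-level deployment.properties with the plugin left on
# and the slider at MEDIUM (the weaker side of the thread's "click OK" prompt).
WEAK_CONFIG = """\
#deployment.properties
deployment.version=7.10
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

# Constructed sample: plugin disabled and the slider raised, which is what a
# user who does not need Java in the browser would want.
HARDENED_CONFIG = """\
#deployment.properties
deployment.version=7.10
deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH
"""

# Slider values ordered weakest first, so levels can be compared by index.
LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: key=value or key:value lines, '#'/'!' comments ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def audit(text: str, minimum_level: str = "HIGH") -> list[str]:
    """Return human-readable findings; an empty list means the config passes.

    Defaults mirror a fresh 7u10 install as far as this example assumes them:
    plugin enabled, slider at MEDIUM.
    """
    props = parse_properties(text)
    findings: list[str] = []

    enabled = props.get("deployment.webjava.enabled", "true").lower()
    if enabled != "false":
        findings.append("browser plugin enabled: deployment.webjava.enabled is not false")

    level = props.get("deployment.security.level", "MEDIUM").upper()
    if level not in LEVELS:
        findings.append(f"unknown deployment.security.level value {level!r}")
    elif LEVELS.index(level) < LEVELS.index(minimum_level):
        findings.append(f"deployment.security.level is {level}, below {minimum_level}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(cfg)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Pointing audit() at a real file is a matter of reading it into a string; the script deliberately reports the plugin switch separately from the slider level, because leaving the plugin off removes the prompt from the picture entirely, whereas the slider only changes what the prompt asks.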
 

SactoGuy18

macrumors 601
Sep 11, 2006
4,731
1,798
Sacramento, CA USA
That's the reason why both my Windows 7 desktop and laptop computers are running Norton Internet Security 2013. Symantec has updated their malware signatures to stop known vulnerabilities in the Java virtual machines.
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
That's the reason why both my Windows 7 desktop and laptop computers are running Norton Internet Security 2013. Symantec has updated their malware signatures to stop known vulnerabilities in the Java virtual machines.

Anti-virus software will only protect you from specific known threats; unknown threats aren't reliably detected. Java applets as a whole aren't inherently bad so a specific definition is required for a malicious applet.

That's the reason why I don't use any online services that require Java and don't have Java enabled in my web browser.
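The exchange above turns on the limit of signature-based anti-virus: a definition only catches what it was written for. As an added example (not code from the thread, from Symantec, or from any poster), the script below runs two kinds of constructed definitions, an exact file hash and a byte pattern, over three constructed byte strings that stand in for applet files. The hash catches only the exact sample it was made from, the pattern also catches a trivially modified variant of that sample, and neither says anything about an applet the vendor has never seen. All samples, marker strings and definition names are made up for the example.

```python
"""Why 'known threats only' is the right way to think about signature scanning.

Added example, not code from the thread or from any anti-virus vendor. The
three 'applets' are constructed byte strings, not real files, and the marker
string and definition name are invented for the illustration.
"""
import hashlib
import re
from typing import Optional, Tuple

# Constructed samples. KNOWN_BAD stands in for a sample a vendor has already
# analysed; VARIANT is the same bytes with one byte of trailing padding changed;
# UNRELATED is a different applet the vendor has never seen.
KNOWN_BAD = b"CAFEBABE" + b"example.constructed.marker" + b"\x00" * 8
VARIANT = b"CAFEBABE" + b"example.constructed.marker" + b"\x00" * 7 + b"\x01"
UNRELATED = b"CAFEBABE" + b"com.example.hello" + b"\x00" * 8


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a blob, used as the exact-match definition key."""
    return hashlib.sha256(data).hexdigest()


# Definition 1: an exact file hash, the narrowest kind of signature. Any change
# to the file, even one byte of padding, produces a different hash.
HASH_SIGNATURES = {sha256(KNOWN_BAD): "Applet.Constructed.A"}

# Definition 2: a byte pattern lifted from the analysed sample. Broader than a
# hash, so it survives trivial repacking, but it still only describes a family
# the vendor has already looked at.
PATTERN_SIGNATURES = {re.compile(rb"example\.constructed\.marker"): "Applet.Constructed.A"}


def scan(data: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (hash_definition_hit, pattern_definition_hit); None means no match."""
    hash_hit = HASH_SIGNATURES.get(sha256(data))
    pattern_hit = next(
        (name for rx, name in PATTERN_SIGNATURES.items() if rx.search(data)), None
    )
    return hash_hit, pattern_hit


def is_known_threat(data: bytes) -> bool:
    """True only if some definition fires; 'False' means unknown, not clean."""
    return any(hit is not None for hit in scan(data))


if __name__ == "__main__":
    for label, blob in (("known", KNOWN_BAD), ("variant", VARIANT), ("unrelated", UNRELATED)):
        print(label, scan(blob), "flagged" if is_known_threat(blob) else "not flagged")
```

The last line of the loop is the point: "not flagged" for UNRELATED is the same answer a scanner gives for any applet it has no definition for, malicious or not, which is why the thread's advice to not have the plugin enabled at all is a stronger control than relying on updated definitions.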
 