
Wednesday, January 16, 2013

Forget Oracle's Latest Java Patch. Just Kill The Program In Your Browser For Good

http://designsguru.blogspot.in

After months of inaction and even a warning from the Department of Homeland Security, Oracle has finally released a fix for yet another security vulnerability in its ubiquitous and notoriously buggy Java software. But a simpler and far more effective fix has been available all along: kick your Java habit altogether.
Despite Oracle’s new patch, which the company posted to its website on Sunday, more than four months after it was informed about the bug by Polish security firm Security Explorations, Java watchers in the security industry are recommending that users give up on the endless cycle of the program’s bugs and fixes and instead turn it off in their browsers for good. “Users should simply disable it,” says H.D. Moore, chief security officer at the security firm Rapid7, who has tested numerous Java exploitation techniques over the last year. “The amount of utility it offers is so much smaller than the risk it creates for users. It’s much safer to leave it off.”
The Department of Homeland Security took the rare step of issuing a warning to users late last week that a new flaw in Java had been integrated into multiple common “exploit kits,” commonly available attack software that lets cybercriminals infect users’ machines with malware via a Java applet when they visit a malicious or compromised website.
The bug was just the latest in a series that wracked Oracle for much of 2012. In August a flaw in the software, also reported months earlier by Security Explorations, was exploited by hackers installing malware including the Poison Ivy trojan on target PCs. When Oracle released a patch, Security Explorations quickly found another flaw in the fix that would allow the new security measures to be bypassed. And the company followed that revelation with the discovery of yet another critical bug in the program.
Russian security firm Kaspersky reported in its third-quarter analysis of security threats that Java was exploited in fully 56% of all known attacks that took advantage of vulnerabilities in software. And last year, a Java vulnerability was used by the Flashback malware to create the first known large-scale botnet of Macs, which numbered more than 600,000 machines at its peak.
Apple, for its part, responded to Oracle’s security failings by disabling the Java plug-in by default in all browsers on Mac OS X. Wolfgang Kandek, chief technology officer at software vulnerability analysis firm Qualys, says users of other operating systems should take the same step, only enabling Java on the rare occasions that they encounter a trusted website that requires the program. (A useful guide to uninstalling the program can be found on KrebsOnSecurity.)
Java in many ways goes against all the security trends that have made browsers harder to exploit in recent years. It still requires manual updates, despite several browsers’ moves to automatically download and install new versions of themselves. And despite modern browsers’ attempts to prevent websites from gaining access to a PC beyond a limited “sandbox,” Java can in many cases allow attackers to escape those restrictions, access the full hard disk and make network connections to remote servers. “The attack surface is so big,” Kandek says. “In many ways, you don’t want Java to be able to do all the things that it does anymore.”
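Disabling the plug-in only helps if it is actually gone from what web pages can see. The following is an added example, not code from the article or from Oracle: it inspects the `navigator.plugins` and `navigator.mimeTypes` arrays that plug-in-era browsers exposed to page scripts and reports whether a Java plug-in is reachable. Exploit kits of the period fingerprinted visitors with the same kind of check before deciding to serve a Java applet exploit, so a result of `exposed: true` means a drive-by site can see Java and target it. The sample navigator objects at the bottom are constructed for illustration, not captured browser data.

```javascript
// Added example (not from the article): report whether a Java browser plug-in
// is exposed to web content via navigator.plugins / navigator.mimeTypes.
// Run it in a browser console, or under Node against the constructed samples.

const JAVA_MIME_PREFIX = 'application/x-java-'; // -applet, -vm, -bean, ...

// Accepts a navigator-like object so the check can also run under Node
// against constructed data; in a browser pass window.navigator.
function findJavaPlugin(nav) {
  const report = { exposed: false, mimeTypes: [], plugins: [] };
  if (!nav) return report;

  // A MimeType whose enabledPlugin is null belongs to a plug-in the browser
  // has disabled, so it is not counted as exposed.
  for (const mt of Array.from(nav.mimeTypes || [])) {
    if (typeof mt.type === 'string' &&
        mt.type.toLowerCase().startsWith(JAVA_MIME_PREFIX) &&
        mt.enabledPlugin) {
      report.mimeTypes.push(mt.type);
    }
  }

  // Plug-in names vary by vendor and version ("Java(TM) Platform SE 7 U11",
  // "Java Applet Plug-in", ...); match the word "Java" but not "JavaScript".
  for (const p of Array.from(nav.plugins || [])) {
    if (typeof p.name === 'string' && /\bjava\b/i.test(p.name)) {
      report.plugins.push(p.name);
    }
  }

  report.exposed = report.mimeTypes.length > 0 || report.plugins.length > 0;
  return report;
}

// Convenience wrapper: true when web content can reach a Java plug-in.
function javaPluginExposed(nav) {
  return findJavaPlugin(nav).exposed;
}

// Constructed sample navigators (assumed shapes, not captured browser data).
const JAVA_PLUGIN = { name: 'Java(TM) Platform SE 7 U11',
                      description: 'Next Generation Java Plug-in' };
const NAV_WITH_JAVA = {
  plugins: [{ name: 'Shockwave Flash' }, JAVA_PLUGIN],
  mimeTypes: [
    { type: 'application/x-shockwave-flash', enabledPlugin: { name: 'Shockwave Flash' } },
    { type: 'application/x-java-applet', enabledPlugin: JAVA_PLUGIN },
    { type: 'application/x-java-applet;version=1.7', enabledPlugin: JAVA_PLUGIN },
  ],
};
const NAV_JAVA_DISABLED = {
  plugins: [{ name: 'Shockwave Flash' }],
  mimeTypes: [
    { type: 'application/x-shockwave-flash', enabledPlugin: { name: 'Shockwave Flash' } },
    { type: 'application/x-java-applet', enabledPlugin: null }, // present but disabled
  ],
};
const NAV_NO_PLUGINS = { plugins: [], mimeTypes: [] };

if (typeof navigator !== 'undefined') {
  console.log('this browser:', findJavaPlugin(navigator));
} else {
  console.log('with Java:', findJavaPlugin(NAV_WITH_JAVA));
  console.log('Java disabled:', findJavaPlugin(NAV_JAVA_DISABLED));
  console.log('no plug-ins:', findJavaPlugin(NAV_NO_PLUGINS));
}
```

Paste the block into the developer console of the browser you want to verify and read the `this browser:` line: after disabling or uninstalling the plug-in it should report `exposed: false` with empty `mimeTypes` and `plugins` lists. Because exploit kits only served their Java payload to browsers that advertised the plug-in, making the plug-in invisible to page scripts removes that whole class of drive-by attack rather than racing Oracle's next patch.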
As for Oracle’s failure to maintain the security of the software, Kandek blames Oracle’s focus on its corporate customers. Java, after all, was a partly consumer-facing addition to Oracle’s product line, acquired along with Sun Microsystems in 2009. He expects that Oracle will eventually wake up to the need for more vigilance in quickly detecting and blocking attacks on its consumer software, just as Microsoft has done over the last decade.
If it wants to maintain Java’s hold in consumers’ browsers, it had better. “I don’t see these attacks against Java stopping,” says Kandek. “It would be great if we could all just turn it off.”
