Sunday, January 13, 2013
Latest Java vulnerability causes quite a stir in the IT community
A critically dangerous vulnerability in the Java environment became public knowledge less than a week ago, but it has already caused a lot of noise in the IT world: first, it allows an attacker to drop any file onto the victim's machine through the browser and execute it, and second, an exploit for it is actively circulating on the network.
Oracle itself, which is responsible for Java's development, acknowledges the vulnerability and says it is working on a fix. This coming Tuesday the company plans to release 86 patches for its products, but whether any of them will be a patch for Java is not known.
Independent experts say that, unlike many other Java vulnerabilities, this one is dangerous because Java has a huge user base, more than 1 billion devices, and because Java runs on most modern mobile, desktop and server platforms, so in most cases users of several systems at once are under attack.
The Polish IT company Security Explorations said on Friday that the latest Java vulnerability is already being used by hackers in Europe and North America, and that the company has recorded several active intrusions. Adam Gowdiak, an IT specialist at Security Explorations, says the vulnerability applies only to Java 7 and all of its updates, including the latest at the moment, Update 10. Other versions of Java are not affected by the problem.
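As an added, defender-side example (not part of the original article), here is a small Python script that parses the banner printed by `java -version` and flags installations in the range Gowdiak describes, Java 7 through Update 10. The sample banners are constructed, and the affected range is taken from the article rather than from any vendor advisory; the script also classifies the Java found on the local host, if any.

```python
import re
import subprocess

# Affected range as stated in the article: Java 7, every update up to and
# including Update 10. Assumption for this example: nothing outside that
# range is treated as affected.
AFFECTED_MAJOR = 7
LAST_AFFECTED_UPDATE = 10

# First line of `java -version` output, e.g.  java version "1.7.0_10"
# Older JDKs use the 1.<major> scheme; newer ones (9+) print <major>.<minor>.<patch>.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    first, second, _third, update = m.groups()
    # "1.7.0_10" -> major 7, update 10; "17.0.2" -> major 17, update 0
    major = int(second) if int(first) == 1 else int(first)
    return major, int(update) if update else 0


def is_affected(banner):
    """True when the banner describes a Java 7 build at or below Update 10."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    major, update = parsed
    return major == AFFECTED_MAJOR and update <= LAST_AFFECTED_UPDATE


def check_local_java():
    """Run `java -version` on this host and classify the result.

    Returns one of: "not-installed", "unknown", "affected", "not-affected".
    `java -version` writes its banner to stderr, so that stream is read first.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return "not-installed"
    output = proc.stderr or proc.stdout or ""
    banner = output.splitlines()[0] if output.strip() else ""
    if parse_java_version(banner) is None:
        return "unknown"
    return "affected" if is_affected(banner) else "not-affected"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        'java version "1.7.0_10"',
        'java version "1.7.0_04"',
        'java version "1.6.0_37"',
        'openjdk version "1.7.0_09"',
    ]
    for s in samples:
        print(f"{s:32} affected={is_affected(s)}")
    print("local java:", check_local_java())
```

The version check is deliberately narrow: it answers only "is this the build the article says is exposed", which is the question an administrator deciding whether to disable the browser plugin needs answered, and it treats anything it cannot parse as not affected so that a missing or exotic runtime does not produce a false alarm.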
He also noted that the vulnerability itself most likely originated from a bug that Oracle had been warned about in August. The company then closed the reported problem, but not completely. The bug is related to the way Java handles incoming header parameters. "Bugs lately resemble weeds: you pull out one, and two more grow in its place. It seems that Oracle finished dealing with the weeds too early," says Gowdiak.
Oracle's press service said that the bug works only in JDK 7 and that the attack vector arises only in the case of browser requests. The company also said the problem is related to the Class.forName() method, which allows loading other code, including restricted classes.
Security experts are taking the problem very seriously, because Java is also widely used in corporate programs as well as in business automation and management software. On Thursday and Friday, US and German data-protection regulators already released official statements saying they would recommend that other government users completely stop using Java until proper fixes are available.
On Saturday, the anti-virus company Sophos reported that it had recorded a new piece of malware, Mal/JavaJar-B, which exploits precisely the Java vulnerability under discussion. The code works on all versions of Java 7, including the latest Java 7 Update 10; Sophos further said the malware works not only under Windows but also on Unix and Linux. Sophos also said that the Java problem has already been added to the Blackhole and NuclearPack exploit kits.
Apple says that, while no malware for its OS has been recorded yet, it has temporarily added the Java plugin for the Safari browser to its application blacklist, and the OS and browser will not use the plugin until it is unblocked. Recall that this blacklist lives in the system file Xprotect.plist.
US-CERT also said it had already sent a warning to all its users about the critical risk in Java.