Saturday, January 12, 2013

Oracle promises patch for new Java vulnerability, but gives no timeframe

It is comforting to know that Oracle plans a release to fix the Java vulnerability that was uncovered on Thursday. It is not so comforting when the only timeline given is "shortly."

"A fix will be available shortly," the company said in a statement released late Friday.

The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) and computer security experts said on Thursday that the Java security bug has already been exploited in the wild. Most recommend that the safest -- and easiest -- precaution for end users to take is to uninstall Java, until a fix is issued.

Other companies have taken their own steps, with Apple blocking the use of the Java plug-in on its OS X platform, and Mozilla blocking Java use in its Firefox browser.

The exploit can allow hackers to execute arbitrary code on a PC and thereby take control of it. From there they have a number of options, including transmitting a user's sensitive financial information back to a server under their control, or enrolling the PC in a botnet.

It's just the latest security embarrassment for Java. Security firm Kaspersky said that Java was responsible for 50 percent of all cyber attacks in 2012 in which PCs were exploited via software security vulnerabilities. In second place was Adobe Reader, which was involved in 28 percent of such incidents, while general Microsoft Windows vulnerabilities and Internet Explorer were involved in about 3 percent of incidents.

When we spoke to security firm Webroot, we were told that while its software could not block the exploitation of Java itself, once the arbitrary code was downloaded and began executing, its SecureAnywhere software would detect the intrusion and halt the malware's execution.

That being said, it's probably still best for most end users to simply disable or uninstall Java. As US-CERT noted, a hacker could compromise a well-known website so that its visitors' Java installations are exploited simply by loading the page.
