[Vision2020] Oracle issues hot patch for zero day Java exploit

Kenneth Marcy kmmos1 at frontier.com
Mon Jan 14 08:46:58 PST 2013


Here is some technology news you can use if your computer system has a 
Java installation installed:

Oracle Corp. released an emergency update to its Java software for 
surfing the Web on Sunday, but security experts said the update fails to 
protect PCs from attack by hackers intent on committing cyber crimes.

http://tinyurl.com/ayw8wdj

ORACLE'S UPDATE

Oracle said on its security blog on Sunday that its update fixed two 
vulnerabilities in the version of Java 7 for Web browsers.

It said that it also switched Java's security settings to "high" by 
default, making it more difficult for suspicious programs to run on a 
personal computer without the knowledge of the user.

Java is a computer language that enables programmers to write software 
utilizing just one set of code that will run on virtually any type of 
computer, including ones that use Microsoft Corp's Windows, Apple Inc's 
OS X and Linux, an operating system widely employed by corporations.


London-based Incisive Media, online publishers of the Inquirer, had this 
to report on the subject:

http://www.theinquirer.net/inquirer/news/2236028/oracle-issues-hot-patch-for-zero-day-java-exploit 


*ENTERPRISE VENDOR* Oracle has released a patch for the zero day Java 
exploit that we reported on last week.

Then the insecurity firms were advising people to load their virtual 
shotguns and get in their security basements to avoid terrible assaults. 
Millions of computer users, regardless of what operating systems they 
use, would be affected and it would happen when they were using the 
internet.

Not disabling Java at that time 
<http://www.theinquirer.net/inquirer/news/2235878/security-vendors-warn-users-to-disable-java-after-zero-day-exploit-is-found>, 
we gather, was the equivalent of kissing a black rat, in London, during 
the plague. Fret no more though, as Oracle has issued the patch we have 
all been waiting for and has fixed Java.

Java 7 Update 11 
<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>, 
which is available now, is the sticking plaster that patches the 
vulnerability. In short, it means that the "user is always warned before 
any unsigned application is run to prevent silent exploitation". It is 
recommended that you apply it.

"It's nice that Oracle fixed this vulnerability so quickly," said 
security expert Brian Krebs 
<http://krebsonsecurity.com/2013/01/oracle-ships-critical-security-update-for-java/>, 
"but I'll continue to advise readers to junk this program altogether 
unless they have a specific need for it."

Krebs said that Oracle has already tried to fix the same flaw, but 
failed, adding that malware writers are "constantly finding new zero-day 
vulnerabilities in Java".

He added that it would not surprise him if the same zero day situation 
were to "repeat itself in a month or so". µ

The Inquirer <http://s.tt/1yp7x>


So, basically, the situation is as it was reported four months ago by 
Information Week:

Oracle needs to fix holes faster, say some security experts. Leave Java 
disabled for now, because Oracle's emergency patch is insufficient.

http://www.informationweek.com/security/attacks/java-still-not-safe-security-experts-say/240006876 



Ken