The hits just keep on coming for Java. As fast as Oracle/Sun plugs (or tries, but fails to plug) one hole, another is discovered by independent security researchers.
This time, it’s the security research team at FireEye that has found vulnerabilities in the latest Java, version 7u15, as well as in the most recent 6-series version (6u41).
Making matters worse, the new vulnerability is being actively exploited in the wild: a remote access trojan is being installed on affected computers.
In other words, even if you have the latest version of Java, you can be hit by this exploit. As always, if you don’t actually need Java enabled in your browser, disable it. If that’s not an option, be extremely wary of browsing web sites that you don’t know for sure are safe.
Ars Technica has additional details.
On February 26, Adobe announced version 11.6.602.171 of the Flash player. As usual, Adobe says: “These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.” The technical details are available in Adobe Security Bulletin APSB13-08.
Microsoft simultaneously announced a Flash update for Internet Explorer 10 on Windows 8, which will be delivered via Windows Update.
Google will no doubt release a new version of Chrome that includes the Flash updates in the next day or so.
Anyone who uses Flash in their web browser should install the appropriate update as soon as possible. That includes anyone who uses YouTube. So basically just about everyone.
Oh no, not again! Adam Gowdiak of the Security Explorations research team has been hard at work, looking for holes in the latest Java (7u15). Here’s a quote from Mr. Gowdiak’s alert email:
We had yet another look into Oracle’s Java SE 7 software that was released by the company on Feb 19, 2013. As a result, we have discovered two new security issues (numbered 54 and 55), which when combined together can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03).
Gowdiak has submitted his findings to Java’s developers, but there has been no official confirmation from Oracle/Sun as yet. Still, I’m cautioning Java users – especially those of us who have Java enabled in our web browsers – to exercise extreme caution, and flagging Java 7u15 as possibly vulnerable.
Ars Technica has more details.
Version 25.0.1364.97 of Google’s Chrome web browser was announced yesterday.
The new version includes several security and other bug fixes, as well as some new features for web developers and voice recognition.
No mention of Java is made in the announcement linked above, but presumably the most recent Java security fixes found their way into this Chrome release.
Starting with this version, Chrome extension updates are no longer installed ‘silently’. This is a welcome improvement in security.
As expected, Adobe has announced updates for its Reader and Acrobat software to address recently-revealed security vulnerabilities. The full technical details are available in the related security bulletin.
Oracle/Sun has released Java version 7, update 15. What happened to update 14? Anyway, the new version includes a batch of security and other bug fixes that they wanted to release with the last batch, and which were originally scheduled for release today. Confused yet?
Since the new version is all about fixing the rather horrible Java security vulnerabilities that have been revealed in recent weeks, you should go ahead and install the update, if you use Java. If you don’t use it, pat yourself on the back and count yourself lucky.
If you read the announcement linked above, you’ll notice that once again, determining the version being discussed is left as an exercise for the reader, since the version (7u15) is not mentioned anywhere on the page. There are plenty of references to the versions being replaced, which only adds to the confusion. Annoying.
If you’re running Windows 7, and you haven’t already installed Service Pack 1, you should do so before April 9, 2013. After that date, Microsoft will no longer provide patches for Windows 7 without SP1. That includes security patches.
Microsoft will continue to supply patches for Windows 7 with SP1 until January 14, 2020.
The details are laid out in a related post on Microsoft’s Springboard blog.
Oracle/Sun has announced that additional security-related updates for Java will be made available on February 19. The emergency updates released on February 1 were originally scheduled to be released with the upcoming updates on February 19. Stay tuned.
There’s a brief announcement on the Adobe Product Security Incident Response Team (PSIRT) Blog stating that Adobe is looking into reports of a new exploit for their Reader software. No further details are provided. Since this exploit is apparently being seen in the wild, we recommend extreme caution when opening PDF documents from unknown or untrusted sources. Better yet, switch to a different PDF reader like Foxit, thereby avoiding the dangers inherent in using Adobe Reader.
Update: Ars Technica has the details. Apparently the vulnerability was reported by the security company FireEye, and attacks based on the vulnerability have been seen in the wild. Further, the vulnerability is important because the security in version 11 of the Reader software was supposed to be much more difficult to circumvent.
Update 2: There’s a new post on the Security Advisory blog for Adobe Reader and Acrobat that covers this issue.
Update 3: Ars Technica points out that Adobe Reader 11 would protect users from this vulnerability, if its security settings were actually enabled by default (which they aren’t). On learning this, I immediately made the required changes to my installation of Reader, enabling Protected View. Check the bottom of this post for the procedure.
Update 4: Adobe announced that updates for the vulnerabilities in Reader will be made available some time during the coming week.
Enabling Protected View in Adobe Reader 11
- Start Adobe Reader.
- From the menu, select Edit > Preferences.
- Select Security (Enhanced) from the list on the left.
- In the Sandbox Protections section at the top, make sure that the setting for Protected View is All files.
- Click OK.
And here’s a screenshot:
Version 24.0.1312.70 of Google’s web browser contains the latest version of Adobe Flash.
Update: Something funny is going on here. The announcement linked above states that version 24.0.1312.70 is actually for the Linux platform. It goes on to say: “This release contains an update to Flash (11.6.602.167). This Flash update has been pushed to Windows, Mac, and Chrome Frame platforms through component updater.” But what is the ‘component updater’, and how will it affect the version number of Chrome in Windows? There’s nothing on the Chrome support site about it.

My own Chrome installation reports itself as being up to date at version 24.0.1312.57. Has Flash been updated in my installation or not? How can I determine what version of Flash is running in Chrome? Comments below the announcement linked above show other users similarly confused.

Meanwhile, another new version was announced on Feb 14: “The Stable channel has been updated to 24.0.1312.71 for Windows Standalone Enterprise. This build contains an updated Flash (11.6.602.167).” That version at least seems to be targeted at Windows, but what is “Windows Standalone Enterprise”? It contains the same version of Flash as 24.0.1312.70, but again my version of Chrome reports that it is up to date at 24.0.1312.57. Not much we can do at this point except wait for Google to sort out this mess.