aka infosec
Growth of the ZeroAccess botnet is unfortunately showing no signs of slowing down. darkReading reports “2.2 million infected with fraudulent ad-click botnet’s malware“. The perpetrators make money by using infected computers to fraudulently ‘click’ on web-based ads.
Most current anti-malware software can detect and disable ZeroAccess-related malware. Make sure your anti-malware software is up to date, and run regular scans.
Version 16.0.2 of Firefox fixes three critical security flaws in the previous version. Users are encouraged to upgrade as soon as possible.
Those of you running Windows 8 already should head over to Microsoft Update and install a new out-of-cycle patch for Adobe Flash in Internet Explorer 10.
We were wondering whether the recent Java updates addressed the security holes reported by Adam Gowdiak of Security Explorations. Well, Mr. Gowdiak tested the most recent Java in various browsers, and the answer is no, they do not.
Gowdiak went even further, developing a simple fix for the vulnerability. Oracle is unimpressed, saying that a proper fix will involve a lot more testing than the 30 minutes Gowdiak spent on it. They are sticking to their original estimate, that an official fix will not be available until the February 2013 Critical Patch Update.
So Java, despite the recent patches, is still vulnerable to exploits using the hole reported by Gowdiak. We continue to recommend disabling Java in web browsers.
Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.
ARS Technica recently asked their readers to talk about Java and how they use it. The resulting article outlines the results of this informal survey and makes some recommendations to users.
On typical Windows computers, Java is installed as a browser plugin, allowing Java code on web sites to be run seamlessly within the browser. This should not be confused with Javascript, which is also used within web browsers, but despite its name, is a totally separate thing.
Many Windows computers also contain the Java Runtime Environment (JRE), which allows standalone Java applications to run without a web browser. Many system administration tools are developed in Java, since this allows the same code to run on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs in the JRE.
Java vulnerabilities exist both in Java browser plugins and in the JRE. However, Java code that runs in the JRE must be explicitly downloaded and installed by the user. For example, to play the full version of Minecraft, the user must go to the Minecraft web site, buy the game, download the installer, install the game on their computer, then run the game. On the other hand, Java code on a malicious or hacked web site can run automatically and invisibly the moment a user visits that web site – if their browser has a functioning Java plugin.
Clearly, Java web browser plugins present a much greater security risk than standalone Java. Our recommendations – echoed by the ARS Technica article – remain the same: you should seriously consider disabling Java plugins in your web browser, but it’s okay to leave the JRE installed on your computer.
Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.
You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.
Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).
It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.
Update 2012Oct12: Version 16.0.1 of Firefox has just been released. The new version fixes the vulnerability that caused version 16.0 to be pulled from the Firefox download site yesterday. All users are encouraged to upgrade to 16.0.1 as soon as possible.
Firefox 16.0 has been removed from the Mozilla web site due to a new vulnerability. Users who have already upgraded to the new version should either downgrade to version 15.0.1 or exercise extreme caution before visiting any unfamiliar or suspicious web site. The new vulnerability makes it possible for web sites to access information that is normally protected by the browser.
Update 2012Oct12: No exploits using this vulnerability have yet been seen in the wild, but a proof of concept has been published. The POC demonstrates the vulnerability with a few lines of Javascript code that could be embedded on a web site. Now that this POC has been made public, it’s reasonable to assume that similar code will start appearing on hacked and malicious web sites in the very near future.
Google encourages security researchers to discover security vulnerabilities in its web browser, Chrome. The recently-concluded Pwnium 2 contest revealed one new vulnerability. A $60,000 prize was awarded to its discoverer, and within hours, a new version of Chrome (22.0.1229.94) that addresses the vulnerability was released.
Another new version of the Firefox web browser was released today.
The release notes for version 16.0 describe all the most notable changes, while the bug fixes page for version 16.0 lists every change.
It’s Patch Tuesday and Microsoft has released seven security bulletins, affecting Windows, Word, Internet Explorer and other Microsoft software. A total of 20 vulnerabilities are addressed by the updates. We covered the details in a previous post. As always, we encourage everyone running affected software to apply the updates as soon as possible.
boot13