Thursday, December 1, 2011

Patch Java NOW if you haven't already

Folks, this looks like a bad one to have out in the wild. If you don't run Firefox with NoScript, you have Java enabled in your browser, and have not patched, you are at risk regardless of whether you run Windows or OS X.

Public Java Exploit Amps Up Threat Level — Krebs on Security

An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.

...

Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X and even Linux systems.

...

The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. Apple issued its own update to fix this flaw and other Java bugs earlier this month.

... At the risk of sounding like a broken record, I’ll repeat my advice from earlier this week: If you don’t need Java, get rid of it. Most people who have it won’t miss it. For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative.
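The version thresholds quoted above (6 Update 29 and 7 Update 1 patched; 7 GA and 6 Update 27 and earlier vulnerable) can be checked on a machine without clicking through the Java website. The script below is an added example, not part of the original post or of the Krebs article; it parses the banner that `java -version` prints and classifies it. The sample banners are constructed for illustration, and the `java -version` banner format assumed is the `java version "1.x.0_NN"` form that the 2011-era JRE printed.

```python
import re
import subprocess

# Thresholds as stated in the post: 6u29 and 7u1 are patched;
# JDK/JRE 7 (GA, no update) and 6 Update 27 and earlier are vulnerable.
PATCHED_UPDATE = {6: 29, 7: 1}
LAST_VULNERABLE_UPDATE = {6: 27, 7: 0}

# Matches e.g. java version "1.6.0_27" or java version "1.7.0" (GA, no update).
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')

def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    update = int(m.group(2)) if m.group(2) else 0  # GA release carries no "_NN"
    return int(m.group(1)), update

def assess(banner):
    """Classify a banner as 'patched', 'vulnerable' or 'unknown' against the post's thresholds."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major not in PATCHED_UPDATE:
        return "unknown"  # Java 5 and earlier, or releases the post does not cover
    if update >= PATCHED_UPDATE[major]:
        return "patched"
    if update <= LAST_VULNERABLE_UPDATE[major]:
        return "vulnerable"
    return "unknown"  # e.g. an update number between the two stated thresholds

def check_installed_java():
    """Run the local `java -version` (it prints to stderr) and assess it; None if no java is found."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return assess(out.stderr + out.stdout)

# Constructed sample banners, modelled on the format the JRE printed at the time.
SAMPLE_BANNERS = ['java version "1.6.0_27"', 'java version "1.7.0"',
                  'java version "1.6.0_29"', 'java version "1.7.0_01"',
                  'java version "1.5.0_22"']

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", assess(banner))
    print("this machine:", check_installed_java())
```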
