Paul B. Gallagher wrote:
From CNet:
New malware exploiting Java 7 in Windows and Unix systems
=========================================================
Mal/JavaJar-B is a cross-platform exploit of a new zero-day
vulnerability in the latest Java runtimes.
by Topher Kessler
January 11, 2013 1:32 PM PST
A new Trojan horse called Mal/JavaJar-B has been found that exploits a
vulnerability in Oracle's Java 7 and affects even the latest version of
the runtime (7u10).
The exploit has been described by Sophos as a zero-day attack since it
has been found being actively used in malware before developers have had
a chance to investigate and patch it. The exploit is currently under
review at the National Vulnerability Database and has been given an ID
number CVE-2013-0422, where it is still described as relatively unknown:
"Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows
remote attackers to execute arbitrary code via unknown vectors, possibly
related to "permissions of certain Java classes," as exploited in the
wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack."
...
Full story:
<http://reviews.cnet.com/8301-13727_7-57563567-263/new-malware-exploiting-java-7-in-windows-and-unix-systems/>
U.S. tells computer users to disable Java software
Updated 9:00 p.m. ET
WASHINGTON - The U.S. Department of Homeland Security is advising people
to temporarily disable the Java software on their computers to avoid
potential hacking attacks.
The recommendation came in an advisory issued late Thursday, following
up on concerns raised by computer security experts.
Read the US-CERT release concerning Java
Experts believe hackers have found a flaw in Java's coding that creates
an opening for criminal activity and other high-tech mischief.
CNET's Topher Kessler writes:
"The malware has currently been seen attacking Windows, Linux and
Unix systems, and while so far has not focused on OS X, may be able to
do so given OS X is largely similar to Unix and Java is cross-platform.
Even though the exploit has not been seen in OS X, Apple has taken
steps to block it by issuing an update to its built-in XProtect system
to block the current version of the Java 7 runtime and require users
install an as of yet unreleased version of the Java runtime.
Luckily with the latest versions of Java, users who need to keep it
active can change a couple of settings to help secure their systems. Go
to the Java Control Panel that is installed along with the runtime, and
in the Security section uncheck the option to "Enable Java content in
the browser," which will disable the browser plug-in. This will prevent
the inadvertent execution of exploits that may be stumbled upon when
browsing the Web, and is a recommended setting for most people to do. If
you need to see a Java applet on the Web, then you can always
temporarily re-enable the plug-in.
The second setting is to increase the security level of the Java
runtime, which can also be done in the same Security section of the Java
Control Panel. The default security level is Medium, but you can
increase this to High or Very High. At the High level, Java will prompt
you for approval before running any unsigned Java code, and at the Very
High level all Java code will require such approval, regardless of
whether or not it is signed."
Java is a widely used technical language that allows computer
programmers to write a wide variety of Internet applications and other
software programs that can run on just about any computer's operating
system.
Oracle Corp. bought Java as part of a $7.3 billion acquisition of the
software's creator, Sun Microsystems, in 2010.
Oracle, which is based in Redwood Shores, Calif., had no immediate
comment late Friday.
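The two Java Control Panel settings described in the quoted CNET text can also be checked from the deployment.properties file the Control Panel writes. The script below is an added example, not part of the original post or the articles it quotes. It assumes the property names deployment.webjava.enabled and deployment.security.level and the level names LOW/MEDIUM/HIGH/VERY_HIGH from Oracle's deployment configuration documentation, takes the default level (Medium) from the article, and uses constructed sample files.

```python
import re
import sys

# Level names as stored in deployment.security.level (assumption: Oracle docs).
LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}
# Values used when a key is absent: plug-in on, level Medium (per the article).
DEFAULTS = {"deployment.webjava.enabled": "true",
            "deployment.security.level": "MEDIUM"}

# Constructed samples, not taken from a real machine.
WEAK = """#deployment.properties (constructed sample)
deployment.version=7.0
deployment.security.level=MEDIUM
"""
HARDENED = """# constructed sample
deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH
"""

def parse_properties(text):
    """Parse simple key=value / key:value lines; continuations are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":   # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return a list of findings; an empty list means both settings are hardened."""
    props = {**DEFAULTS, **parse_properties(text)}
    findings = []
    if props["deployment.webjava.enabled"].lower() != "false":
        findings.append("browser plug-in enabled")
    level = props["deployment.security.level"].upper()
    if LEVELS.get(level, -1) < LEVELS["HIGH"]:   # unknown values are flagged too
        findings.append(f"security level {level} is below HIGH")
    return findings

if __name__ == "__main__":
    # Audit the file named on the command line, or the weak sample if none given.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run it with the path to a user's deployment.properties as the only argument; a file that sets neither key is reported with both findings because the defaults apply.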