Very good article. Note that only browsers are involved and only if they
use Java 7. Other programs, especially those using Java 6, are not
affected. That is the case with BrailleBlaster
http://www.brailleblaster.org .
John
On Mon, Jan 14, 2013 at 08:48:30AM -0500, Bob, K8LR wrote:
> Hi,
>
> Here is more info on the Java security problems. This just appeared on the
> Chicago Tribune web site. I don't think that the government is trying to
> scare us on this one. I've known two people whose identity was stolen and
> it's not fun at all!
>
> Bob, K8LR
> Reuters
> 6:48 a.m. CST, January 14, 2013
>
> Oracle Corp. released an emergency update to its Java software for surfing the Web on Sunday, but security experts said the update fails to protect PCs from attack by hackers intent on committing cyber crimes.
>
> The software maker released the update just days after the U.S. Department of Homeland Security urged PC users to disable the program because of bugs in the software that were being exploited to commit identity theft and other crimes.
>
> Oracle's failure to quickly secure the software means that PCs running Java in their browsers remain vulnerable to attack by criminals seeking to steal credit-card numbers, banking credentials, passwords and commit other types of computer crimes.
>
> Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.
>
> "We don't dare to tell users that it's safe to enable Java again," said Gowdiak.
>
> Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes.
>
> HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.
>
> "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," Moore said.
>
> An Oracle spokeswoman declined to comment.
>
> ORACLE'S UPDATE
>
> Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in the version of Java 7 for Web browsers.
>
> It said that it also switched Java's security settings to "high" by default, making it more difficult for suspicious programs to run on a personal computer without the knowledge of the user.
>
> Java is a computer language that enables programmers to write software utilizing just one set of code that will run on virtually any type of computer, including ones that use Microsoft Corp's Windows, Apple Inc's OS X and Linux, an operating system widely employed by corporations.
>
> One version is installed in Internet browsers to access web content. Separate versions are installed directly on PCs, server computers and other devices including phones, webcams, and Blu-ray players.
>
> The Department of Homeland Security and computer security experts said on Thursday that hackers figured out how to exploit the bug in a version of Java used with Internet browsers to install malicious software on PCs. That has enabled them to commit crimes from identity theft to making infected computers part of ad-hoc networks that are used to attack websites.
>
> Oracle said that the flaws only affect Java 7, the program's most-recent version, and versions of Java software designed to run on browsers.
>
> Java is so widely used that the software has become a prime target for hackers. Last year, Java surpassed Adobe Systems Inc's Reader software as the most frequently attacked piece of software, according to security software maker Kaspersky Lab.
>
> Java was responsible for 50 percent of all cyberattacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.
>
> The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.
>
> It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.
>
> Security experts have been scrutinizing the safety of Java since a similar security scare in August, which prompted some of them to advise using the software only on an as-needed basis.
>
> Meanwhile, Microsoft said on Sunday that it would release an update on Monday to fix a previously disclosed flaw in Internet Explorer versions 6, 7 and 8 that made PCs vulnerable to attacks in which hackers can gain remote control of the machines.
>
> Microsoft previously released a temporary fix to prevent such attacks.
>
> Copyright © 2013, Reuters
>
> Bob, K8LR
--
John J. Boyer; President, Chief Software Developer
Abilitiessoft, Inc.
http://www.abilitiessoft.com
Madison, Wisconsin USA
Developing software for people with disabilities