You may have heard the dire warnings about Java recently from US agencies and other FUD mongers. Nick Peers says that Oracle’s Java 7 update 11 security patch fixes nothing. That may be true because there is nothing you can do to software to fix user stupidity.
Note that most of the brouhaha involves using Java as a web browser plug-in.
“Update 11 specifically acts on a Java exploit in web browsers that the US Department of Homeland Security warned is being “actively exploited” by malware. This allows code to be executed outside of Java’s sandbox, allowing keyloggers and botnet code to be distributed through the Java exploit.”
…
“Researchers warn that despite this new setting, the security can be bypassed by hackers able to mask their code through “social engineering”, which allows them to mask its true origins and claim to be from a trusted source, encouraging users to accept the code even though it’s been flagged.”
Oracle’s page on Critical Patch Updates, Security Alerts and Third Party Bulletins might be a resource for the gory detail.
The security alerts often call the threat a zero-day attack. All this means is that it is a newly discovered tactic for those trying to worm their way into your computers.
The US Department of Homeland Security Office of Cybersecurity and Communications Vulnerability Note VU#625617, Java 7 fails to restrict access to privileged code, describes where the ‘stupidity’ idea comes in.
“By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.”
The essence is that you shouldn’t visit bad neighbourhoods if you don’t want to get mugged.
When it comes to computers, this is like the scams that plague old folks who are just a bit too trusting. Don’t download software unless you know, outside of the computer sources, that the software is suitable for your needs.
Of course, you can do as suggested and just remove the capability to run an entire class of software. You could also just disconnect the computer from the network, not turn it on, or even wipe the storage media and not run any software. That would, of course, make the computer a rather useless decoration but at least it’d be safe and secure from malicious software attacks.
I see Symantec is up on this with additional protection for recent Java zero-day. Security fears are always an opportunity for the entrepreneur!