Author Topic: Homeland security warns to disable Java amid zero day flaw  (Read 2021 times)

Offline an4rch1

Homeland security warns to disable Java amid zero day flaw
« on: January 13, 2013, 09:15:36 pm »
This is a quoted article from zdnet.com

"The U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw.



Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Java users should disable or uninstall Java immediately to mitigate any damage.

The latest flaw, as earlier reported by ZDNet, is currently being exploited in the wild, security experts have warned. Alienvault Labs have reproduced and verified claims that the new zero-day exploits a vulnerability in Java 7, according to security expert Brian Krebs.

As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab.



[Image caption: Verifying the flaw, security researchers were able to trick the malicious Java applet to execute the Windows calculator. Credit: Alienvault Labs]

Java is used by hundreds of millions of Windows, Mac and Linux machines -- along with mobile devices and embedded systems -- around the world to access interactive content or Web applications and services.

It's not uncommon for the U.S. government -- or any other government agency -- to advise against security threats, but rarely does an agency actively warn to disable software; rather they offer advice to mitigate such threats or potential attacks, such as updating software on their systems."

So what do you think?
Skids should check this site out!

http://www.catb.org/jargon/html/index.html


Offline geXXos

Re: Homeland security warns to disable Java amid zero day flaw
« Reply #1 on: January 13, 2013, 10:22:01 pm »
According to Oracle, they haven't updated Java for 32bit Windows to v7 yet. It is not due for release until February.

If you're using a 32bit version of Windows you're safe because only v7 of Java is vulnerable according to DHS. I do happen to use Windows 7 32bit. I checked the version of Java installed. Yep, version 6 update 37 which is current for 32bit Windows.


Ahh, long live X32..
« Last Edit: January 13, 2013, 10:22:38 pm by geXXos »

Offline techb

Re: Homeland security warns to disable Java amid zero day flaw
« Reply #2 on: January 14, 2013, 02:20:05 am »
Honestly, I'm glad the media stepped in on this one. But who are we kidding? There are more zero-days than I have hair on my ass. Why is this one so fucking popular?

Don't get me wrong, it helps me out a bit; I can scare the shit out of my customers at work and make fuck loads of money off the brainless sheep with commission from our shitty AV we sell.

Now if the media would step in and at least mention a few zero-days a week, we all might have work as pen-testers by now....

Oh, and with the x32 thing, agreed. But I'ma take it a step further and say long live x8. teeee fuckin heeee  ;D
>>>import this
-----------------------------

Offline an4rch1

Re: Homeland security warns to disable Java amid zero day flaw
« Reply #3 on: January 23, 2013, 02:43:04 am »
Quote
Don't get me wrong, it helps me out a bit; I can scare the shit out of my customers at work and make fuck loads of money off the brainless sheep with commission from our shitty AV we sell.

Making money off of the brainless sheep? You work for Microsoft?

Lol jk but I think that for some reason, this exploit made the national alert because Java is popular and everyone uses it ... I could be totally wrong of course and naive about how the CERT team operates :/
Skids should check this site out!

http://www.catb.org/jargon/html/index.html


Offline techb

Re: Homeland security warns to disable Java amid zero day flaw
« Reply #4 on: January 23, 2013, 02:48:56 am »
Quote
Making money off of the brainless sheep? You work for Microsoft?

Lol jk but I think that for some reason, this exploit made the national alert because Java is popular and everyone uses it ... I could be totally wrong of course and naive about how the CERT team operates :/

No, a national/global ISP is what I work for. I wish I could make half a paycheck from one of the Microsoft zombies.... As for the exploit, it made headlines because it hit Facebook and Twitter so hard; them `popular` words and shit make it hard for the rest of us.
>>>import this
-----------------------------