Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Java security threats: What you need to know

Rich Mogull | Aug. 31, 2012
First, the bad news. Once again, Mac users are at risk due to a flaw in Java, similar to the one that enabled the Flashback Trojan. Even worse, there isn't (yet) a patch to fix that vulnerability. But don't worry: This time around, there's good news for Mac users: Thanks to changes Apple has made, most of us are likely to be safe from this threat.

First, the bad news. Once again, Mac users are at risk due to a flaw in Java, similar to the one that enabled the Flashback Trojan. Even worse, there isn't (yet) a patch to fix that vulnerability. But don't worry: This time around, there's good news for Mac users: Thanks to changes Apple has made, most of us are likely to be safe from this threat.

That said, although you likely aren't at risk today, it is clear that Java still represents one of the biggest, most persistent security problems face users of all operating systems. So I recommend you consider implementing the precautions suggested below.

What happened

On Sunday, August 26, security vendor FireEye published information about a new Java attack that used a previously unknown Java vulnerability. The attack, which originated from China, affected the latest version of the Java Runtime Environment (Java 7, version 1.7). The attack comes through your Web browser when you browse to a malicious site and allows an attacker to silently take complete control over your computer.

After FireEye's initial post, details about the vulnerability quickly became public and exploits taking advantage of it appeared in multiple attack tools. Further research by security vendor Immunity Inc. indicated that the active exploit actually took advantage of two separate unpatched Java vulnerabilities (what we, in the industry, call zero-days).

The exploit for the first vulnerability was quickly added to the BlackHole exploitation kit--one of the most widely used malicious hacking tools. The exploit is also now available as an attack in the Metasploit penetration-testing framework, which is freely available and favored by script kiddies and security professionals (myself included) throughout the world.

At this time, Oracle--which inherited Java when it acquired Sun Microsystems--has not commented on the exploits, although we now know that the company knew about the vulnerabilities since April and was planning to release a patch in its October update. Only time will tell if the company will break its quarterly patch cycle and release an emergency update sooner. (My money is on early release.)

In summary, we have at least two exploitable vulnerabilities affecting anything running the latest version of Java, both are being used in active attacks, and one is bundled with one of the most popular bad-guy toolkits on the market (BlackHole) and a very popular (and free) security testing tool. You can't patch either one.

It's the very definition of "bad".

Why most Mac users aren't at risk

All that said, there are two reasons why Macs are less at-risk than people on other platforms, despite being easy to exploit if the right conditions are in place.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.