Java Virtual Machine patch issued on June 7, 2011
Oracle, the new owners and maintainers of the Java Virtual Machine technology, will be releasing a new, patched version of Java on June 7, 2011. This "Critical" update is a collection of patches for multiple security vulnerabilities in Oracle Java SE. This patch contains 17 new security vulnerability fixes. All of these vulnerabilities may be remotely exploitable without authentication (that is, they may be exploited over a network without the need for a username and password). Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply this Critical Patch as soon as possible (June 7 will do!).
A rating of "Critical," in new-speak, indicates that no direct user interaction is required for an exploit to take ownership of an attacked PC, if that PC is running unpatched versions of exploitable software. All that must occur is that the operator of the PC either clicks on a hostile link, views a web page that has hidden malicious redirection links embedded within hidden iframes or contains injected JavaScript redirection code, or navigates to an infected network share (using an unpatched machine).
Once an innocent Netizen has been redirected to an attack site, numerous attack vectors will be tried until one succeeds in downloading malware to that PC. To date, the most frequently exploited software that plugs into web browsers is the Java Virtual Machine.
You may or may not be aware that you have Java installed on your PC. If you do know, update it on June 7, 2011 and set the automatic check for updates to every day. You never know on what day Java updates will be issued. If you don't know if Java is installed, and it is, you are probably in greater danger than you can imagine. Read on...
According to the Oracle pre-release bulletin, all versions of Java for Windows, Solaris, and Linux prior to "JDK" (the developer's version) and "JRE" (the user's version) 6 Update 25 are vulnerable. The new patched version to be released on June 7 will be Java 6 build 26.
You can find out if you have any version of Java installed on your PC by visiting the "Do I Have Java" web page. When you click on the big button labeled "Verify Java Version," a script will poll your computer for evidence of an installed Java Virtual Machine, known as the "Java Runtime Environment."
If you are using Firefox 4 or newer, and you see a yellow bar appear over that page, proclaiming that you need to install a missing plug-in, click on it and see if it tells you that you must install the Java Runtime Environment. If so, you do not have Java installed. Go on with your life in relative peace. Or, install the newest version, if you must.
If you do install, or upgrade your current installation (Java download page), to the latest version of Java (at that moment), go to Control Panel (Start > Control Panel), change the view to Classic or Large Icons rather than Category, then find the Java icon and open it. Find the Update tab and click on it. There, you can check for updates on the spot and also schedule future updates on your own schedule. Since you never really know when these updates may be pushed out (unless you are on a security list), it's best to simply set the updater to check every day, at some time when the PC is usually on and not in sleep mode. If it misses a scheduled look-up, it will do one the next day.
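For administrators who would rather check a machine from the command line than through the "Do I Have Java" page, here is an added example (not from the original post or from Oracle) that parses the `java -version` string and reports whether the installed runtime is older than the Java 6 Update 26 release named above. The sample output string embedded below is constructed for illustration; the version-comparison rule assumes Java's "1.6.0_NN" format, where NN is the update number.

```python
import re
import subprocess

# Patched release named in the article: Java 6 Update 26, which java -version
# reports as "1.6.0_26". Tuple order: (major, minor, micro, update).
PATCHED = (1, 6, 0, 26)

# Constructed sample of what an unpatched machine would print (first line of
# "java -version", which Java writes to stderr).
SAMPLE_OUTPUT = 'java version "1.6.0_25"\nJava(TM) SE Runtime Environment (build 1.6.0_25-b06)\n'

_VERSION_RE = re.compile(r'version\s+"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, micro, update) from 'java -version' output, or None.

    Handles both the legacy "1.6.0_25" form (update after the underscore) and
    newer "11.0.2" style strings, where the update component defaults to 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def needs_patch(version, patched=PATCHED):
    """True when the installed release sorts before the patched release."""
    return version < patched


def installed_java_version():
    """Run 'java -version' on this machine and parse it.

    Returns None when no java binary is on PATH, which in the article's terms
    means there is nothing to patch.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the real machine (if any).
    sample = parse_java_version(SAMPLE_OUTPUT)
    print("sample:", sample, "needs patch" if needs_patch(sample) else "up to date")
    live = installed_java_version()
    print("this machine:", "no Java on PATH" if live is None else live)
```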
In a study released on May 25, 2011, Microsoft revealed that after scanning over 420,000 PCs with Microsoft's free Safety Scanner, released on May 12, 20,097 infected machines were cleaned of malware, averaging 3.5 types per machine. Of those, 70% were infected by means of Java exploits.
Microsoft said that just two (already patched) holes in Java account for 85 percent of all Java attacks in the second half of 2010, when Java exploits exploded from 1 million in the first six months to 13 million in the second half of the year. This indicates that 5 percent of typical Windows users had infected machines and 70% of them had failed to keep up with already released Java updates.
So, be sure to check for the latest Java Runtime Environment or JDK update, to be released sometime on June 7, 2011. Then, set the updater to check automatically every day, just to be safe. Criminals only need to get it right once. You need to get it right all the time.
Keep a valid and up-to-date anti-malware program, from a major manufacturer, operating on all of your computers and make sure it is set to automatically check for updates as often as possible. I personally use and recommend Trend Micro Internet Security or Trend Micro Anti-Virus. Both have real time protection, frequent updates and definitions for brand new malware fingerprints in the cloud. Also, the Trend Micro Smart Protection Network blocks access to known infected web pages, many of which contain Java exploit attacks.
Stay safe and practice Safe Hex!
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.