Java vulnerability patch of August 30 is incomplete
September 3, 2012
On August 29, 2012, I wrote an article about a new zero day exploit of the then latest versions of Java: version 7, updates 1 through 6. One day later, Oracle, the keepers of the mysteries of Java, released a patched version, Java SE 7u7 (update 7). It seems that their patch has still not closed the vulnerabilities exploited in the BlackHole Exploit Kit.
The security firm that first discovered the vulnerability used in the "zero day" attacks disclosed it to Oracle on April 2, 2012, 5 months ago. During those five months, Oracle delivered no patch for it. Only at the very end of August 2012, when the technical details of the vulnerability were made public and added to the BlackHole Exploit Kit, did Oracle rush out a sudden patch, on August 30.
The firm that first reported the vulnerability tested the patched version and announced that it fails to block all of the exploit methods they had already disclosed to Oracle in April. If this is true, your devices may be exploitable even after you apply the patched version, Java 7 update 7. So, I repeat my advice, which has been echoed by many others in the computer security field: if you don't really need Java, and most Internet users don't, uninstall it! Very few websites use Java Applets anymore. Most switched to Flash when it was in its heyday. Now, with Flash support dwindling in new devices and virtually all Mac and "i" products, many sites are switching to other emerging technologies, including HTML 5, to render active content.
On the other hand, if you do require Java to run office, intranet, or desktop applications that don't run inside a web browser, upgrade to the latest version, set it to automatically check for updates every day, then disable the automatically installed Java plug-ins in every web browser on your computer. This protects the web browsers from being exploited by a drive-by attack, or from somebody being fooled into clicking a poisoned link in an email, instant message, or Facebook posting.
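As an added illustration (not from the original post), here is a small Python check that parses the Java 7-era `java -version` string and classifies an install against the version ranges named in this post. The category names are my own, and treating an unpatched 7.0 GA build (no update number) the same as 7u1 through 7u6 is an assumption, since it is older than any of them.

```python
import re
import subprocess

# Pattern for the Java 7-era version string, e.g. 'java version "1.7.0_06"'.
# The update number after '_' is optional: a GA release prints just "1.7.0".
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(version_output):
    """Return (major, update) from `java -version` text, or None if absent.

    Java 7 update 6 prints '1.7.0_06', which parses to (7, 6).
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def assess(version_output):
    """Classify an install against the advice in the post above."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return "no-java"             # nothing installed: nothing to patch or disable
    major, update = parsed
    if major == 7 and update <= 6:
        return "vulnerable"          # 7u1-7u6 (and, by assumption, unpatched 7.0 GA)
    if major == 7 and update == 7:
        return "patched-incomplete"  # 7u7: reported not to block every exploit method
    return "not-covered"             # other releases: outside this post's scope


def assess_local_java():
    """Run `java -version` (it prints to stderr) and assess the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no-java"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(assess_local_java())
```

Run it on each machine in an inventory; anything reported as "vulnerable" or "patched-incomplete" still needs the browser plug-ins disabled as described above.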
See this US-CERT post for the simple details about these Java exploits.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.