Friday, January 11, 2013

Severe hacking threat posed by Java

Millions of computer users around the world are vulnerable to a hacking threat due to a security flaw in the Java plugin. The so-called zero-day exploit leaves users of both PCs and Macs at risk and security experts are advising them to disable the software in their browser [FT].

Insecure mess

"Java is a mess. It's not secure," Jaime Blasco, Labs Manager with AlienVault Labs, told Reuters. "You have to disable it."

Java, which is installed on hundreds of millions of computers around the globe, is a computer language that enables programmers to write software using just one set of code that will run on virtually any type of computer.

It is used so that Web developers can make sites accessible from browsers running on Microsoft Corp Windows PCs or Macs from Apple Inc. Computer users access those programs through modules, or plugins, that run Java software on top of browsers such as Internet Explorer and Firefox.

However, at least three computer security experts told Reuters on Thursday that computer users should disable those Java modules to protect themselves from attack.

Hackers' open season

"This is like open hunting season on consumers," said HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks. Moore said machines running on Mac OS X, Linux or Windows all appear to be vulnerable to attack.

"The exploit is the same as the zero-day vulnerabilities we have been seeing in the past year in IE, Java and Flash," Blasco warned. "The hacker can virtually own your computer if you visit a malicious link thanks to this new vulnerability. At the moment, there is no patch for this vulnerability, so the only way to protect yourself is by disabling Java."

Slow response

There has been criticism that Oracle, which bought Java from Sun Microsystems in 2010, has been slow to patch flaws in its software. In April 2012 another zero-day exploit was identified, but a patch was not released until late August [Sophos].

The slow release of patches, and the fact that Java is less widely used than it once was, is prompting some to question whether they should uninstall the software altogether [Slate].

Business challenge

While some Internet users can get by without it, many organizations do require Java, though there may be alternatives. However, Marc Maiffret, chief technology officer with BeyondTrust, says that businesses may need to keep using Java to access some websites and Internet-based programs that run on the technology.

"The challenge is mainly for businesses, however, which have to use it for some applications," he said. "Oracle simply needs to do a lot more to secure Java and get their act together."

Risk to all systems

Cybercriminals exploit Java because it is multi-platform, capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux. As a result it's not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload. In early 2012 more than 600,000 Apple Macs were infected by the Flashback malware because of a Java security flaw [Sophos].

As regards the latest security threat, there are reports that hackers are heavily exploiting the vulnerability [HotForSecurity]. The flaw was first identified by a French researcher who goes by the name Kafeine. In a post on his Malware Don't Need Coffee website, the researcher claimed that the latest version, Java 7 Update 10, was being exploited on a site that receives "hundreds of thousands of hits daily" and concluded that "this could be mayhem."

Government warnings

The vulnerability is certainly being taken seriously by more than technology bloggers. The US Computer Emergency Readiness Team (US-CERT), which falls under the National Cyber Security Division of the Department of Homeland Security, issued a stark warning and advised users to disable the software in their browsers [TheNextWeb / Sophos].

The question over whether Java should be completely removed is difficult to answer. Like most problems in life, the answer isn't an easy yes or no. While most web browsing can be conducted without the need for Java, other sites are reliant upon it. The software is often used to allow users to easily upload files to cloud storage websites such as ADrive. While it would be great to be rid of all unstable and risky software and plugins such as Adobe Flash, Shockwave and Java, users are stuck with them because so many websites depend on them. For now at least, the best advice is to disable Java and hope that an update is forthcoming [InfoWorld].

tvnewswatch, London, UK
