Tech Alert: Update Java NOW

Sep 02, 2012 08:07

This definitely needs a boost, so here:

Originally posted by lolmac at Tech Alert: Update Java NOW
How recently did you install an update to Java?

If your answer is "Last week" or "Last month" or "Huh?  What's that?" or, in fact, anything other than "Yesterday" or "Today", go thou and update.  Now.  Then come back here and I'll tell you why, but seriously, DON'T WAIT.

http://www.java.com/en/download/inc/windows_upgrade_xpi.jsp

It usually comes as a file named 'jxpiinstall.exe'.  The file will also offer to install the Ask toolbar: uncheck this and proceed.

After installation, go into your control panel and un-install any older versions of Java that might be lurking (Versions 6 or less). The patched version is Version 7 Update 7.

ETA:  link to all downloads:  http://java.com/en/download/manual.jsp -- the Mac update is about mid-page.

So.  Why?


Late Sunday night, a 'zero-day exploit' was discovered 'in the wild', using two vulnerabilities in the current version of Java.  By late Monday, the exploit had been incorporated into the kits used by malware developers.

- - - - -
Department of Very Basic Geekspeak Translation for Non-Geeks:

Java:  a software platform that runs a ton of software all over the friggin' place.
Zero-day exploit:  evil code that is a problem RIGHT NOW, for which a defense has not yet been developed and released.
In the wild:  It's already out there and can hit your computer.
- - - - -

Translated into English: in the first half of this week, the Bad Guys were handed the key to your computer.  This specific hole allows successful infection of a fully patched computer running any standard security software.  It doesn't even matter what browser you're using:  it can slip through IE, Firefox, and Chrome.  It works on Macs as well as PCs, and not even Ubuntu is safe -- the vulnerability is that pernicious.  No patch existed to block the hole.  And here's the rub:  Oracle, the company responsible for issuing security patches, wasn't planning to do anything about it until October.

By Wednesday morning, the IT blogosphere was recommending that people uninstall Java from their computers, or shut it down in their browsers.  The catch is that there's a metric buttload of Java out there, running many of the widgets that we use on the web.  This kind of translated into "Stop doing anything online."

By Thursday morning, infected code had been found on over a hundred websites, and the IT blogosphere was howling for Oracle's blood -- especially since it was discovered that Oracle had been informed of the vulnerability in April.

Oracle released the patch on Thursday afternoon.

You haven't heard any of this?  Well, Oracle hasn't been talking about it.  They never said, "Yes, it's a problem, and we're working on it and we'll have your fix ASAP."  They didn't say bupkis.  They didn't even promote the patch when it was released.

So, if you haven't heard of it before this -- Congratulations!  You are among about at least half a billion people who are still at risk, because a patch ain't worth spit until it's applied.  Actually, by this point, I REALLY hope you're not at risk any more, because you did go update Java back at the beginning of this post, right?  You're safe now?

This isn't entirely over -- you may hear me saying this all over again soon, since Java is the shiny new channel for the malware goons.  I don't think they've discovered Tumblr or Pinterest or similar sites yet, but if they do -- well, how many sites can you think of where everyone happily clicks away on any and every link they see?

There's a bright spot:  in my earlier posts, I've been a fervent advocate of running AdBlock in whatever browser you favour -- it's available for Chrome now as well as Firefox.  (If you use Internet Explorer, except under duress, please schedule me for an intervention, stat.)  Guess what?  It's not a perfect protection against malware, but it's a damned good first step.  Run an adblocker, use an anti-malware scan as well as an anti-virus, don't click on funny links in emails, talk to an IT person when you see weird stuff going on, and you've already lowered your chances of getting hit by an impressive amount.

And now, go update Java if you haven't yet.  Please?

ETA2:  the same group that originally identified the vulnerabilities in Java and told Oracle about them has analyzed the patch.  They report that there are still holes, although they're different holes from the ones that are already being used by the Bad Guys.  This means that the Bad Guys will find them, sooner or later (probably sooner).  More patching will be needed.

In the interim:  the safest thing is, well, never to go online.  Next safest:  uninstall or disable Java.  Next safest:  stay fully patched, use an adblocker, run regular anti-malware scans, don't click on weird links in email.

For advanced students:  one approach is to bifurcate your browsing.  If there's a site that you MUST use that requires Java, run that site in one browser -- Chrome, say, or even IE -- and do the rest of your browsing in another browser, such as Firefox.  Turn off Java in that browser.  This was the approach I had everyone use at work this week, since our daily operations REQUIRED use of a professional website that ran almost entirely on Java.

It's been pointed out (and not just here) that the exploit only works in the most recent version of Java.  Can't we just roll back to an older version, or stick with an older version if you haven't updated?  Unfortunately, no, not really.  The older version has a different set of security holes:  that's why the new version came out.  If you roll back, you've locked the front door and unlocked the back patio.

On the one hand:  this is the newest, most fashionable vector, bringing you the latest in custom tailored malware.  This is where the crooks are focusing their efforts.  So if you don't update, you're vulnerable to the older threats; if you do update, you may be vulnerable to the newer ones, as they're developed.  Personally, I'm staying updated.

ETA3:  Thanks to dbskyler, here's an outstanding article on the Mac situation, including a good description of bifurcated browsing.

Be safe, everyone.

computer, software
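
Added example, not part of the original post: a check of `java -version` banners against the post's advice (remove Versions 6 or less; Version 7 Update 7 is the patched release). The function names and sample banners are constructed for illustration, and the parser assumes the `1.<major>.0_<update>` banner format that Java 6 and 7 print.

```python
import re

# "Version 7 Update 7", the patched release named in the post.
PATCHED = (7, 7)

# Banner line printed by `java -version`, e.g.: java version "1.7.0_07"
# Assumption: only the 1.x numbering scheme of Java 6/7 is handled.
_BANNER = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) parsed from a banner, or None if unrecognised."""
    match = _BANNER.search(banner)
    if match is None:
        return None
    # A banner without an "_NN" suffix is the base release (update 0).
    return int(match.group(1)), int(match.group(2) or 0)


def assess(banner):
    """Classify one installed runtime: uninstall, update, ok or unknown."""
    version = parse_java_version(banner)
    if version is None:
        return "unknown"          # do not guess; inspect by hand
    major, update = version
    if major <= 6:
        return "uninstall"        # the post: remove "Versions 6 or less"
    if (major, update) < PATCHED:
        return "update"           # Java 7 older than Update 7
    return "ok"


# Constructed sample banners, one per installed runtime found on a machine.
SAMPLES = [
    'java version "1.6.0_35"',
    'java version "1.7.0"',
    'java version "1.7.0_06"',
    'java version "1.7.0_07"',
    "command not found: java",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{assess(line):<10} {line}")
```
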
