 | Java flaws increasingly targeted by attackers, researchers.. "IDG News Service - Java vulnerabilities are increasingly exploited by attackers to infect computers, and the problem could become worse if Oracle doesn't do more to secure the product and keep its installation base up to date, according to security researchers who will talk about Java-based attacks at the Black Hat USA 2012 security conference.":
»www.computerworld.com/s/article/···+News%29 |
|
 mysec Premium join:2005-11-29 kudos:4 | Removing JAVA altogether is often recommended, but
said by article: "Unfortunately, not everyone can do this, especially in a business environment, where Java is needed for many internal applications. For example, some banks still have their e-banking systems built around Java, Eiram said."
One solution is to white list JAVA per site, as I do with an insurance site that uses a JAVA applet for contacting and providing information. JAVA won't work on any other site I go to (or am redirected to).
said by article: "In some cases attackers reuse exploit code that gets published online by security researchers after Oracle patches the vulnerabilities. However, they modify it and apply different obfuscation techniques to it in order to evade detection by security products."
Since all of the exploits included in Exploit Kits (such as Black Hole, which the article mentions) contain a trojan executable as the payload, it's worth it to have one of many solutions available today that snag any attempt to get such an executable onto the system. This takes care of any vulnerabilities, JAVA or otherwise.

---- rich |
|
 | reply to daveinpoway
Java has always been behind with keeping up with security... it's like the vendor does not care very much about the consumer. |
|
 | reply to mysec
said by mysec: "One solution is to white list JAVA per site, as I do with an insurance site that uses a JAVA applet for contacting and providing information. JAVA won't work on any other site I go to (or am redirected to)."
How do you do that...? |
|
 | reply to daveinpoway
Serious question, not a troll attack: What are the differences in the practical and threat level for Java between OS X versus Windows? Input from folks very knowledgeable about both operating systems especially solicited, but remarks by all welcomed.
(Hey, if you are a "pro" in both operating systems, strut yourself in your post!) |
|
 mysec Premium join:2005-11-29 kudos:4 1 edit | reply to LaRRY_PEpPeR
said by LaRRY_PEpPeR:
said by mysec: "One solution is to white list JAVA per site, as I do with an insurance site that uses a JAVA applet for contacting and providing information. JAVA won't work on any other site I go to (or am redirected to)."
"How do you do that...?"
Each browser has its own way of dealing with site content.
Opera has both Global and Site Preferences. In Global Preferences, I have everything disabled:

This means that nothing works unless I enable it for a particular site in its Site Preferences:

Sites thus configured are "white listed," meaning that plugin code won't work on any site where the specific content is not enabled (permitted to run).
My reference to "redirected" is this: the way the Exploit Kits work is that the cybercriminals find a way to inject code (e.g., SQL injection) on a legitimate site to redirect the victim to the criminal's site, where the exploit code, such as a Java exploit, is hosted.
If this happened on a site I had white listed for Content, once I left that site through the redirection exploit, the criminal's site would not have Content enabled (not white listed), and the exploit code for Java would not work.
---- rich |
|
 Name Game Premium join:2002-07-07 North Myrtle Beach, SC kudos:7 | »blogs.technet.com/b/mmpc/archive···723.aspx |
|
 Reimer join:2006-08-14 Toronto, ON | reply to daveinpoway
I like how Chrome handles Java applets. It blocks them by default and you have to give permission to run them in a pop-up. |
|