Early this morning Apple issued an update to its XProtect malware-handling system in OS X that updates the Web plug-in blacklist to include a more recent version of Oracle's Java plug-in. The update now will prevent all versions of the Java Web plug-in before version 126.96.36.199 from running on the system (previously the limit was version 188.8.131.52).
To improve security and cut crashes, Firefox will block plug-ins including Microsoft Silverlight, Adobe Reader, Apple's QuickTime and Oracle's Java, Mozilla said.
Only the newest version of Adobe Systems' Flash Player will be run by default, said Michael Coates, Mozilla's director of security assurance, in a blog post yesterday.
Plug-ins extend a browser's ability to run software or handle different media and file formats, but that extra ability opens new avenues for attack. They've been a staple of Web development for years, but browser makers are working hard to reproduce their abilities directly with Web …
Following recent security vulnerabilities in Java, malware developers are taking a new approach to exploit the Java platform by issuing false updates that pose as legitimate updates for the runtime.
The latest version of the Java runtime that fixes recent vulnerabilities is update 11, and Kaspersky Labs is reporting that new malware is out that poses as "Java Update 11." The malware is packaged in a Java archive file called "javaupdate11.jar" that contains two Windows-based executables called "up1.exe" and "up2.exe." When installed, the programs open a back door …
Lately Java has been getting a bit of bad press, thanks to several consecutive security holes that have been exploited by malware developers. One notable occurrence was the Flashback malware threat that affected a number of OS X users, which (though due in part to Apple's negligence about Java upkeep) was rooted in the Java runtime. More recently, Java 7 has seen a new zero-day vulnerability that has been circulating in exploit kits.
In response to these threats, many in the tech community have recommended that people uninstall Java altogether. However, this can be impractical for some, as many …
Despite an emergency software update issued yesterday by Oracle, the U.S. Department of Homeland Security is still advising computer users to disable Java on their Web browsers, fearing that an unpatched vulnerability remains.
Oracle released a software update on Sunday to address a critical vulnerability in Oracle's Java 7 after the DHS' Computer Emergency Readiness Team issued an advisory last week recommending users disable the cross-platform plugin on systems where it was installed. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code when a vulnerable computer visits a Web site that hosts malicious code designed …
Oracle released an emergency software update today to fix a security vulnerability in its Java software that could allow attackers to break into computers.
The update, which is available on Oracle's Web site, fixes a critical vulnerability in Oracle's Java 7 that could allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.
Oracle said the update modifies the way Java interacts with Web applications.
"The default security level for Java applets and …
A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).
The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given the ID number CVE-2013-0422, where it is still described as relatively unknown: "Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows …
Android users who want to live an edgier life now can try a beta version of Chrome.
Google yesterday released the Chrome 25 beta for Android 4.x for smartphones and tablets, a version number in sync with the release for personal computers. Previously, the only option was the stable version of Chrome for Android, which is still way back at version 18.
The Chrome for Android beta is available on the Google Play app store, but only by following that link -- it's not visible in Google Play's search, Google said. The beta version can be installed …
The new version also comes with a range of security fixes, including two $1,000 bounties and one $4,000 bounty paid to people who found high-severity vulnerabilities. Because Chrome automatically downloads updates by default in part to patch holes as fast as possible, people just need to restart the browser to update it.
IndexedDB, under development for years, is geared to store data for use even if a Web site or Web …
Security researchers have spotted a new vulnerability in the widely used Java software that could give attackers access to your computer.
The US-CERT group today issued an alert saying that Java 7 Update 10 and earlier versions of the software contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.
This weak spot is already being attacked "in the wild" -- that is, it's a real-world threat …