Update Java to thwart active cross-platform exploit

There is a rather serious vulnerability in Java version 1.6.0_26 that is apparently being actively pursued by hackers, one that is easy to implement and allows hackers to compromise systems without being detected.

The exploit was found a couple of months ago and was addressed in the latest round of Java updates both from Oracle and from Apple for OS X users; however, many people have not yet updated their systems and hackers are working to take advantage of this flaw on these systems.

The vulnerability allows a maliciously crafted Java applet to run undetected on many browsers and allows code to execute outside of the Java sandbox with the privileges of the current user. This means that malicious code in the applet can have access to any system feature your account has access to. For standard user accounts that's restricted to the user's home folder and attached disks, but for administrators it includes the Applications folder and parts of the global library and system folders.

This behavior is not particularly new for vulnerabilities; however, this one is a bit different in that the exploit is easy to perform, does not require authentication or other user input to run, and remains hidden on most browsers.

Beyond all of these details is the real issue here, which is that packaged versions of the exploit are apparently being actively sold and distributed among hackers on underground cybercrime networks, meaning that it is very likely to be implemented on many sites. If by chance a Google search results in you clicking a site that has this exploit, then if you have Java installed, your computer could be quickly compromised. All you have to do is visit a compromised Web site with a malicious Java applet, and most browsers will not even indicate the exploit is running.

In OS X, check the Java Preferences utility to see what version of Java you are running. You can use the preferences to disable Java applets as well.

(Credit: Screenshot by Topher Kessler)

Security community Metasploit took a recent look at this vulnerability, and found that the exploit, described as "a big one," is run completely and successfully on all systems running Java prior to version 1.6.0_29-b11, including Windows XP, Windows 7, Ubuntu Linux, and Apple's OS X.

On all platforms, only Google's Chrome browser gave any notification that a Java applet was running; other browsers like Safari, Internet Explorer, and Firefox gave no indication at all. Regardless of this difference, the malicious applet ran easily and successfully in all browsers.

According to Krebs on Security, the exploit "should not be taken lightly by any computer user," since Java is installed on more than 3 billion computing devices worldwide. Krebs cites Microsoft's Tim Rains as mentioning that Java-based exploits were the most common ones seen on computer systems in the first half of 2011, suggesting that hackers would be eager to get their hands on this current exploit.

Safari's preferences have an option for disabling Java.

(Credit: Screenshot by Topher Kessler)

This is a serious issue, but luckily the last update to Java distributed by Oracle, Apple, and other companies for their operating systems includes a fix for this problem. If you keep your system fully updated and if applied the Java patch when it was released then you have nothing to worry about; however, many times people ignore updates to software that they do not use, with Java being one of them.

To see what version of Java you are running on your system, launch your Java configuration tool or runtime environment and check the version there. For Mac users, Apple has stopped including Java with OS X but has it readily available to download if you run Java applications on your system. If you have not installed Java then you are in the clear. If you have, then go to your /Applicatons/Utilities/ folder and open the Java Preferences application. In here if you see the Java SE 6 version listed as being anything below 1.6.0_29-b11, then it is highly recommended that you update Java on your system.

The latest Java update is available via software update tools, so be sure to run them on your system (Apple's is available by selecting Software Update in the Apple menu). However, you can also download the updates directly from sites like Apple's Java Update 6 for Mac OS X 10.6, and the Java Update 1 for OS X 10.7. Non-Mac users can download the update directly from Oracle.

Firefox's Java handling can be disabled through its Add-ons manager.

(Credit: Screenshot by Topher Kessler)

In addition to updating Java, there are some other steps you can take to help secure your system, especially if you do not regularly use Java Web applets when browsing the Internet (and especially since most common Web scripting is done in JavaScript and PHP, or uses Flash). In the Java preferences, uncheck the option to enable applet plug-in and Web Start applications, which will prevent downloaded applets from launching. Additionally, in Safari's preferences uncheck the security option for enabling Java.

If you use Firefox, then to disable Java go to the Tools menu and select the Add-ons option to open the Add-ons Manager window. In here, click the Plugins section to the left, and locate the Java Applet Plug-in. Then click the "Disable" button next to the plug-in to prevent Java applets from running.

Again, this threat was addressed over a month ago, so while it is only now being found to be a serious issue, the fix for it has been available and ready for a while. However, as it's a recent update many people may not have yet installed it, so again, be sure to check your system and apply the update if you are not running the latest version of Java.

Read more: http://reviews.cnet.com/8301-13727_7-57335639-263/update-java-to-thwart-active-cross-platform-exploit/#ixzz1fQjmo45O

Read More

Oracle: Reports of Itanium's life greatly exaggerated

A wafer of Itanium 9300 processors.

(Credit: Intel)

Oracle filed court papers this week alleging that a "secret" deal between Itanium developers HP and Intel is the only reason for the continued existence of the chip--for which the business-software giant is ending its support.

"HP has secretly contracted with Intel to keep churning out Itaniums so that HP can maintain the appearance that a dead microprocessor is still alive," reads the filing, which All Things Digital's Arik Hesseldahl describes as a routine affair about the discovery process and timing in HP's lawsuit against Oracle for dropping the chip.

HP alleges that Oracle's motivation for ending Itanium support is the latter company's acquisition of Sun Microsystems and its server business, which relies on Intel x86 chips. Oracle, HP claims, is simply trying to convince Itanium customers that the chip isn't long for this world and to get them to switch to x86-based servers like Sun's.

Oracle, on the other hand, says HP's desire to keep customers on Itanium is based on the fact that the Itanium-reliant HP UX operating system commands more in service fees than would a system based on x86 chips. This "led HP to craft a top-secret plan to create a false perception that Itanium still had a future," Hesseldahl quotes the Oracle filing as saying. "HP understands that the future prospects of IT products drive customer purchasing decisions. A buyer who knew that Intel saw no future for Itanium, and was only continuing to invest in the line pursuant to a contractual obligation, would devalue the future prospects of Itanium servers and be less inclined to buy."

In a statement to Hesseldahl, HP fires back. "This filing is just the latest in [Oracle's] ongoing campaign to shore up its failing Sun server business and starve thousands of existing Itanium customers who rely on their Itanium processors for mission-critical activities.

"As Oracle well knows, HP and Intel have a contractual commitment to continue to sell mission-critical Itanium processers to our customers through the next two generations of microprocessors, thus ensuring the availability of Itanium through at least the end of the decade. HP is resolved to enforcing Oracle's commitments to HP and our shared customers and will continue to take actions to protect its customers' best interests."

HP filed its lawsuit in June of this year. And in August, then-CEO Leo Apotheker acknowledged that the Itanium flap was hurting business, saying, "Revenue in business-critical systems declined 9 percent year over year. This decline is sharper than expected as our ability to close deals has been impacted by Oracle's decision and orders are being delayed or canceled. We are working diligently to enforce the commitments that Oracle has made to our customers and to HP."

The Itanium chip was introduced in 1996 and has long been the butt of industry jokes owing to its failure to live up to its developers' hopes--instead of becoming the server market's "unifying architecture," spanning many server lines and operating systems, it's been relegated to a high-end niche.

Intel had no comment for Hesseldahl, but the company has said before that it stands behind Itanium. When Oracle announced, in March, that it was dropping support for the chip, Intel CEO Paul Ottelini said, "We remain firmly committed to delivering a competitive, multi-generational roadmap for HP-UX and other operating system customers that run the Itanium architecture."

Read More

Microsoft respondeu à acusação da Google

 Se não viu o Post original pode vê-lo aqui.


A Microsoft respondeu através do Twitter, que a Google não comprou em conjunto com a Microsoft, a Apple e a Oracle, porque não quis.
A Google tinha acusado a Microsoft, a Apple e a Oracle de planear contra a Google. Segundo a Google, o objectivo seria adquirir patentes, para poderem processar a Google, nomeadamente o Android.

Read More