Java attacks reach critical mass
This was a rough year for Java in the browser – major Java attacks were everywhere. Major new vulnerabilities repeatedly battered Java browser plugins, encouraging many organizations to get rid of Java in the browser if possible.
In April, more than 600,000 Mac users found themselves recruited into the global Flashback, or Flashplayer, botnet, courtesy of a Java vulnerability left unpatched on OS X for far too long. After Apple issued a removal tool and a Java patch, Oracle assumed direct responsibility for publishing Java for OS X in the future, and promised to release Java patches for OS X at the same time as those for Windows.
Oracle’s Java developers were soon called upon to deliver prompt patches. Within days of the discovery of a new zero-day vulnerability affecting Java 7 on all platforms and operating systems, the flaw was already being exploited in targeted attacks, was integrated into the widely used Blackhole exploit kit, and had even shown up in a bogus Microsoft Services Agreement phishing email. According to one detailed analysis, this exploit enabled untrusted code to access classes that should be off-limits, and even disabled the Java security manager.
As Oracle had promised, it released an out-of-band fix more rapidly than some observers had expected. But, within weeks, more major Java flaws surfaced. Security Explorations, the same researchers who discovered the first flaw, found another way to bypass Java’s secure application sandbox—this time, not just on Java 7, but also on Java 5 and 6, and in all leading browsers. The new exploit put 1 billion devices at risk.
Many users today have little or no need for browser-based Java programs, known as applets. JavaScript and other technologies have largely taken over from applets inside the browser. Unless you genuinely need, and know you need, Java in your browser, Sophos recommends that you turn it off.
Our website offers detailed instructions for doing so within Internet Explorer, Firefox, Google Chrome, Safari, and Opera. If you do rely on websites that require Java, consider installing a second browser and turning Java on in that browser only. Use it for your Java-based websites only, and stick to your Java-disabled main browser for everything else.
Java isn’t the only plugin platform that’s caused security headaches. In previous years, Adobe’s Flash has also been victimized by high-profile exploits. Fortunately, the need for browser plugins such as Flash is diminishing. HTML5-enabled browsers have capabilities such as playing audio and video built in, making customary plugins obsolete.
Our take: we always tell people that security is, in no small part, keeping on top of updates. Microsoft (or Apple) security updates, Adobe Flash, Adobe Reader and Oracle’s Java – with those and a good antivirus, you’re doing most of what you can do – apart from not clicking on links you have no idea about! 😉