Security research firm Security Explorations reported two new zero day exploits hit Java on February 25. Since then, the company has provided a number of updates on the progress its made with Oracle to patch these security holes:

25-Feb-2013

27-Feb-2013

28-Feb-2013

The issues referenced above – 54 and 55 – can apparently be combined to “gain a complete Java security bypass in the environment of Java SE 7 (Update 15).” Issue 54 is being labeled by Oracle as a non-issue, but issue 55 has been picked up for further investigation.

This latest discovery only further stains Java’s reputation as it has not only been exploited twice in the past two months, but said exploits led to major firms like Apple and Facebook being hacked. Granted, Oracle can’t predict every new exploit that comes its way, but you would think it would be more thorough before releasing updates.

So, what can you do to prevent any Java-based attacks? It’s rather simple really – just disable Java. Firefox automatically disables it for you, and it’s easy enough to disable on other browsers as well.

[h/t: ZDNet]

Computer security company FireEye found yesterday that Adobe Reader was hit by a zero-day exploit. The exploit is currently found in the latest Adobe Reader versions – 9.5.3, 10.1.5 and 11.0.1. Here’s what the exploit does:

Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.

FireEye has alerted Adobe to the threat, and the company is now investigating the report. It will have an update on what actions it plans to take soon.

Instead of waiting for Adobe to act, you should probably switch to a different PDF reader. There are numerous free, open-source PDF readers that do a marvelous job without relying on a Web browser plugin that can be exploited to insert malware onto your system.

The Firefox 19 Beta is also testing out a new native HTML5 PDF reader plugin that would be far more secure than traditional plugins. It’s only a matter of time before the HTML5-friendly Chrome follows suit with its own.

[h/t: The Next Web]

Computer World reports that Adobe has issued a patch ahead of schedule that fixes the two zero-day exploits that hackers were using to hijack Windows PCs and Macs. Here’s the report from Adobe:

Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

If you don’t want to be hit by something that nasty, you might want to update to the latest version of Flash now. Most Flash users probably have automatic updating turned on, however, and won’t need to worry as the update will take care of itself. For those who do not, you’ll want to download the latest version from Adobe’s Web site.

There might be other zero-day vulnerabilities floating around in Flash for hackers to find and exploit users with. Always stay on guard and only use Flash on trusted Web sites. You can do this by installing a plugin that disables any Flash content from automatically playing unless you authorize it. This technology is built into Firefox. Chrome users can grab the popular FlashControl extension here. If you’re using Internet Explorer, especially IE8, you should probably just stop.

Krebs on Security reports that a hacker has already found a hole in the Java fix that Oracle uploaded this week. This particular hacker relayed the news to others on a private Web forum, and began looking for buyers. Here’s the sales pitch:

New Java 0day, selling to 2 people, 5k$ per person

And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.

Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.

What’s worrisome is that the thread is reportedly gone as of today which means that the exploit has been sold to two people already. That means we could be seeing another potentially dangerous zero-day attack on Java in the near future.

Oracle can’t predict the future, and its engineers obviously can’t predict what exploits are going to be found in its software. Hackers will always be one step ahead of software developers. All Oracle can do is remain vigilant and quickly put out a fix whenever a new exploit is found. Java’s presence on over 1 billion PCs must put a ton of pressure on the company, but hopefully it can push out fixes just as quickly as the last one.

And next time, maybe check the fix to make sure there aren’t any security holes left in it.

[h/t: Ars Technica]

Originally spotted in the wild by @kafeine, other security research teams, including AlienVault Labs, have confirmed that a new zero day exploit has been found in Java. This particular exploit looks like it can hijack your PC into executing malicious code. It seems that one group is even using the exploit to install ransomware on affected PCs.

So, what can you do to protect yourself from this particular exploit? The easiest solution is to just disable Java in your browser. Since it seems to affect all browsers and all operating systems, there’s really not much else you can do.

The good news is that Oracle is already working on a fix. According to @kafeine, Oracle has already assigned a security ticket to the exploit. While that’s nice and all, there’s still no word on how long it’s going to take to patch. Oracle could even wait until its next Patch Tuesday to issue the fix leaving millions of PCs in limbo until then.

Despite the severity of the exploit, it’s not that surprising. In a report from AVG earlier this month, the security company said that Java would remain the most exploited software on PCs. It’s unfortunate that the report has already proven itself accurate so soon in the new year, but perhaps this will push Oracle to stay one step ahead of hackers that look for these exploits.

[h/t: Sydney Morning Herald]

The security researchers at FireEye discovered a zero-day exploit in Internet Explorer 6, 7 and 8 in late December that allows malware to be installed on PCs running these older versions of Microsoft’s browsers. Microsoft is now working on a comprehensive fix, but has pushed out a small emergency fix for the time being. It’s highly recommended that you download the fix until Microsoft can finish its current investigation.

Thankfully, the exploit doesn’t appear to be that widespread. Only a small number of sites have been found to be hosting the exploit, and a fix is already present. Of course, Microsoft’s investigation may show that the exploit has been around much longer than anybody previously thought. A report out of Sophos indicates that the exploit may have been in place as early as December 7. Thus, the exploit could have been infecting computers for almost a month without anybody’s knowledge.

Even with the emergency fix, it’s recommend that you upgrade to Internet Explorer 9 if you can. If you’re on Windows XP and can’t, you can always take Twitter’s advice and switch to another browser. Microsoft even makes it easy for you with the European Browser Choice site. Opera, Chrome and Firefox are all presumably immune to the IE8 exploit and you’ll probably have a better browsing experience anyway.

[h/t: The Register]

Spider.io, a Web analytics platform, reports that they found an exploit in Internet Explorer 6-10 that allowed hackers to track a user’s mouse movement. This exploit was reported to Microsoft at the beginning of October, but no action was taken beyond admitting that the exploit existed. In an attempt to get Microsoft moving towards a fix, the company has gone public with its original report.

So, why is it so bad for hackers to track your mouse movements? The team at Spider.io explains the security risks in its original letter to Microsoft:

A security vulnerability in Internet Explorer, versions 6–10, allows your mouse cursor to be tracked anywhere on the screen, even if the Internet Explorer window is inactive, unfocused or minimised. The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.

As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.

For those who prefer a visual example, here’s a video of the exploit in action:

The real danger here is that the virtual keypad was created to combat the already widely in use keylogger that hackers use to steal passwords and other information entered via keyboard. Now with this hack, no password is safe until Microsoft patches it up. Unfortunately, it’s looking like Microsoft has no plans to do so.

It’s ridiculous that a company that so adamantly supported Do Not Track is blatantly allowing ad companies to track IE users with an exploit. It’s also reminiscent of a major security flaw found in Java that Oracle refused to patch until its next scheduled patch Tuesday. In the end, the company patched the exploit after enough people raised a stink. By going public, it’s obvious that Spider.io wants people to complain and push Microsoft into fixing this potentially dangerous exploit.

Until Microsoft fixes the exploit, I’d suggest using any one of the other browsers available, especially if you use virtual keypads. Who knows? You might even like it enough to stay. It’s obvious that Microsoft doesn’t care about its users if it doesn’t fix an exploit this dangerous.

[h/t: Wired UK]

Security Explorations says that they have found a new vulnerability in the latest version of Java that was released yesterday. If discovered, the vulnerability would allow hackers to escape the Java sandbox and run code on the underlying system. It sounds pretty bad, but there’s no reason to worry yet.

In an email to CSO, Security Explorations CEO Adam Gowdiak said that Oracle’s patch was effective in stopping the previously used attacks that were infecting computers. The patch from yesterday only took care of the immediate threat however. Security Explorations submitted 29 vulnerabilities in April and only the most pressing issues have been fixed so far.

The concern comes in the form of a new vulnerability that was just recently discovered. Gowdiak says that hackers could combine the new exploit with other unpatched exploits to “achieve a full JVM sandbox bypass.” It’s certainly a cause for concern, but Security Explorations has already submitted a report to Oracle.

For now, it’s safe to use Jave if you have the latest patch installed. There’s no indication that hackers are using new Java exploits to break into your system. If everything goes according to plan, hackers won’t have access to any such exploits until they have been patched by Oracle.

Oracle issued a security alert today that addresses the three vulnerabilities that were discovered in Java back in April by Security Explorations. The vulnerability, if exploited, would allow a hacker to take control over a user’s computer and steal confidential information. It also had the potential to add any number of PCs to a botnet for other illegal actions.

Oracle’s security alert does give us a bit more information in regards to what versions of Java are affected. The previous reports said that it was only Java 7 that was affected, but Oracle says that Java 6 update 34 and before are also affected by the exploit.

Oracle has released updated versions of Java for developers and end users that patches the security holes. Developers can hit up Oracle’s developer site for the latest versions of the Java SDK and JRE 7/6 releases. End users can either download the newest version from Java’s Web site or just get it through automatic updates on the Windows platform.

It’s a relief that Oracle fixed this latest exploit so quickly. I, like a lot of other people, was concerned that Oracle would hold on updating Java until October. It’s pretty much a given, but everybody should go download the Java fix as soon as they can. System administrators should be especially hasty in applying the patch lest their entire network falls victim to an attack.

A YouTube user by the name of ZeldaFreaksGlitcha has used a recently found exploit to complete the seminal Nintendo 64 classic Ocarina of Time in less than 25 minutes. Let’s put that into perspective here: It took me over 30 hours to beat Ocarina of Time when I first played it years ago. I have tried to do speed runs before and it still took me about 15 hours to get through the entire game.

I’m sure many of you are wondering how a massive game like Ocarina of Time can even be completed in that time without the use of cheats. This is where the exploit comes in. If you fight the boss of the Deku Tree, Queen Gohma, in such a way that kills Link as soon as Queen Gohma dies, you can use an exploit that transports Child Link to the end of the game right as Ganondorf dies.

It’s an impressive feat and made all the more impressive by the fact that it took gamers over a decade to find it. Just to clarify, this is a legitimate exploit with the player not using any kind of cheat. This means that you can go bust out that copy of Ocarina of Time and try it for yourself.

If you don’t want to watch the entire 25-minute run, just skip to the end to watch the hilarious fight between Child Link and Ganon. Nothing is better than watching Link kill Ganon with a Deku Stick.

[h/t: Kotaku]