[ISN] New security protection, fixes for 39 exploitable bugs coming to Java

http://arstechnica.com/security/2013/04/new-security-protection-fixes-for-39-exploitable-bugs-coming-to-java/

By Dan Goodin
Ars Technica
Apr 15 2013

Oracle plans to release an update for the widely exploited Java browser plugin. The update fixes 39 critical vulnerabilities and introduces changes designed to make it harder to carry out drive-by attacks on end-user computers.

The update scheduled for Tuesday comes as the security of Java is reaching near-crisis levels. Throughout the past year, a series of attacks hosted on popular websites has been used to surreptitiously install malware on unwitting users’ machines. The security flaws have been used to infect employees of Facebook and Apple in targeted attacks intended to penetrate those companies. The vulnerabilities have also been exploited to hijack computers of home and business users. More than once, attackers have exploited one previously undocumented bug within days or weeks of patching a previous “zero-day,” as such vulnerabilities are known, creating a string of attacks on the latest version of the widely used plugin.

In all, Java 7 Update 21 will fix at least 42 security bugs, Oracle said in a pre-release announcement. The post went on to say that “39 of those vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.” The advisory didn’t specify or describe the holes that will be patched. Security Explorations, a Poland-based security company that has discovered dozens of “security issues” in Java, has a running list of them here.

In addition to the bug fixes, Oracle developers plan to roll out changes to Java that are intended to help end users make better decisions about when (and when not) to allow Java code to be executed in their browsers. Under the update, Java will display a variety of messages and dialog boxes, such as the one shown above, when it encounters websites that host Java applets. In some cases, the code will be executed only after an end user clicks an “OK” button.

[…]