Oracle has released a software update that will repair the Java vulnerability. CIS advises users to apply the important security patch now, available here.
Please note that some computers may have both Java 6 and Java 7 installed, so it may not be apparent which versions are present on your computer. As a result, CIS recommends that the fix be installed manually via the above link rather than through the Java auto-update feature.
Issue: Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
How you could be affected: By convincing you to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
Mitigating actions you can take: At this time there is no practical solution to this problem. Since Java is required to run various business applications, ISG recommends that you only visit websites that you trust and use Firefox as your primary browser. You may also consider installing its NoScript add-on for extra protection (read more about the NoScript add-on to see if it’s right for you). Chrome offers similar settings for its plugins which block them from running without asking you first.
How to unplug Java from a browser: http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
Details from US-CERT: Vulnerability Note VU#625617 http://www.kb.cert.org/vuls/id/625617
UPDATE 9/21 2:50 PM: Microsoft released MS12-063 (KB2744842), its Cumulative Security Update for Internet Explorer, earlier this afternoon. According to their bulletin, “The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically.”
Continue reading Alert for IE Users: MS releases security update for zero-day flaw
According to several news sources, millions of LinkedIn passwords have been reported leaked online. One of those sources, CNET, says that “a hacker says he’s posted 6.5 million LinkedIn passwords on the Web — hot on the heels of security researchers’ warnings about privacy issues with LinkedIn’s iOS app. . . Twitter users are already reporting that they’ve found their hashed LinkedIn passwords on the list.” (Read the rest of the story here. Follow the stories on Google News here.)
Continue reading LinkedIn Passwords Leaked
If you missed Microsoft’s “Patch Tuesday” announcements this week, Microsoft reported that there is a vulnerability in the RDP service that may allow a remote unauthenticated attacker to execute arbitrary code on the host running RDP. This vulnerability is labeled critical.
The Internet Storm Center is warning that hackers will likely reverse engineer the patch to “understand the details of the bug and craft an exploit.” They estimate that a viable exploit will probably be available in less than 30 days.
It is imperative that you apply the patch for this vulnerability as soon as possible. First, many departments are still wide open to the Internet (i.e., not yet behind a firewall), and second, being behind a firewall does not protect you from a compromised computer on our own networks. Successful exploitation may mean an attacker can install a backdoor onto your system, among other things.
Please consult the following links for additional information about this vulnerability.
UPDATE: US-CERT announced today that Apple has released Security Update 2011-003 for Mac OS X in response to the recent Mac fake anti-virus software. This update:
>> Adds a malware definition to the File Quarantine application
>> Causes the File Quarantine application to automatically update its malware definition list daily
>> Removes MacDefender fake anti-virus software if detected
Continue reading Mac Attacks
In our efforts to prevent the further spread of the HomeRun spam attack within the Brown community, we have blocked the domain homerun.com. Currently, the graphics and links in the spam point back to this domain. Blocking the domain will ensure not only that the graphics will not appear in the spam email, but also that clicking on the links will not work.
Continue reading HomeRun.com domain blocked
The HomeRun.com (free movie ticket offer) email scam is still plaguing the Brown community.
You can help stem the tide by:
1. Not responding to the offer. Responding results in the message being sent to everyone in your contact list.
Continue reading HomeRun.com phish still surfacing
The Information Security Group has received questions about various data breach notifications, from retailers such as Best Buy and New York & Company.
In letters to their customers, these major businesses (some 2,500 affected) say that they had been informed by their email service provider — Epsilon — that email addresses they manage had been “exposed by unauthorized entry into their system.”
Continue reading Epsilon Email Database Breach
The Information Security Group (ISG) may periodically post detailed advisories to the Brown community via the CIS blog (located in the “Security Advisories” section). These posts will be used to alert the campus to:
- rapidly spreading threats of high impact and/or broad distribution;
- recommendations for remedial as well as proactive responses to existing and developing situations;
- updates on information security situations; and
- general reminders of safe computing best practices in light of shifting security trends and attack vectors.