Security of the Java software platform
The Java software platform and programming language have been criticized for their security vulnerabilities.
History
2012
An OS X trojan referred to as Flashback exploited a vulnerability in Java that had not yet been patched by Apple, although Oracle had already released a patch.[1] In April, Apple released a removal tool for Lion users who did not have Java installed.[2] With Java 7 Update 4, Oracle began to release Java directly for Lion and later versions of OS X.[3]
In October, Apple released an update that removed the Java plugin from all browsers.[4] This was seen as a move by Apple to distance OS X from Java.[5]
2013
In January, a zero-day vulnerability was found in all versions of Java 7, including the latest version, Java 7 Update 10, and it was already being exploited in the wild.[6] The vulnerability was introduced by a patch intended to fix an earlier vulnerability.[7] In response, Apple blacklisted the latest version of the Java plugin.[8] Oracle released a patch (Update 11) within three days.[9] Microsoft also released a patch for Internet Explorer versions 6, 7, and 8.[10]
The cyberespionage malware Red October was found exploiting a Java vulnerability that had been patched in October 2011.[11] The website of Reporters Without Borders was also compromised through a Java vulnerability affecting versions prior to Update 11.[12]
After the release of Update 11, another vulnerability began circulating online,[13] which was later confirmed.[14] It was also found that Java's security mode itself was vulnerable due to a bug.[15] In response, Mozilla disabled Java (as well as Adobe Reader and Microsoft Silverlight) in Firefox by default,[16] while Apple blacklisted the latest Java plugin again.[17]
In February, Twitter reported that it had shut down an attack. Twitter advised users to disable Java, although it did not explain why.[18] Later in the month, Facebook reported that it had been hacked by a zero-day Java attack.[19] Apple also reported an attack.[20] It was found that a breach of an iPhone developer forum was used to attack Twitter, Facebook, and Apple.[21] The forum itself was unaware of the breach.[22] Following Twitter, Facebook, and Apple, Microsoft reported that it was also similarly compromised.[23]
Another vulnerability that was discovered allowed the Java security sandbox to be completely bypassed in the original release of Java 7, as well as in Updates 11 and 15.[24] In March, a trojan called McRat was found exploiting a zero-day Java vulnerability.[25] Oracle then released another patch to address the vulnerability.[26]
References
- [1] http://arstechnica.com/apple/2012/04/mac-trojan-exploits-unpatched-java-vulnerability-no-password-needed/
- [2] http://arstechnica.com/apple/2012/04/flashback-malware-removal-tool-for-java-less-mac-users/
- [3] http://arstechnica.com/apple/2012/04/oracle-updates-java-to-se-7-for-os-x-brings-full-jdk-support/
- [4] http://arstechnica.com/apple/2012/10/apple-removes-java-from-all-os-x-web-browsers/
- [5] http://arstechnica.com/apple/2012/12/where-os-x-security-stands-after-a-volatile-2012/
- [6] http://arstechnica.com/security/2013/01/critical-java-zero-day-bug-is-being-massively-exploited-in-the-wild/
- [7] http://arstechnica.com/security/2013/01/critical-java-vulnerability-made-possible-by-earlier-incomplete-patch/
- [8] http://arstechnica.com/apple/2013/01/apple-blacklists-java-on-os-x-to-prevent-latest-critical-exploits/
- [9] http://arstechnica.com/security/2013/01/oracle-patches-widespread-java-zero-day-bug-in-just-three-days-that-is/
- [10] http://arstechnica.com/security/2013/01/microsoft-releases-emergency-update-to-patch-internet-explorer-bug/
- [11] http://arstechnica.com/security/2013/01/massive-espionage-malware-relied-on-java-exploit-to-infect-pcs/
- [12] http://arstechnica.com/security/2013/01/just-patched-java-ie-bugs-used-to-snare-human-rights-sites/
- [13] http://arstechnica.com/security/2013/01/5000-will-buy-you-access-to-another-new-critical-java-vulnerability/
- [14] http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/
- [15] http://arstechnica.com/security/2013/01/javas-new-very-high-security-mode-cant-protect-you-from-malware/
- [16] http://arstechnica.com/security/2013/01/firefox-to-block-content-based-on-java-reader-and-silverlight/
- [17] http://arstechnica.com/apple/2013/01/for-second-time-in-a-month-apple-blacklists-java-web-plug-in/
- [18] http://arstechnica.com/security/2013/02/twitter-detects-and-shuts-down-password-data-hack-in-progress/
- [19] http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
- [20] http://arstechnica.com/apple/2013/02/apple-hq-also-targeted-by-hackers-will-release-tool-to-protect-customers/
- [21] http://arstechnica.com/security/2013/02/web-forum-for-iphone-developers-hosted-malware-that-hacked-facebook/
- [22] http://arstechnica.com/security/2013/02/dev-site-behind-apple-facebook-hacks-didnt-know-it-was-booby-trapped/
- [23] http://arstechnica.com/security/2013/02/microsoft-joins-apple-facebook-and-twitter-comes-out-as-hack-victim/
- [24] http://arstechnica.com/security/2013/02/javas-latest-security-problems-new-flaw-identified-old-one-attacked/
- [25] http://arstechnica.com/security/2013/03/another-java-zero-day-exploit-in-the-wild-actively-attacking-targets/
- [26] http://arstechnica.com/security/2013/03/oracle-releases-new-java-patch-to-address-this-weeks-mcrat-problem/