Update JAVA or get pwned – Sun Releases Emergency Java Patch
ALL YOUR BROWSERS ARE BELONG TO US
Nice one with my morning coffee: Sun Releases Emergency Java Patch
A week ago, Oracle claimed the vulnerability that had been discovered in Java was not a big deal at all. Apparently, they’ve changed their minds on that.
Yesterday afternoon, Oracle pushed an update to Java that fixes a vulnerability that exposed Windows users to drive-by attacks. While Sun had claimed that the issue wasn’t serious enough for them to release a patch prior to the next scheduled version’s release, once Google’s Tavis Ormandy released details of how the attack could be used, Sun relented and released a fix.
The vulnerability was independently discovered by Ruben Santamarta as well, and occurs because of the Java-Plugin Browser, which runs “javaws.exe” without validating command-line parameters.
The new version, Sun Java 1.6.0_20, is available at the Java web site, or you can wait until it’s automatically pushed to you, which will happen within 30 days and which you probably shouldn’t wait for.
You can also read the full release notes on Oracle’s site.
Don’t walk, run to update your Java… This affects ALL YOUR BROWSERS.
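To confirm a machine is actually on the fixed release, the following added example (not code from the original post or from Sun/Oracle) parses `java -version` output and compares it with 1.6.0_20, the version named above. The function names and the sample banner are constructed for illustration, and comparing other Java families numerically against 1.6.0_20 is an assumption, since the post names only that release.

```python
import re
import subprocess

# Fixed release named in the post: Sun Java 1.6.0_20.
FIXED = (1, 6, 0, 20)

# Quoted version string in `java -version` output, e.g.
#   java version "1.6.0_19"    legacy scheme: 1.<major>.<minor>_<update>
#   openjdk version "11.0.2"   newer scheme: <feature>.<interim>.<update>
_VERSION_RE = re.compile(
    r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?[^"]*"')

# Constructed sample banner in the format an unpatched 1.6 install prints.
SAMPLE_BANNER = (
    'java version "1.6.0_19"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_19-b04)\n'
    'Java HotSpot(TM) Client VM (build 16.2-b04, mixed mode, sharing)\n'
)


def parse_java_version(banner):
    """Return the version as a legacy-style tuple (1, major, minor, update)."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    a, b, c, u = (int(g) if g else 0 for g in m.groups())
    if a == 1:                 # legacy "1.6.0_19" -> (1, 6, 0, 19)
        return (1, b, c, u)
    return (1, a, b, c)        # newer "11.0.2"    -> (1, 11, 0, 2)


def check_banner(banner):
    """Classify a banner as 'ok', 'outdated' or 'unknown'."""
    version = parse_java_version(banner)
    if version is None:
        return "unknown"
    # Assumption: anything numerically below 1.6.0_20 is treated as outdated.
    return "ok" if version >= FIXED else "outdated"


if __name__ == "__main__":
    try:
        # `java -version` writes its banner to stderr.
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True)
        banner = proc.stderr + proc.stdout
    except FileNotFoundError:
        banner = ""
    print(parse_java_version(banner), check_banner(banner))
```

This checks only the `java` found on PATH; a browser plug-in may use a different installed runtime, so every installed copy needs the same check.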
Personally, after getting pwned two weeks ago, I’m running all browsers inside Sandboxie – see here for other ideas.



Enjoy watching videos in your VM lol. I’ve gotten into a habit of launching a VM full screen whenever I have company over. Being an IT guy, I never run a virus scanner at home on my Server 08 box, and my girlfriend had some friends over and someone sat down on my computer and launched IE to browse some sites (AAHHHHHH!). The next morning I noticed that something snagged my open FTP credentials and replaced a JavaScript viri code before the tag on every page in my http://ftp….nice when I was hosting like 15 sites on that account.