Oracle patches critical bug!

Posted: Fri Aug 31, 2012 1:56 am
by SFSxOI
As I related here > http://www.purebasic.fr/english/viewtop ... 17&t=51098 there is a bug in Java that hackers have been exploiting to attack systems and gain complete control over users' computers. All operating systems (e.g. Windows, Mac, all Linux versions) with any browser that uses Java are affected. There are now hundreds of web sites that have been compromised/affected, and if you visited one of these you are considered 100% for a fact infected and your system compromised, even if your anti-virus/security software gave no warning, if you had the affected Java version installed and had not disabled it. The attack vector/exploit has gone mainstream, and is now part of the hacking "kits" sold on underground forums to criminals and malicious hackers. The vulnerability exploit has been designated as CVE-2012-4681 https://cve.mitre.org/cgi-bin/cvename.c ... =2012-4681 . The temporary solution was to disable Java (or uninstall it).

Oracle has issued a fix and it's recommended that you install it; the fixed update can be found here > http://www.oracle.com/technetwork/java/ ... 36441.html.

The alternative is to remove Java completely, which will significantly decrease the attack surface target, or keep Java disabled in the browser (any browser). Although there are some things for which it's said that Java is required that function just fine without Java, there are also many things that do need Java to work properly, especially on the internet. It's your system, it's your responsibility and decision.

Re: Oracle patches critical bug!

Posted: Fri Aug 31, 2012 2:53 am
by Shield
Thanks for mentioning the hotfix!
I'll keep Java disabled in my browser though (don't really need it anyway).

Re: Oracle patches critical bug!

Posted: Sat Sep 01, 2012 2:06 pm
by SFSxOI
In reference to the first post in this thread:

After the updated fix was provided by Oracle, a security researcher has uncovered a further bug in the Java update that allows attackers to take complete control of end user computers. In the meantime the number of compromised web sites has grown and the likelihood of encountering one of these sites is increasing, especially for sites outside the U.S.; if you visited one of these you are considered 100% for a fact infected and your system compromised, even if you have received no warnings from anti-virus/security packages. In some cases you do not even need to actually visit the compromised site if a web site you are viewing has a link on it to a compromised site. Therefore, until such time as Oracle gets its act together and releases an update that actually fixes the vulnerability, it's highly recommended that Java be completely uninstalled to remove/decrease the attack surface target, or disabled in the browser (any browser).

If you choose to disable Java for the browser and are using MS Internet Explorer (any version), Microsoft has put up some information to help you disable Java properly (if you don't already know how). You can view this information here > http://blogs.technet.com/b/mmpc/archive ... loits.aspx .... and here > http://support.microsoft.com/kb/2751647 (Note: Please read the instructions fully before continuing)

Further information: These bugs in Java allow attackers to silently install virus/trojans, or other malware, on the user's system simply by visiting a compromised web site, even if you do not click on or select anything on the site. In some cases you do not even need to actually visit the compromised site if a web site you are viewing has a link on it to a compromised site. This activity does not allow any indication this is happening; in most cases anti-virus/security software will not detect anything at all, or not until it's too late, or may improperly detect the malware and not remove the actual malware payload that is really present, leaving the user to think the removal worked and they are safe when in reality the actual payload is still present and goes undetected and performs its function hidden from the user and anti-virus/security software packages.

Re: Oracle patches critical bug!

Posted: Sat Sep 01, 2012 4:02 pm
by Shield
Yeah pretty nasty stuff. I heard Oracle knew about this security hole for like three months
but didn't do anything until it got that much attention by the media.

Re: Oracle patches critical bug!

Posted: Sat Sep 01, 2012 4:49 pm
by kermit
Shield wrote: Yeah pretty nasty stuff. I heard Oracle knew about this security hole for like three months
but didn't do anything until it got that much attention by the media.
Wait till you hear how many months it takes for Apple to patch Java on OSX after Oracle releases security patches :lol: :lol:

Re: Oracle patches critical bug!

Posted: Sat Sep 01, 2012 5:31 pm
by Shield
:lol:

Re: Oracle patches critical bug!

Posted: Sat Sep 01, 2012 11:05 pm
by idle
kermit wrote:
Shield wrote: Yeah pretty nasty stuff. I heard Oracle knew about this security hole for like three months
but didn't do anything until it got that much attention by the media.
Wait till you hear how many months it takes for Apple to patch Java on OSX after Oracle releases security patches :lol: :lol:
Apple are probably running JRE 6 still so no worries!