News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
You are here: Home / Enterprise Software / Did Oracle Drop the Java Patch Ball?
Gartner's #1 for endpoint backup
Did Oracle Drop the Java Patch Ball?
Did Oracle Drop the Java Patch Ball?
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
SEPTEMBER
04
2012



Just when you thought you were safe from the Java exploit: Beyond Apple device IDs being allegedly hacked from an FBI agent's laptop via last week's Java flaw, a security firm in Poland, Security Explorations, is saying a patch issued by Oracle still leaves the software insecure.

And Symantec, the SANS Institute's Internal Storm Center and Websense are sounding the alarm about new approaches being used for the Java exploit. Oracle could not immediately be reached for comment.

Nitro Attacks Revisited

In October 2011, Symantec documented a particular targeted attack campaign dubbed The Nitro Attacks. Attackers were primarily targeting chemical companies. Symantec said those attackers have escalated their efforts through a zero-day Java vulnerability in the wild.

"The traditional modus operandi of the Nitro attackers is to send an e-mail to victims," Symantec reports in its Security Response blog. "That e-mail contains an attachment, which is a password-protected self-extracting zip file. The e-mail claims to be an update for some piece of commonly installed software. The targeted user extracts it, runs it, and is infected with a copy of Backdoor.Darkmoon (also known as Poison Ivy)."

In these latest attacks, Symantec said, the attackers have developed a more sophisticated technique. They are using a Java zero-day, hosted as a .jar file on Web sites, to infect victims. Like the October 2011 attacks, Symantec said the attackers are using Backdoor.Darkmoon, re-using command-and-control infrastructure, and even re-using file names such as "Flash_update.exe".

"It is likely that the attackers are sending targeted users e-mails containing a link to the malicious jar file," the firm said. "The Nitro attackers appear to be continuing with their previous campaign."

Infamous Amazon E-Mail

Meanwhile, SANS and Websense are both pointing to a Java exploit that, if successful, could allow cyber criminals to deliver more malicious payloads to victims' machines. And that, Websense said, could lead to the exfiltration of personal and financial data. It comes in the form of an e-mail supposedly from Amazon that directs victims to a page containing the recent Java exploit.

"On 1st September, Websense ThreatSeeker Network intercepted over 10,000 malicious e-mails with the subject 'You Order With Amazon.com' enticing the recipient to 'click here' to verify a fictitious order...." Websense wrote on its blog.

"Once the victim has clicked the link, they are redirected to an obfuscated page hosting the Blackhole Exploit Kit....This e-mail campaign further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques in order to exploit both recent software vulnerabilities and the trusting nature of end-users."

Java Mismanagement?

Charles King, principal analyst at Pund-IT, said the drama around the Oracle Java patch underlines the danger of Java -- but it also highlights the challenges that a vendor unfamiliar with a given technology can experience when it becomes largely responsible for that technology.

"By all accounts, one of the most attractive factors of the Sun acquisition for Oracle was the company's investment in Java. Oracle considered that to be a potentially very valuable property," King said.

"I can't say that the company's management of Java, and this is a good example, has been particularly stellar. Just because you buy a Ferrari doesn't mean that you become a great race-car driver. It takes a certain amount of skill and willingness and responsibility that, when absent, can lead to some embarrassing situations like the one Oracle is in right now."

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY BE OF INTEREST
IT departments are embracing cloud backup, but there's a lot you need to know before choosing a service provider. Learn all the critical things you need to know by accessing the white paper, "5 Things You Didn't Know About Cloud Backup". Access the White Paper now.
MORE IN ENTERPRISE SOFTWARE
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Dairy Queen Latest Retailer To Report Hack
Known for its hot fries and soft-serve ice cream, Dairy Queen just made cyber history as the latest victim of a hack attack. The fast food chain said that customer data at some stores may be at risk.
 
Lessons from the JPMorgan Chase Cyberattack
JPMorgan Chase is investigating a likely cyberattack. The banking giant is cooperating with law enforcement, including the FBI, to understand what data hackers may have obtained.
 
Who Is the Hacker Group Lizard Squad?
Are they dangerous or just obnoxious? That’s what many are wondering about the hacker group Lizard Squad, which tweeted out a bomb threat that grounded a flight with a Sony exec aboard.
 

Enterprise Hardware Spotlight
Intel Intros Lightning-Fast PC Processors
Call it extreme. Intel just took the covers off its first-ever eight-core desktop processor, which is aimed at hardcore power users who expect more than the status quo from their computers.
 
HP Previews ProLiant Gen9 Data Center Servers
Because traditional data center and server architectures are “constraints” on businesses, HP is releasing new servers aimed at faster, simpler and more cost-effective delivery of computing services.
 
Apple Set To Release Largest iPad Ever
Tech giant Apple seems to have adopted the mantra “go big or go home.” The company is planning to introduce its largest iPad ever: a 12.9-inch behemoth that will dwarf its largest existing models.
 

Mobile Technology Spotlight
iWatch Watch: What Will Apple Ask Us To Wear?
There are still more questions than answers when it comes to details about the smart watch Apple seems poised to debut on Sept. 9. In fact, nobody seems completely sure that it will be a smart watch at all.
 
Google Successfully Tests Its Own Delivery Drone
While top technology companies are engaged in an "arms race" to develop drones that can quickly deliver goods to anyone anywhere, Google has revealed it successfully tested its own version.
 
Will iPhone Finally Catch Up with NFC Mobile Payment Ability?
Apple's latest version of the iPhone may have a mobile wallet to pay for purchases with a tap of the phone. The iPhone 6 reportedly is equipped with near-field communication (NFC) technology.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.