Week in Geek: New Critical Java Security Hole is Being Actively Exploited

By Akemi Iwaya on January 13th, 2013

Our latest edition of WIG is filled with news link coverage on topics such as how the Windows 8 Fast Startup feature can put data at risk on dual-boot systems, a critical Ruby on Rails bug that threatens 200,000+ sites, Microsoft confirming Windows Live Messenger – Skype transition bugs, and more.

Skull and crosshair targeting scope clipart courtesy of Clker.com.

Weekly News Links

Security News

Special Note: You can view our article on how to disable and/or uninstall Java on your computer here.

  • Critical Java zero-day bug is being “massively exploited in the wild”
    Your fully patched installation of Java isn’t safe. – A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.
  • Apple blacklists Java on OS X to prevent latest “critical” exploits
    Apple has blacklisted the latest version of the Java browser plugin to protect Mac users from the latest Java exploits. As noted by MacRumors, OS X now requires a newer, as-yet unreleased version of the Java plugin which is expected to patch a flaw that resulted from an incomplete patch added to Java last year.
  • Mozilla touts ‘Click to Play’ in defense against Java vulnerability
    Mozilla has chimed in with its own tips and resources amidst the brewing Java vulnerability scare. – As worries about the Java 7 Update 10 vulnerabilities continue to escalate, Mozilla has addressed the issue in reference to how this concerns Firefox.
  • What You Need to Know About the Java Exploit
    On Thursday, the world learned that attackers were breaking into computers using a previously undocumented security hole in Java, a program that is installed on hundreds of millions of computers worldwide. This post aims to answer some of the most frequently asked questions about the vulnerability, and to outline simple steps that users can take to protect themselves.
  • Extremely critical Ruby on Rails bug threatens more than 200,000 sites
    Servers that run the framework are by default vulnerable to remote code attacks. – Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability in the Ruby on Rails framework that gives remote attackers the ability to execute malicious code on the underlying servers.
  • Microsoft Admits It Has to Fix Its Fix for Internet Explorer
    Microsoft is still working on a patch to fix a recently discovered bug in Internet Explorer 8 and older, but security companies across the globe warn that several websites are getting compromised to take advantage of the flaw.
  • Current Foxit Reader can execute malicious code
    Security expert Andrea Micalizzi has discovered a critical vulnerability in the current Foxit Reader’s browser plugin; according to the researcher, the hole can be exploited to inject malicious code. When a web page instructs the npFoxitReaderPlugin.dll plugin to open a PDF document from a very long URL, a buffer overflow is created on the stack.
  • Adobe warns of critical ColdFusion hole being exploited in the wild
    ColdFusion developers have been warned by Adobe to set usernames and passwords for the remote development service and to disable access to certain directories in order to avoid risk of being compromised.
  • Critical security update for MoinMoin wiki released
    The developers of MoinMoin have closed a critical security vulnerability with the release of version 1.9.6 of their open source wiki software. A vulnerability in the twikidraw and anywikidraw components which could be exploited to execute arbitrary code has been closed. The problem affects MoinMoin 1.9.5 and earlier versions.
  • Critical vulnerabilities in Asterisk
    Digium has fixed several critical vulnerabilities which could be exploited by an attacker to inject code onto the server into its open source telephone system application Asterisk. The vulnerabilities are buffer overflows on the stack which can be exploited using the HTTP, SIP and XMPP protocols.
  • VLC Media Player 8 Banned on Windows 8
    While everyone’s waiting for the official app, a so-called VLC Media Player 8 has been approved for Windows Store, so it may trick people into believing that they’re downloading the software solution developed by VideoLAN. The app is, however, a fake, even though it promises to play “most of the latest formats of video as well as audio files.”
  • Another Fake VLC for Windows 8 App Available for Download
    Even though an official VLC media player for Windows 8 is yet to be released, some software developers across the world are trying to make the most of VideoLAN’s success with similar apps that copy one or more of the original features.
  • Hack turns the Cisco phone on your desk into a remote bugging device
    No fix yet for attack that allows eavesdropping on private conversations. – Internet phones sold by Cisco Systems are vulnerable to stealthy hacks that turn them into remote bugging devices that eavesdrop on private calls and nearby conversations.
  • Nokia ‘hijacks’ mobile browser traffic, decrypts HTTPS data
    A security researcher has found that some Nokia phones pass secure HTTPS data through Nokia’s servers, and this data is decrypted so it can be compressed, in order to reduce data bills.
  • Lost+Found: Password klutzes, cat payloads and a lulzy-PoC
    Too small for news, but too good to lose, Lost+Found is a compilation of the other stories that have been on The H’s radar this week. In this edition: the offensive uses of plain text, proof of concepts for the lulz, 29C3 videos, payload enabled cats and Inception opens up Windows 8.
  • Crimeware Author Funds Exploit Buying Spree
    The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.
  • Yahoo adds HTTPS support to Yahoo mail
    Yahoo has begun to catch up with the other webmail providers and is now offering HTTPS as an option on its service.
  • Polish prof discovers way to encrypt secret messages into silence on Skype (even if the FBI is listening)
    Skype calls use 256-bit advanced encryption by default, but that’s not secure enough for some people. So a prof at the Warsaw University of Technology has created a way to communicate even more privately on Skype — by using silence.
  • Windows RT Jailbreak Tool available, makes running unsigned apps a breeze
    Jailbreaking Windows RT just got easy. Merely days after a complicated method to run unsigned apps on Microsoft’s tablet operating system was uncovered, there is now an automated method available, dubbed RT Jailbreak Tool. No more messing around with debuggers and assemblers.
  • Microsoft Not Pleased with Windows RT Jailbreak Tool, Says It May Block the Hack
    Microsoft is apparently having a change of heart over the recently-released jailbreak tool for Windows RT devices, with the company now suggesting that it may block the hack after all.

Akemi Iwaya is a devoted Mozilla Firefox user who enjoys working with multiple browsers and occasionally dabbling with Linux. She also loves reading fantasy and sci-fi stories as well as playing "old school" role-playing games. You can visit her on Twitter.

  • Published 01/13/13