It’s time for another Java update — and it’s a relatively big one. Oracle is releasing fixes for 42 security bugs in its highly vulnerable Java programming language today. Thirty-nine of those bugs enable hackers to hit you with attacks you may never detect.

For security professionals, Java has been the gift that keeps on giving — if the gift was a stomach virus. Despite repeated updates to the programming language, cyber-criminals continue to find new ways to exploit it. They’ve hit hundreds of thousands of nameless individuals to big-time companies such as Apple, Microsoft, and Facebook with their variety of attacks.

Oracle announced the update in an announcement yesterday, saying the patch is slated for today. The company specifically states that the 39 called-out bugs “may be exploited over a network without the need for a username and password.”

New dialog boxes for the Java browser plugin are also being released. These are warning windows that pop up whenever Java is trying to run. The type of warning you receive is based on the quality of the digital certificate of that app.

Low-risk warnings will appear if the certificate can be identified and has been signed by a certificate authority, or if the identified certificate has extra information. For these you will see either the Java logo, publisher’s logo, or a blue shield. You’ll be able to hide future warnings for publishers who provide these credentials.

High-risk apps, however, will show you a yellow warning triangle for those apps that have an untrusted or expired certificate. A yellow shield is displayed for unsigned or invalid certificates. For these apps you will have to both check a box that says, “I accept the risk and want to runt his app” and then click “run.” Or you can immediately click cancel.

As we’ve seen with the last rounds of Java updates, however, there are more untapped vulnerabilities to be found. Consider keeping Java off (and if you haven’t turned it off yet, you should do so) and waiting to see if anything is uncovered in the weeks following the release.

hat tip Ars Technica; Oracle image via Peter Kaminski/Flickr, Unsigned cert dialogue box image via Oracle

A Google developer is celebrating an Apple success today. That is, the iPhone maker has finally enabled HTTPS for all of its App Store today, fixing a number of vulnerabilities the Google developer discovered and reported.

Elie Bursztein discovered and reported the issue to Apple in “early July,” according a blog post by the developer. He said that by not having HTTPS enabled across of all of the network traffic from Apple’s App Store, it opened itself (and its customers) up to a number of attacks. This includes password stealing, tricking a user to download an unwanted app, preventing app downloads or app updates, and stealing information about what apps are on a device.

An attacker only needs to be on the same network as the person who is using the App Store. From there, they can intercept the communications between the device and the App Store and insert their own commands, achieving the desired trickery. In the case of stealing a person’s Apple ID password, the attacker would only need to insert a fake prompt for the password when the person boots up the App Store. They are then tricked into thinking that opening the App Store is what caused the password prompt, and thus trust it.

Check out the video below to see Bursztein demonstrate this attack.

Apple, according to Bursztein, has finally turned on HTTPS, veritably plugging up these holes that fuel these attacks as well.

Usually, the Android system is the one dinged with criticisms about security. According to a recent study by security research firm F-Secure, 72 percent of mobile malware can be attributed to Android. But research such as Bursztein’s shows that nothing is really 100 percent safe, not even iOS.

hat tip The Verge; App Store image via Brusztein’s YouTube

Chrome, Internet Explorer, and Firefox all fell to the mercy of the hackers today. That is, in a controlled environment.

Security firms Vupen and MWR Labs were able to crack the browsers during a condoned bug-hunt today, with one company winning $100,000 for finding a huge hole.

The Pwn2Own competition is an event at the CanSecWest conference in Vancouver. HP’s DVLabs created the competition as part of its Zero Day Initiative: an attempt to get more people to find and report bugs as opposed to exploiting them for personal gains. This year’s Pwn2Own competition turned up a number of interesting hacks, with three major browsers all falling: Firefox, Internet Explorer, and Chrome.

Vupen, a security research firm based in France, cracked both Firefox and Internet Explorer. It roughly explained the attack in a tweet (warning: A lot of security vocabulary is incoming), “We’ve pwned Firefox using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP.”

The technique involves recalling memory that the browser had previously “freed,” (user-after-free), after which they were able to mess with the technology that protects a computer system from letting bad code execute.

In Internet Explorer’s case, Vupen says it found two separate “zero-days,” or previously unknown holes in a system, and used them to get inside a Microsoft Surface Pro tablet. From there, the company was able grab hold of Windows 8.

The company explained, again, in a tweet, “We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass.”

Lastly, U.K.-based security firm MWR Labs cracked Chrome and also gained full control of the operating system, this time Windows 7. It also “demonstrated a full sandbox bypass exploit.” The company explained in a blog post that it found a zero-day in Chrome “running on a modern Windows-based laptop.” It was able to exploit the vulnerability by performing a very similar attack to what took down Facebook, Microsoft, and a number of other well-known companies: It had the laptop visit a malicious website. From there the website probed Chrome and was able to get control of the area of the browser that executes code “in the context of the sandboxed renderer process,” or the protective area that allows code to run, but restrict it from using any other part of the system but the CPU and memory.

The sandbox cannot, however, protect against any attacks against the kernel, or the root of the operating system, it exists in and that’s exactly what MWR took advantage of. It found a vulnerability in the kernel, exploited it, and gained full access to the Windows 7 system.

Shabam.

All of these browsers had been previously patched in preparation for the competition, showing just how much can be missed and how valuable these types of bug-finding events are. MWR won $100,000 as a result. Of course, both MWR and Vupen properly disclosed all the documentation of its findings to the appropriate browser security teams.

hat tip ZDNet; Chrome coffee image via yukop/Flickr

Facebook announced that it was hacked in a blog post today after some of its employees visited an infected mobile developer website in January. The company says it has found no evidence that the breach affected user data.

“They gained limited visibility into our systems,” Fred Wolens, a spokesperson for Facebook, told VentureBeat in an interview, “We’ve accelerated our program to disable Java in our environment.”

The company explained in the blog post that the laptops that were infected were “fully patched” and ran the most up-to-date antivirus software prior to the infection. It is currently working with law enforcement to dig into the hack’s details. The malware came through another issue with Java, the programming language that Oracle recently patched to fix a number of other issues. The Department of Homeland Security even recommended that people uninstall Java since hackers were finding new holes often.

“After analyzing the compromised website where the attack originated, we found it was using a ‘zero-day,’ previously unseen exploit to bypass the Java sandbox (built-in protections) to install the malware,” said Facebook in the blog post. “We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”

Facebook has not specified who the attackers are, and it very well may not know. The company does, however, say that it was “not alone in this attack” and that it wanted to tell the world about this hack quickly so that others can start their own remediation.

hat tip AllThingsD; Thumbs down image via Shutterstock

If you’re running Adobe Acrobat or Reader, you might not want to open any PDFs unless you trust the sender. Adobe confirmed that hackers are currently exploiting a hole in the two programs, using PDFs to trick people into giving them full access to their computers.

The hole was revealed yesterday after security firm FireEye discovered it and reported it to Adobe. Adobe released a statement yesterday and updated it today to say that it is aware of the vulnerabilities and is currently working on a fix. The company went on to call the holes “critical” and confirmed that hackers are specifically using this attack to gain full control of your computer. Once in, they’d be able to access all your information, and if you’re a business, it could be an entry way into the broader network.

The vulnerability touches Adobe Reader XI, versions 11.0.01 and earlier; Reader X, 10.1.5 and earlier; Reader 9.5.3 (and earlier versions only for those Reader versions beginning with 9.x). All those versions affect both Windows and Macs except for the last, which also hits Linux. As far as Adobe Acrobat goes, it affects Acrobat XI, version 11.0.01 and earlier; X, versions 10.1.5 and earlier; and Acrobat 9.5.3, with all versions within the 9.x scheme also affected. Both Mac and Windows programs are hit here as well.

Aside from not opening PDFs, Adobe suggests Windows users protect themselves by using “Protected View.” You can set up Protected View by heading over to the Edit tab and going into Preferences, then Security (Enhanced) menu to turn it on.

Adobe has not yet said when it will release a fix.

Adobe image via midiman/Flickr

(Updated)

The U.S. Department of Homeland Security’s Computer Emergency Readiness Team says no one should use Java until Oracle fixes a hole that permits attackers to jump inside your computer and steal information.

“We estimate that about 100 million computer users are now in immediate danger of getting exploited. Given the current circumstances – wide availability of the exploit code and no fix from Oracle scheduled for the near future – disabling the Java feature in the browser is the wisest choice,” Bitdefender senior e-threat analyst Bogdan Botezatu told VentureBeat in an email.

Java is a widely-used programming language, now overseen by Oracle, that runs on many different platforms, including PCs, Macs, and mobile devices. Java programs are supposed to run in a secure “sandbox,” but security researchers recently found a vulnerability that allows attackers to infect that computer’s systems with software that further allows them to steal personally identifiable information. Of course, that can lead to bank accounts being drained or identity theft.

Beyond that, however, the hole also lets the attacker hook your computer up to a botnet, or a string of computers that can be used to do the bidding of the cyber criminal.

The malicious software is distributed through infected websites that Homeland Security points out could be made to look like legitimate websites.

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the Homeland Security advisory states. “To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available.”

This vulnerability only affects PCs, but a recent and similar incident involving the “Flashback Trojan” showed that Java has weaknesses in Macs as well. According to MacRumors Apple isn’t taking any chances this time and has blacklists Java entirely for its OS X.

We have contacted Oracle and will update the post if we hear back from the company.

UPDATE 1/12/2013: Oracle has stated that “a fix will be available shortly” for the Java flaw, Reuters reports.

via Reuters; Oracle image via Peter Kaminski/Flickr

Cisco released an advisory yesterday, warning that a number of its voice-over-IP phones can be hacked into, allowing anyone to listen in on phone calls and audio in the surrounding area.

The hack affects Cisco’s CiscoUnified IP Phones 7900 Series, versions 9.3(1)SR1 and lower. Once executed, the attacker will not only be able to monitor your phone calls, but it can also turn the microphone on and remotely, over the Internet, listen to any conversations being held in the vicinity. In order to do this, the attacker uses a piece of hardware that connects to the auxiliary port of the phone. With this, the attacker can “root” the phone, or gain full control of the phone.

A way to remotely hack into the phone systems also exists, but you must already have access to the internal corporate network.

Cisco notes that while it cannot patch the physical hardware that enables the hack, it will release a temporary software fix.

The vulnerability was originally exposed at the Chaos Communication Congress in Germany at the end of December. A professor and a doctoral candidate from Columbia University discovered the exploit and reported it to Cisco in November before bringing it public. Cisco only just released a security advisory yesterday, though it says it told customers privately after it was alerted to the issue.

via Ars Technica, Image via CCCen on YouTube

Cloud platform Heroku announced today that it has plugged up a hole in its account creation system that would have let hackers change existing account passwords and take control of any account.

Heroku first heard about the password vulnerability from security researcher Stephen Sclafani on Dec. 19. It says it released a patch the following day. Sclafani found the issue when he realized that Heroku used a two-step sign-in process. That is, you must first enter an email address and then wait for Heroku to send you an email with an activation link to set up your account.

“Multistep sign up processes are notorious for containing security vulnerabilities, and after taking a closer look at Heroku’s, I found that it was possible, given only their user ID, to obtain any user’s email address and to change their password,” said Scalfani in a blog post.

He discovered that a hacker need only play around with an HTTP POST request, or the part of the conversation between a website and a server that asks the server to store information, such as a new password. Before the patch, the server accepted any changes to an account’s password using this request, thus giving the person access to the account. Sclafani found a second vulnerability that let anyone use a similar “attack,” but on the password reset page. Instead of changing a specific account password, however, this vulnerability only let you change the password to a random account.

Patches for  both holes appeared Dec. 20, and Heroku says it could not find any instances where the vulnerability had been used in the past. It went on to say it is “extremely grateful” to him for practicing “responsible disclosure.”

“Despite finding these vulnerabilities I plan to host my startup at Heroku,” said Sclafani. “Security vulnerabilities happen and Heroku handled the reports well.”

You could classify Heroku as a platform as a service company. That is, it’s a cloud computing service that enables people build web applications in a variety of coding languages on top of Heroku’s development platform. It supports Ruby, Python, Node.js, and Java, among other languages and also supplies managing tools to keep your app afloat. The company was founded in 2007, and was bought by cloud customer relationship manager Salesforce in 2010.

Heroku image via igb/Flickr

Oracle patched the hole in Java 7 that allows hackers to secretly download malware to your computer today in an uncharacteristic update to its software, according to Forbes. But it seems the company knew about the issue far longer than the rest of us.

Oracle usually only pushes out updates to its Java software on a quarterly basis, and many did not expect the company to provide a patch for this hole. Indeed, researchers suggested people who did not need to use Java should turn it off just in case. But while the patch is a positive step toward protecting Java users, security researchers at Security Explorations are saying that they told Oracle about the issues four months ago.

The security firm released a list of all the vulnerability reports it supposedly sent to Oracle in April, as well as confirmation that the Java creator received the bug reports. In it, Oracle says it received the report, and pushes a code update in June, but “continues to investigate” other existing issues into August.

The vulnerability in Java 7 Runtime allowed malware writers to push viruses to both PC and Mac computers since both are compatible with the software. It reminded researchers of the Java vulnerability that enabled the Flashback virus that forced Mac users to realize that the Apple-made computers are not impervious to malware. Exploits seen in the wild, however, only attacked PC computers, more than likely because PCs are a larger, more profitable market for hackers.

People “caught” the virus by visiting infected websites. The malware executed a download when the webpage opened, and it did not give any signals that it was downloading other than a few people who saw a “loading” sign over a java icon pop up and disappear.

The vulnerability was even being sold as part of an exploit kit in the hacker underground market. Find the patch for the hole on Java’s website.

via Forbes; Oracle HQ image via Mark Coggins/Flickr

Def Con and Black Hat, while both security conferences held together in Las Vegas, are two very different beasts. One attracts the corporate security type, another the hacker underbelly.

Black Hat could almost be described as mellow in comparison to Def Con, one of the largest running hacker conferences in the world, often attracting up to 12,000 attendees. The con is held at the Rio in Las Vegas, compared to Black Hat, which is held at Caesar’s Palace on the strip.

The two conferences attract chief security officers, hackers, Feds, and press alike. Because of the that, the talks vary too, from those like former FBI executive assistant director Shawn Henry who spoke about finding and getting rid of “the adversary” to hacking planes in mid-air. Indeed, there is a nice mix of preaching to the choir coupled with vulnerabilities and exploits that may or may not have been found illegally.

But both conferences are important to a community of CSOs and hackers that generally are pretty segregated. Black Hat celebrated its 15th year running last week, and Def Con celebrated its 20th.

Check out our gallery below comparing tell which one you’d rather go to next year.

There’s a reason 2011 was called the year of the hack. We saw an 81 percent increase in cyber attacks, according to Symantec, which says it stopped 5.5 billion malicious attacks last year alone.

“It’s really the automation and tool-kits that these folks are using,” said Symantec project manager John Harrison in an interview with VentureBeat. “I think we’re finding we’re not just up against a couple individuals — it’s more and more folks who are doing this. And they’re doing it primarily for financial reasons.”

Harrison explained that hackers from everywhere are able to quickly create malware due to automated tools. In 2011, over 403 million unique malware variants were found, according to a report by Symantec. That’s 41 percent higher than the year prior, and enough variants that every human living in the U.S. could have their own personal malware named after them. Of those 403 million malware variants, many were just slight tweaks on a previous type of malware. For instance, if you have a piece of malware that entered a system through a vulnerability that was recently closed, the malware writer can change the virus using automation to exploit a new hole.

The recent Mac Flashback Trojan is a good example of this. Within a few weeks of the Trojan being discovered, two new variants — Flashback.N and Flashback. S — were found infecting Macs after Apple had patched up its hole in Java.

“It’s definitely becoming wider scale,” said Harrison. “With web attack tool-kits, anyone with $100 and very little knowledge [can create malware]. We call it the consumerization of malware attack kits.”

Symantec warns that it’s not just big businesses and executives who are being targeted by cyber criminals. Any size company and any level of employee can attract a hack. Most hackers seem to be looking for personally identifiable and financial information to be sold on the black market. In 2011, 1.1 million identities were stolen per large breach, small breaches add up as well.

Another reason a small business might be hacked is the opportunity to gain access to a bigger fish through that company. “What’s [a] better [way] to attack the U.S. government than attacking it from inside a company in the U.S.?” said Harrison.

He predicts that 2012 is going to be the year of the mobile hack, as the devices become a part of who we are, and carry much of our sensitive data. Rogue applications are infiltrating app marketplaces like Google Play every day. In addition to mobile, it’s time for Apple computers to watch out. Harrison says now is the time to buy Mac antivirus software.

Mac viruses will increase as hackers gain the tools to create cross-platform viruses that can travel from mobile to Mac to PC without needing new variants.

Map image via Symantec

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Attacking smartphones with malware is to become a profitable business in 2012, according to a report by Lookout Mobile Security. Criminals took an estimated $1 million from Android owners this year, and the threat is only getting bigger.

“Bad guys will always follow the money, and with the meteoric growth of mobile devices there is more money to be made in mobile fraud than ever before,” the company said in a blog post.

It has taken mobile malware writers two years to accomplish what took many over 15 years on the PC, according to Lookout’s chief technology officer Kevin Mahaffey. Mobile is, in essence, the new frontier for people who make money through cyber attacks, and their efforts aren’t going to waste. The Android operating system continues to be a target for mobile malware. Users can expect to encounter attacks four percent of the time, a three percent increase from 2011′s prediction. Web browsing is also becoming a big threat, with 38 percent of Android owners encountering a malicious link — 40 percent if you only consider the United States.

So what exactly is infecting our phones? More cases of smartphone-specific SMS fraud are arriving in the marketplace. But many of these attacks have similarities to PC counterparts. For instance, botnets, malicious advertising and web browser links are becoming more of an issue for mobile devices.

SMS fraud allows a criminal to take over your phone’s messaging permissions to send and receive text messages to a “premium rate number.” Every time the number is used, that malware writer can charge you money. Some instances saw charges of up to $9.99 with the GGTracker Android infection, an attack that focused on US users. More recently, the RuFraud scam was identified. This attacked mostly Eastern European users who downloaded an app skinned to look like a horoscope, Twilight wall paper app, or free versions of popular games such as Angry Birds. When the person clicked through the initial start screen, they “agreed” (see photo right) to a terms of service clause that allowed the app to take over messaging privileges. The ToS was less than legitimate, however, and buried under links so users could not find it. Google removed 22 applications with the RuFraud scam inserted. Lookout expects that a few infected apps will re-enter the marketplace every few days.

Botnets, or a series of interconnected mobile phones that can work together to infect other phones on a large scale have been found. These have not, however, been used to their full potential. Attacks such as Geinimi, which originated out of China, have the ability to take over your phone after receiving commands from a remote server, according to Lookout. They can take your information and can attempt to infect other phones from your own.

Malicious advertising and web links are most similar to their PC counterparts. In order to become affected by malware, a smartphone user must simply click an infected link or advertisement that takes them to a malware website. This is where Apple’s usually protective iOS is actually put at risk. Jailbreaking is not uncommon with the iPhone and many people use jailbroken phones for interesting hacks intended for personal use, not for malicious attacks. For instance, some break into their iPhones to create interesting uses for the Siri application, run different carriers’ services, or port incompatible apps to older operating systems. Some of these jailbreaking websites, however, come with malware that piggy backs onto your newly vulnerable phone.

In-app advertising doesn’t come out unscathed either, with some “malvertisements” popping up right in the app itself.

There are new ways to speed up the process, which can save a malware writer time and money, and new mobile vulnerabilities to exploit. As in any business, the less money you spend on operating costs, the more you get to keep when the revenue starts pouring in. Mobile criminals want to find new, faster, cheaper ways of distributing their malware, and have seemingly figured out a way to automate the “packaging” process. That is, a criminal takes legitimate, existing applications and re-packs them with new mobile malware. The app still looks legitimate, but has picked up a malware hitchhiker. Lookout Mobile is seeing the rapid repackaging of apps exceed rates that are possible when done manually. Some repackaging attempts have been successfully completed in only seconds, thus criminals must have developed a technology to allow them to do this faster.

The other issue with the mobile operating system is the time it takes to update vulnerabilities. Sending patches out to the OS takes time, which means criminals can wring a vulnerability dry before a fix ever arrives.

Apps that are most likely to come with these mobile attacks are gaming, utility (such as flashlights and battery saver apps), and porn applications. Be careful when downloading these, particularly if you are downloading them from third-party app stores such as GetJar. According to Lookout Mobile, these third-party marketplaces are where malware writers try out their new tricks.

As we always advise, be careful what you click — particularly if you are an Android user — and keep a discerning eye in 2012.

[Android image via Shutterstock]

Now that Mozilla has put itself on a rapid release development cycle, similar to what Google does with Chrome, old numbered versions of the product will no longer get security updates. Users that don’t update will likely be exposed to vulnerabilities as they are discovered.

A mozilla.dev.planning mailing list indicates that Mozilla views Firefox as “end of life” for security patches. The last update to Firefox 4 was 4.0.1 on April 28, which fixed eight vulnerabilities.

Chrome has solved the problem of lagging security updates by having the browser automatically update, which means users almost always run the latest and most secure version. Unfortunately, Mozilla does not have automatic updating in place. Instead, a pop-up window shows up on screen to let the user know about the latest major update.

I’ve used both Firefox and Chrome extensively, and I much prefer the Chrome approach. When you see a pop-up telling you to upgrade, you’ll likely only upgrade if you’re not busy doing something else. Automatically upgrading to the latest version forces the user to be safe rather than letting him or her sit there as a hacker takes advantage of a security hole in an old version of the browser.

The only reason users may choose not to update to the new version is to keep their add-ons working if the latest version does not support them. But those users need to ask themselves if a certain add-on or two not working in a new version is worth added security risks.

If you’re a Firefox user and haven’t updated to 5, I’d recommend doing so immediately. If you’re using Chrome, well, let it ride.