Showing posts with label zero-day. Show all posts

Wednesday, September 26, 2012

Oracle Knew About Currently Exploited Java Vulnerabilities for Months, Researcher Says

Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.

Oracle’s emergency Java patch opens the door to more vulnerabilities

After an exploit in the latest Java 7 framework was discovered, Oracle (ORCL) responded with an emergency patch to fix the problem.

Internet Explorer Zero-Day Flaw Exploited by Same Java Gang

Attackers are exploiting a new security vulnerability in Internet Explorer and security experts are recommending users stop using IE until the flaw is patched.

CRIME update, massive JAVA exploit, Samsung's remote wipe issue, Your questions, and more.

Researcher digs up another zero-day Java bug


Computerworld - A security researcher known for finding Java bugs has uncovered a new critical zero-day vulnerability in all currently-supported versions of the popular Oracle software.
The bug, which was publicly reported on the Full Disclosure security mailing list Tuesday by Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, can be leveraged to hijack a machine equipped with Java, letting attackers install malware on the system.
Windows PCs and Macs are equally at risk if their users have installed Java, or in the case of OS X, are running 10.6, aka Snow Leopard, or earlier. Snow Leopard was the last edition where Apple bundled Java with the operating system.
All currently-supported versions of Java, including Java 5, Java 6 and Java 7, contain the bug.





Wednesday, December 2, 2009

SSL/TLS Zero-day flaw found in web encryption

"Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for web transactions.

The flaw in the TLS authentication process allows an outsider to hijack a legitimate user's browser session and successfully impersonate the user, the researchers said in a technical paper.

The fault lies in an "authentication gap" in TLS, Ray and Dispensa said. During the cryptographic authentication process, in which a series of electronic handshakes take place between the client and server, there is a loss of continuity in the authentication of the server to the client. This gives an attacker an opening to hijack the data stream, they said.

In addition, the flaw allows practical man-in-the-middle attacks against hypertext transfer protocol secure (Https) servers, the researchers said. Https is the secure combination of http and TLS used in most online financial transactions."

Read the full story at ZDnet UK