Oracle has issued a critical advisory for 30 vulnerabilities in the Java Runtime Environment. Most of the flaws affect the JRE itself; a couple of them are for JavaFX.
Here is our update table:
- JRE 7 Update 7 and earlier: affected => update to Update 9 now
- JRE 6 Update 35 and earlier: affected => update to Update 37 now
- JRE 5 Update 36 and earlier: affected => no patch available!
As always, you can get the latest Java updates via the following methods:
- WINDOWS: open Start > Control Panel > Java. Click the Update tab and select Update Now. (You can also enable automatic updates from this tab.)
- Any other method: http://www.java.com – click the Free Java Download. It should auto-detect your system.
NOTE: If you use the offline installer from java.com, be aware that it bundles either the Ask Toolbar or McAfee Security Scan Plus. Installing either one is not recommended, but that choice is up to you.
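As an added example (not part of the original post), here is a small Python script that parses the output of `java -version` and checks it against the affected-version table above; the thresholds are the ones listed in this post, and the function names are my own.

```python
"""Check an installed JRE against the affected ranges listed in this post
(Oracle's advisory: 7u7 and earlier, 6u35 and earlier, 5u36 and earlier)."""
import re
import subprocess

# family -> (last affected update, fixed update or None when no patch exists)
AFFECTED = {
    7: (7, 9),      # JRE 7u7 and earlier -> move to 7u9
    6: (35, 37),    # JRE 6u35 and earlier -> move to 6u37
    5: (36, None),  # JRE 5u36 and earlier -> no patch available
}

# Matches the classic version string, e.g. java version "1.7.0_07"
_VERSION_RE = re.compile(r'version\s+"1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Extract (family, update) from `java -version` output: '1.7.0_07' -> (7, 7).
    A version with no update suffix (e.g. '1.6.0') is treated as update 0."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("could not find a Java version string")
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def assess(family, update):
    """Return 'ok', 'update to <family>u<fixed>', or 'no patch available'."""
    if family not in AFFECTED:
        return "unknown family; check Oracle's advisory"
    last_bad, fixed = AFFECTED[family]
    if update > last_bad:
        return "ok"
    if fixed is None:
        return "no patch available"
    return "update to %du%d" % (family, fixed)


def check_installed():
    """Run the local `java -version` (it prints to stderr) and assess the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "java not found on PATH"
    return assess(*parse_java_version(proc.stderr + proc.stdout))


if __name__ == "__main__":
    print(check_installed())
```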
Read more about different Java issues:
Facebook has announced the expansion of its alliance with antivirus companies in the hope of better securing its users and promoting good privacy. Here is a quick summary of the details:
Today, we are excited to announce the expansion of our AV Marketplace to include 7 new partners to our growing coalition of security companies. Starting now, Facebook users will be able to download software from – avast!, AVG, Avira, Kaspersky, Panda, Total Defense, and Webroot. Not only do we have new partners but also many of our existing partners – Microsoft, McAfee, Norton, TrendMicro, and Sophos – will begin offering anti-virus software for your mobile devices. You can visit the AV Marketplace now to download your free anti-virus software for PC, Mac and Mobile.
Our new anti-virus partners bring with them both the latest software and comprehensive intelligence. As with our existing partners, these seven companies will help protect Facebook’s community of over a billion users by improving our URL blacklist system. This system scans trillions of clicks per day, and before each click, the system consults the databases of all our AV Marketplace partners to make sure the website you are about to visit is safe. This means that whenever you click a link on our site you are protected both by Facebook and 12 of the industry leaders in computer security. We will be cooperating with these partners more in the future, and look forward to announcing new tools soon.
Read more now at the Facebook blog
LulzSec member Raynaldo Rivera, who was arrested at the end of August, appeared in court this past Thursday (Oct. 11) and pleaded guilty to charges of being involved in hacking into Sony Pictures, as well as stealing personal information, passwords, and other personal data from thousands of users.
Under the plea agreement, Rivera will pay restitution to his victims and faces a maximum penalty of a five-year prison sentence and a fine of at least $250,000.
This “simple SQL injection” apparently cost Sony over $600,000, which is not chump change by any means.
Rivera used the HideMyAss proxy service, in violation of its Terms of Service, to probe Sony servers for potential vulnerabilities. HideMyAss cooperated with authorities, providing a report of the data transactions made by the hacker.
The town of Burlington, Washington fell victim to a recent attack by a band of unknown hackers, who stole $400,000 in the operation. Odds are that taxpayer data was stolen as well.
Burlington officials have warned residents of the city that their private data may have been stolen and that they could become targets of identity theft. A number of billing systems in the town were attacked, notably the online automatic utility billing system, which holds a large amount of resident data. Once these systems were compromised, the hackers were able to siphon $400,000 out of the city’s funds.
According to Computer World, in an alert issued this morning, city administrator Bryan Harrison said all autopay customers should assume that their name, bank account number and routing number were compromised following an intrusion into a city utility billing system.
Authorities are still investigating this issue, and will provide updates soon.
- Police: Hackers Take $400,000 From Washington City Account (seattle.cbslocal.com)
- Hackers steal $487K from Washington town (kgw.com)
The US Department of Homeland Security is warning about vulnerabilities in a common SCADA (supervisory control and data acquisition) package that is used to remotely monitor and manage solar energy-generating power plants.
The DHS’s ICS-CERT issued an advisory on Wednesday that exploit code was circulating on the internet for security holes affecting the Italian vendor Sinapsi’s eSolar Light Photovoltaic System Monitor.
The eSolar Light Photovoltaic System Monitor is a SCADA product that allows solar power stations to simultaneously monitor different components of photovoltaic arrays, such as photovoltaic inverters, energy meters, gauges and so on.
ICS-CERT said in its advisory that the vulnerabilities, if successfully exploited, could allow attackers to remotely connect to the management server, “executing remote code, possibly affecting the availability and integrity of the device.”
General information pulled from the blog on Naked Security:
- Hackers pwn the sun – Exploit code released for software used to manage solar energy plants (nakedsecurity.sophos.com)
As we reported yesterday, users were told to downgrade from Firefox 16 to 15.0.1 because of a vulnerability. That vulnerability has now been fixed, and Firefox 16.0.1 is available.
To get the newest version of Firefox now (if it hasn’t already prompted you), click the orange Firefox button, then select Help > About Firefox > Check for Updates.
On the same blog post we pointed to yesterday, Mozilla developers posted an update:
- An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
- A fix for the Android version of Firefox was released at 9pm PT on Oct 10.
Issue: Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.
Impact: The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.
Status: Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available.
Reference: Mozilla Blog
How to downgrade the easy way
If you’re using version 16, it is highly recommended that you downgrade now. The easy way to downgrade Firefox is to go to http://getfirefox.com and download the installer for 15.0.1.
Once you have downloaded the installer, double-click it to run it and allow it to “Upgrade” the existing install; the installer does not recognize that it is actually downgrading Firefox.
Once that’s done, start Firefox again and it will be back on 15.0.1, free of the vulnerability.
Spammers now have more material thanks to the leak of a Hulk Hogan sex tape. The alleged tape surfaced earlier this year, was placed with at least one studio, and is now a key lure in email, IM and SEO spam.
If that isn’t bad enough, Heather Clem, who is alleged to appear in the footage, is “completely devastated” by it.
Many other stories are popping up about the tape and it’s becoming a big buzz. What’s sad is that the rise of social networking contributes to the rise of celebrity problems, which I’m sure was predicted. Celebrities don’t belong with normal people, because either the celebrity goes crazy or the fan goes crazy.
As usual, if you receive any emails about the Hogan sex tape, ignore them, and do not download the attached EXE file or video that supposedly contains the footage. Doing so can allow malware to take control of your computer.
To prevent spam from causing problems on your computer, it’s best to secure your computer with Surfright Anti-Spam.
Internet access in various parts of the Islamic Republic was disrupted yesterday after hackers attacked Iran’s infrastructure and communications companies. “Yesterday we had a heavy attack against the country’s infrastructure and communications companies which has forced us to limit the Internet,” Mehdi Akhavan Behabadi, secretary of the High Council of Cyberspace, told the Iranian Labour News Agency, according to Reuters.
Some officials claim that Internet access in Iran is constantly disrupted by cyberattacks; however, yesterday’s were the most noticeable. This would be one of the largest cyberattacks so far, with several gigabytes of traffic overwhelming Iranian infrastructure. There is still widespread suspicion that the US and Israel could be involved, as a response to Iran’s nuclear program.
It is also noticeable that the cyberwar is heating up for Iran, and that Iran could be mounting counterattacks, such as the recent one against US banks. All of these concentrated attacks are part of military plans that are developing “cyber warriors” or a “cyber army”. As always, news about cyberwar will continue to appear on this blog.
Yesterday, the Federal Trade Commission (FTC) announced a crackdown on tech support and fake antivirus scams that have been a problem for years. The scams, such as bogus computer cleanup programs and phone-based tech support scares, are subject to asset freezes as well as lawsuits against the six companies involved in the crackdown. Among them are Technogennie, Virtual PC Solutions, and Connexions InfoTech Services.
Scareware scams have gone on for years, from classics such as SpySheriff (2005) to Personal Antivirus (2009). Many waves of scareware have appeared over the years, but they have fallen off more and more in the last couple of years. Why? Scareware crackdowns by the FBI, FTC, etc. Many scams are being caught a lot faster, so the damage to user communities is very limited.
The companies caught in the current FTC crackdown were boiler-room operations, making cold calls to people in English-speaking communities. Their approach was to frighten potential customers into believing their computer was infected and then tell them to purchase a solution by paying right away with a credit card. By the time users realized their computer was either not infected at all or that it was a scam, it was too late and the customer had been ripped off. Many banks offer chargebacks, but only if the person can truly demonstrate that it was a scam. If no evidence can be produced, it is hard to get a chargeback.
After receiving over 2,000 complaints (an estimated 2,400), the FTC immediately froze the companies’ assets, shut down the phone numbers used for the cold calling, and began a rapid investigation. Victims were usually charged between $49 and $450 to have a “techie” clean their system. Many of the cold callers posed as Dell, Symantec, or even McAfee.
More news about the asset freeze is on the FTC website.
Earlier this week, the FTC also won a $163 million settlement in a three-year-old case against Innovative Marketing Inc. (IMI) and Kristy Ross, a former officer of the company. More on that at the FTC website as well.