Java Security

WordPress attacks try to infect users with dangerous rootkit

February 01, 2012

Automated attackers are trawling the web for vulnerable WordPress blogs so they can silently redirect users to dangerous exploits. So far, however, the number of victims is in the hundreds.
 

Oracle updates Java, Adobe patches ColdFusion

December 13, 2011

An update from Oracle clears up, among other vulnerabilities, an issue that caused Java 6 Update 29 to break SSL connectivity. Meanwhile, Adobe offered a fix for its ColdFusion development platform.
 

New Java exploit one of many impacting firms

December 01, 2011

A new exploit, which has made its way into the Metasploit framework, underscores the danger posed by Java vulnerabilities, which are responsible for many of today's enterprise malware threats.
 

Oracle patches 21 vulnerabilities in Java

February 18, 2011

In its February Critical Patch Update (CPU) released this week, Oracle is patching 21 vulnerabilities across its popular Java SE and Java for Business products. In a release, the company said 19 of the Java flaws affecting the Java Runtime Environment could be exploited remotely in network attacks without needing a username and password. Eight of the patches come with the highest rating on the Common Vulnerability Scoring System (CVSS). Oracle is "strongly" urging customers to apply the new fixes, as well as previous patches, as soon as possible. - GM
 

Apple "deprecates" Java in OS X, releases fixes

October 22, 2010

Apple this week released security updates for Java for Mac OS X Leopard (10.5) and Snow Leopard (10.6), but hinted in its release notes that the software may be removed from future versions of its operating systems. The updates fix several bugs that could allow an attacker to execute arbitrary code, according to a Thursday advisory from US-CERT. "Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X," the release notes state. The Java runtime shipping in Leopard and Snow Leopard will, however, continue to be supported, Apple said. The declaration from Apple comes the same week that Microsoft warned of mass exploitation of Java to foist malware. — AM
 

Microsoft warns of "unprecedented" Java exploitation

October 18, 2010

The number of attacks on vulnerable Java code spiked during the third quarter of the year and has reached "unprecedented" levels, a Microsoft malware expert said on Monday.
 

Oracle issues massive quarterly update with Java fixes

October 13, 2010

Oracle on Tuesday released a massive quarterly security update with fixes for a number of enterprise products, as well as a separate batch of security fixes for Java.
 

New phishing technique exploits browser tab use

May 25, 2010

A Firefox developer has discovered a new phishing attack method dubbed "tabnabbing," which preys on browser tabs and the fact that users generally don't keep track of all the tabs they have open at one time.
 

Apple issues security updates for Leopard OS

September 04, 2009

After the release last week of its new Snow Leopard operating system, Apple has issued a security update for the Java component in its Leopard OS, Mac OS X 10.5.