This newly discovered bugs in Java and Python is a big deal today. The two popular programming languages, Java and Python, contain similar security flaws that can be exploited to send unauthorized emails and bypass any firewall defenses.
And since both the flaws remain unpatched, hackers can take advantage to design potential cyber attack operations against critical networks and infrastructures. The unpatched flaws actually reside in the way Java and Python programming languages handle File Transfer Protocol links, where they don't syntax-check the username parameter, which leads to, what researchers call, protocol injection flaw.Read more
A patch released by Oracle in 2013 can be easily bypassed to attack the latest Java versions, security researchers said. A patch for a critical Java flaw released by Oracle in 2013 is ineffective and can be easily bypassed, security researchers warn.
This makes the vulnerability exploitable again, paving the way for attacks against PCs and servers running the latest versions of Java. The flaw was rated by Oracle 9.3 out of 10 using the Common Vulnerability Scoring System. It can be exploited remotely, without authentication, to completely compromise a system’s confidentiality, integrity and availability.Read more
Security issues have long tantalized over 850 Million users that have Oracle's Java software installed on their computers. The worst thing is that the software was not secure for years, exposing millions of PCs to attack.
And for this reason, Oracle is now paying the price. Oracle has been accused by the US government of misleading consumers about the security of its Java software. Oracle is settling with the Federal Trade Commission over charges that it "deceived" its customers by failing to warn them about the security upgrades. Java is a software that comes pre-installed on many computers and helps them run web applications.Read more
Exactly a month ago, we were reporting on an issue that exposed many Java applications to security holes due to how developers handled user-supplied deserialized data via the Apache Commons Collections library.
The vulnerability caused some waves in the Java community, but since the issue was not a bug in the library, but an incorrect way of handling deserialized data, there was nothing to do than to warn other developers and promote best coding practices. According to recent research carried out by Caleb Fenton from SourceClear, 70 other libraries have the same issue when dealing with user-supplied deserialized data.Read more
Several popular Java-based products are affected by a serious vulnerability that can be exploited by malicious actors to remotely execute arbitrary code.
FoxGlove Security experts showed how deserialization vulnerabilities in Java applications can be exploited for remote code execution via the popular Java library Apache Commons Collections. Building on previous research from Gabriel Lawrence and Chris Frohoff of Qualcomm, FoxGlove Security researchers demonstrated how easy it would be for an attacker to exploit Java-based application servers and other products that use Apache Commons Collections.Read more
Trend Micro has issued predictable-but-sensible advice that Java should be switched off, because there's a zero-day being exploited in the wild. Researchers said the exploit will hose systems running the latest Java platform. Because there's no patch, they added users should disable the code.
The attackers have been linked to Operation Pawn Storm, which targeted the likes of the North Atlantic Treaty Organisation and the White House. The attackers' tactics, techniques, and procedures suggest the exploit was used by the same actors behind 2014 attacks on the White House and NATO among others under the campaign dubbed Operation Pawn Storm.Read more
Four Columbia University boffins reckon they can spy on keystrokes and mouse clicks in a web browser tab by snooping on the PC's processor caches. The exploit is apparently effective against machines running a late-model Intel CPU.
Security researchers have discovered a number of critical vulnerabilities in the Java environment of the Google App Engine that enables attackers to bypass critical security sandbox defenses.
GAE offers to run custom-built programs using a wide variety of popular languages and frameworks, out of which many are built on the Java environment. By exploiting the vulnerabilities, security researchers were able to bypass Google App Engine whitelisting of Java Runtime Environment Classes and gain access to full JRE. They discovered 22 full Java VM security sandbox escape issues and were able to exploit 17 of them successfully.Read more