Very recently, Facebook employees were hit by malware, and it is good to see that organizations have now started acknowledging that they were under attack. In previous instances it used to take organizations months, or even years, to admit such facts.
https://m.facebook.com/note.php?note_id=10151249208250766
Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.
One interesting fact about this incident is that a Java 0-day was used to infiltrate the laptops.
After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.
In the past, too, Java-based exploits have been used to great effect, partly because of Oracle's patch release schedule. This time, however, Oracle was quick to identify the flaws and patch them.
Critical Patch Updates are collections of security fixes for Oracle products. They are available to customers with valid support contracts. They are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
16 April 2013
16 July 2013
15 October 2013
14 January 2014
For Oracle Java SE Critical Patch Updates, the next scheduled dates are:
18 June 2013
15 October 2013
14 January 2014
Please note above: Oracle is planning to release an updated version of the February 2013 Java Critical Patch Update. This updated February 2013 Java Critical Patch Update will be published on February 19th and will include the fixes that were originally planned for distribution but were not ready in time to be released on February 1st. For more information, see https://blogs.oracle.com/security.
Just follow the rule of thumb: when you have no use for Java, remove it. It doesn't matter whether you are an individual or a corporation.
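As an added illustration (not code from the original post, Facebook or Oracle), a small Python audit that applies the rule above across a machine inventory: no Java installed is fine, Java installed but not needed should be removed, and Java that is needed but below the current patch level should be updated. The host list and the baseline update levels are constructed placeholders, not values from the post.

```python
import re
from typing import NamedTuple, Optional

# Legacy Java SE version strings look like "1.<major>.0_<update>",
# e.g. "1.7.0_13" is Java 7 Update 13; a bare "1.7.0" means update 0.
_VERSION_RE = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?")

def parse_java_version(text: str) -> tuple:
    """Return (major, update) for a legacy Java SE version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

class Host(NamedTuple):
    name: str
    java_version: Optional[str]  # None when no JRE is installed
    java_required: bool          # does this machine actually need Java?

# Placeholder baseline (assumed, not from the post): the minimum update
# level per major version that counts as patched. Replace with the
# update levels of the current Oracle Critical Patch Update.
BASELINE = {6: 39, 7: 13}

def classify(host: Host, baseline=BASELINE) -> str:
    """Decide remove / update / ok for one host, per the rule of thumb."""
    if host.java_version is None:
        return "ok: not installed"
    if not host.java_required:
        return "remove: Java installed but not needed"
    major, update = parse_java_version(host.java_version)
    minimum = baseline.get(major)
    if minimum is None:
        return f"review: Java {major} not covered by baseline"
    if update < minimum:
        return f"update: {host.java_version} is below 1.{major}.0_{minimum}"
    return "ok: patched"

def audit(hosts) -> dict:
    return {h.name: classify(h) for h in hosts}

# Constructed sample inventory, not real data.
SAMPLE = [
    Host("dev-laptop-01", "1.7.0_11", True),
    Host("dev-laptop-02", "1.7.0_13", True),
    Host("finance-pc-07", "1.6.0_37", False),
    Host("kiosk-03", None, False),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:15} {verdict}")
```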
On a lighter note: