Java update 8.51 is now available, and you need to upgrade if you wish to run the program without known security flaws. General support for Java versions 6 and 7 has ended, yet many people don't use it often enough to even realise that their version is outdated. Java is still widely used for web-based applications in a lot of business environments, which often makes complete uninstallation impractical - so it's extremely important to ensure you're running the latest, patched version.
There is also an option in the Java control panel to disable support for Java-based content across all browsers.
23 of the 25 vulnerabilities fixed in this recent patch can be remotely exploited with no authentication necessary. Sixteen of the flaws affect only the client deployment, while five of them affect both client and server deployments.
Until this update was released, one of the vulnerabilities - CVE-2015-2590 - had zero-day status, meaning that it was already being exploited by a prominent group of hackers known as Pawn Storm or APT28. The group used the vulnerability to target governmental, military and media organisations. Trend Micro (yep, the anti-virus software Trend Micro) researchers discovered the group cyber-attacking the armed forces of an unnamed NATO country as well as a US defense organisation. The targets were sent spear-phishing emails that contained links to pages hosting the exploit. There are rumours that the group are linked to Russia's security services, which may explain their choice of targets.
While Java was the most frequently attacked browser plug-in just a few years ago, Oracle increased security efforts with version 8 and this latest zero-day exploit is the first in almost two years.
Java's parent company, Oracle, also released a range of updates for other products and services to fix a further 193 vulnerabilities within the software.
You can read more about the Critical Patches on the blog of Eric Maurice, director of software security assurance at Oracle.
Unrelated but equally serious is the discovery of three zero-day vulnerabilities within Adobe Flash Player. Two of these newly found Flash vulnerabilities have already been integrated into exploit kits that are being used in malvertising attacks. Fortunately Chrome's security seems to be holding strong around Flash, but there's been no news as to the fate of the plug-in on other browsers.