Oracle releases new Java patch to address this week’s McRat problem

Oracle has released an emergency Java patch addressing the latest in-the-wild exploit targeting the software. The company suggests users apply this update "as soon as possible" due to "the severity of these vulnerabilities." The full patch description and download is available through Oracle's Technology Network (you can also get the patch through the software's auto-update).

This particular vulnerability is being exploited to install a remote-access trojan dubbed McRat. The attacks targeted Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. Security Editor Dan Goodin reported on the issue just three days ago, as attacks were being triggered when people with a vulnerable Java version visited a booby-trapped website.

It almost goes without saying—Java security has left something to be desired lately. High profile companies such as Facebook, Apple, and Twitter all fell at the hands of Java recently. These businesses disclosed that their computers were compromised by exploits later linked to a developer website hacked into a platform for Java exploits. Here at Ars, you can peruse nine separate stories involving Java exploits within the last month alone.

Read on Ars Technica | Comments

Critics: Substandard crypto needlessly puts Evernote accounts at risk

Security experts are criticizing online note-syncing service Evernote, saying the service needlessly put sensitive user data at risk because it employed substandard cryptographic protections when storing passwords on servers and Android handsets.

The scrutiny of Evernote's security comes two days after Evernote officials disclosed a breach that exposed names, e-mail addresses, and password data for the service's 50 million end users. Evernote blog posts published over the past few years show that the company protects passwords and sensitive user data with encryption algorithms and schemes that contain known weaknesses. That is prompting criticism that the company's security team isn't doing enough to protect its customers in the event that hackers are able to successfully compromise the servers or end-user phones.

The chief complaint involves Evernote's use of the MD5 cryptographic algorithm to convert user passwords into one-way hashes before storing them in a database. Use of MD5 to store passwords has long been frowned on by security experts because the algorithm is an extremely fast and computationally inexpensive way to convert plaintext such as "password" into a unique string of characters such as "5f4dcc3b5aa765d61d8327deb882cf99." MD5 makes an attacker's job of cracking the hashes much easier by allowing billions of guesses per second, even on computers of relatively modest means.

Read 13 remaining paragraphs | Comments