One big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.

Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goettl at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).

If you decide to update (more on hobbling or uninstalling Flash in a moment), make sure you watch for unwanted add-ons that come pre-checked with Adobe’s Flash updater. The latest version of Flash for most Windows and Mac users will be v. 20.0.0.306. This page will tell you which version of Flash you have installed (if Flash isn’t installed, the page will offer a downloader to install it).

Patch away, please, but I’d also advise Flash users to figure out how to put the program in a box so that it can’t run unless you want it to. Doing without Flash (or at least without Flash turned on all the time) just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

Finally, Oracle pushed out the second security update (Java SE 8, Update 73) this week for Java JRE. as well as an emergency security update from Oracle for Java — the second patch for Java in a week. This piece explores the back story behind the latest Java update, but the short version is that Oracle is fixing a so-called “DLL side loading bug” that allows malicious applications to hijack Java’s legitimate system processes and avoid having to rely on convincing users double-clicking and executing the malicious file.

This DLL hijacking problem is not unique to Java or Oracle, but I still advise readers to treat Java just like I do Flash: Uninstall the program unless you have an affirmative use for it. If you can’t do that, take steps to unplug it from your browser (or at least from your primary browser).

If you have an specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with  JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

According to Oracle, some 97 percent of enterprise computers and a whopping 89 percent of desktop systems in the U.S. run some form of Java. This has made Java JRE (the form of Java that runs most commonly on end-user systems) a prime target of malware authors.

“Exploit kits,” crimeware made to be stitched into the fabric of hacked and malicious sites, lie in wait for visitors who browse the booby-trapped sites. The kits can silently install malicious software on computers of anyone visiting or forcibly redirected to booby-trapped sites without the latest version of the Java plugin installed. In addition, crooks are constantly trying to inject scripts that invoke exploit kits via tainted advertisements submitted to the major ad networks.

These exploit kits — using names like “Angler,” “Blackhole,” “Nuclear” and “Rig” — are equipped to try a kitchen sink full of exploits for various browser plugins, but historically most of those exploits have been attacks on outdated Java and Adobe Flash plugins. As a result, KrebsOnSecurity has long warned users to remove Java altogether, or at least unplug it from the browser unless and until it is needed.

On Jan. 27, 2016, Oracle took a major step toward reducing the effectiveness of exploit kits and other crimeware when the company announced it was pulling the browser plugin from the next desktop version of Java – Java JRE 9.

“By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies,” wrote Dalibor Topic, principle product manager for Open Java Development Kit (OpenJDK).

“With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology,” Topic continued. “Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release.”

Crooks have used Java flaws to attack a broad range of systems, and not just Windows PCs: In 2013, the Flashback Trojan used a Java flaw to ensnare more than 600,000 Mac OS X systems in a massive botnet.

I look forward to a world without the Java plugin (and to not having to remind readers about quarterly patch updates) but it will probably be years before various versions of this plugin are mostly removed from end-user systems worldwide. And some businesses still reliant on very old versions of Java will continue to use outdated versions of the program.

But for most users, there is no better time like the present to determine whether you have Java installed and decide whether it’s time to give it the boot once and for all. Hopefully, this is the last time I will have to include these boilerplate instructions on how to do that:

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Oracle’s instructions for removing Java from Mac OS X systems are available here.

If you have an specific use or need for Java, make sure you have the latest version. Also, know that there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: Unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with  JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

The FTC sued Oracle over years of failing to remove older, more vulnerable versions of Java SE when consumers updated their systems to the newest Java software.  Java is installed on more than 850 million computers, but only recently (in Aug. 2014) did the company change its updater software to reliably remove older versions of Java during the installation process.

According to the FTC’s complaint, since acquiring Java in 2010, Oracle was aware of significant security issues affecting older versions of Java SE. The FTC charges that Oracle was aware of the insufficiency of its update process.

“Internal documents stated that the ‘Java update mechanism is not aggressive enough or simply not working,’ and that a large number of hacking incidents were targeting prior versions of Java SE’s software still installed on consumers’ computers,” the FTC said “The security issues allowed hackers’ to craft malware that could allow access to consumers’ usernames and passwords for financial accounts, and allow hackers to acquire other sensitive personal information through phishing attacks.”

Few sites require Java to display content anymore, and most regular users can likely do without the program given the incessant security holes introduced by the program and its record of being abused by malicious software to infect millions of systems. See this post for a more detailed breakdown of why I’ve so often encouraged readers to junk Java, and advice for users who absolutely still need to have Java installed. If you’re not sure whether you have Java installed, check out this page that Oracle has put up to help users detect and remove installations of Java.

LIFELOCK

The FTC’s $100 million settlement with LifeLock represents a record for monetary awards obtained by the agency It stems from alleged violations of a previous deceptive advertising settlement the company reached with the FTC back in 2010.

An ad for LifeLock services.

According to the FTC, LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information — including their social security, credit card and bank account numbers. The FTC also alleged LifeLock falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions, and that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft.

The court documents related to the latest LifeLock settlement are still sealed, so it’s unclear how exactly LifeLock allegedly failed to protect customers’ sensitive personal data. Interestingly, the lone dissenter in the LifeLock case was FTC Commissioner Maureen K. Ohlhausen, who said she disagreed with the ruling because the commission hadn’t produced evidence that LifeLock somehow failed to secure its customer data, and noted that the company has complied with payment card industry security standards for accepting and handling credit card data.

For its part, LifeLock says in a statement that “there is no evidence that LifeLock has ever had any of its customers data stolen, and the FTC did not allege otherwise.”

This October 2015 story from About.com includes interesting perspective from Virginia Attorney Ken Cuccinelli, whose investigation into LifeLock’s business practices culminated in a class-action lawsuit pitting the FTC and 34 other state attorneys general against the company. According to that interview, Cuccinelli’s beef with LifeLock seems to have centered around allegations of false advertising about the level and quality of LifeLock’s identity protection service, as opposed to any specific data security issues at LifeLock.

“The problem, according to Cuccinelli, was not so much that LifeLock offered a flawed service, but that they were misrepresenting the level of security that they in fact provided,” wrote William Deutsch. “For years, LifeLock had been claiming to be an airtight guarantee against all forms of identity theft. LifeLock’s service is most effective against new account fraud, which is why members can expect an alert when someone tries to open up a new account in their name. But according to the Federal Trade Commission, the service wasn’t as effective in securing customers against the abuse of existing accounts, nor did it offer much protection against medical and employment related fraud.”

I have consistently urged readers to understand the limitations of credit monitoring services, which countless companies offer consumers each year in response to data breaches that expose customer personal and payment data. As I’ve noted time and again, credit monitoring services are unlikely to block thieves from opening new lines of credit in your name; the most you can hope for is that these services will alert you when the thieves succeed in getting new credit using your good name.

Credit monitoring services are useful for ID theft victims who are seeking help in removing fraudulent inquiries from their credit report. But if you want true protection against new account fraud committed in your name, place a security freeze on your credit file with the major credit bureaus. This article explains more about what’s involved in a security freeze and how to protect you and your family.

Adobe’s latest patch for Flash (it has issued more than a dozen this year alone) fixes at least 34 separate security vulnerabilities in Flash and Adobe AIR. Mercifully, Adobe said this time around it is not aware of malicious hackers actively exploiting any of the flaws addressed in this release.

Adobe recommends users of Adobe Flash Player on Windows and Macintosh update to Adobe Flash Player 18.0.0.232. Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 18.0.0.232 on Windows and Macintosh, and version 18.0.0.233 for Linux and Chrome OS.

However, I would recommend that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it. Disabling Flash in Chrome is simple enough, and can be easily reversed: On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”). Windows users can remove Flash from the Add/Remove Programs panel, or use Adobe’s uninstaller for Flash Player.

If you’re concerned about removing Flash altogether, consider a dual-browser approach. That is, unplugging Flash from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Flash.

If you decide to proceed with Flash and update, the most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.)

MICROSOFT

Microsoft may have just released Windows 10 as a free upgrade to Windows 7 and 8 customers, but some 40 percent of the patches released today apply to the new flagship OS, according to a tally by security firm Qualys. There is even an update for Microsoft Edge, the browser that Microsoft wants to replace Internet Explorer.

Nevertheless, IE gets its own critical update (MS15-089), which addresses at least 13 flaws — most of which can be exploited remotely without any help from the user, save from perhaps just visiting a hacked or malicious site.

Another notable update plugs scary-looking flaws in Microsoft Office (MS15-081). Qualys says it appears the worst of the flaws fixed in the Office patch could be triggered automatically — possibly through the Outlook e-mail preview pane, for example.

According to security firm Shavlik, there are two flaws fixed in today’s release from Microsoft that are being actively exploited in the wild: One fixed in the Office Patch (CVE-2015-1642) and another in Windows itself (CVE-2015-1769). Several other vulnerabilities fixed today were publicly disclosed prior to today, increasing the risk that we could see public exploitation of these bugs soon.

If you run Windows, take some time soon to back up your data and update your system. As ever, if you experience any issues as a result of applying any of these updates, please leave a note about your experience in the comments section.

ORACLE

I’ve received questions from readers about a rumored software update for Java (Java 8, Update 60); I have no idea where this is coming from, but this should not be security-related patch. Generally speaking, even-numbered Java updates are non-security related. More importantly, Oracle has moved to releasing security updates for Java on a quarterly patch cycle, except for extreme emergencies (and I’m unaware of a dire problem with Java right now, aside perhaps from having this massively buggy and insecure program installed in the first place).

Alas, not to be left out of the vulnerability madness, Oracle’s Chief Security Officer Mary Ann Davidson published a provocative blog post titled “Don’t, Just Don’t” that stirred up quite a tempestuous response from the security community today.

Davidson basically said security researchers who try to reverse engineer the company’s code to find software flaws are violating the legal agreement they acknowledged when installing the software. She also chastised researchers for spreading “a pile of steaming FUD” (a.k.a. Fear, Uncertainty and Doubt).

Oracle later unpublished the post (it is still available in Google’s cache here), but not before Davidson’s rant was lampooned endlessly on Twitter and called out by numerous security firms. My favorite so far came from Twitter user small_data, who said: “The City of Rome’s EULA stipulates Visigoths cannot recruit consultants who know about some hidden gate to gain entry.”

Images posted by Twitter users posting to the sacrastic hashtag #oraclefanfic

Oracle’s update brings Java 7 to Update 75 and Java 8 to Update 31, and fixes at least 19 security vulnerabilities in the program. Security vendor Qualys notes that 13 of those flaws are remotely exploitable, with a CVSS score of 10 (the most severe possible score).

Java 7 users should know that Oracle plans to start using the auto-update function built into the program to migrate those users to Java 8 this week.

According to a new report (PDF) from Cisco, online attacks that exploit Java vulnerabilities have decreased by 34 percent in the past year. Cisco reckons this is thanks to security improvements in the program, and to bad guys embracing new attack vectors — such Microsoft Silverlight flaws (if you’re a Netflix subscriber, you have Silverlight installed). Nevertheless, my message about Java will remain the same: Patch it, or pitch it.

The trouble with Java is that it has a very broad install base, but many users don’t even know if they have it on their systems. There are a few of ways to find out if you have Java installed and what version may be running. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. In the past, updating via the control panel auto-selected the installation of third-party software, so be sure to look for any pre-checked “add-ons” before proceeding with an update through the Java control panel.

Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).

Many people confuse Java with  JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

This update brings Java 7 to Update 45, and addresses a whole mess of security flaws. Oracle says that all but one of the 51 vulnerabilities fixed in this update may be remotely exploitable without authentication.

Updates are available from Java.com and the Java Control Panel. Apple has issued an update to its supported version of Java, which brings Java on the Mac to 1.6.0_65 for OS X 10.6.8 or later. As CNet notes, Apple is using this update to further encourage users to switch to Oracle’s Java runtime, especially for Web-based Java services.

“When this latest update is installed, according to Apple’s documentation it will remove the Apple-supplied Java plugin, and result in a ‘Missing plug-in’ section of a Web page that tries to run a Java applet,” CNet’s Topher Kessler writes. “If you click on the missing plug-in message, the system will direct you to Oracle’s Java Web site so you can download the latest version of Java 7, which will not only support the latest features in the Java runtime, but also include the latest bug and vulnerability fixes. Apple’s last supported version of Java is Java SE 6, and since handing the reigns over to Oracle, has progressively stepped back from supporting the runtime in OS X.”

Broken record alert: If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Oracle likes to remind everyone that 3 billion devices worldwide run Java, and that 89 percent of desktops run some form of Java (that roughly matches what vulnerability management firm Secunia found last year). But that huge install base — combined with a hit parade of security bugs and a component that plugs straight into the Web browser — makes Java software a perennial favorite target of malware and malcontents alike.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). Java 7 lets users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Otherwise, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

Java’s security dialog box.

Running a Java applet now pops up a security dialog box that presents users with information about the name, publisher and source of the application. Oracle says this pop-up is designed to warn users of potential security risks, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority.

Security experts differ over whether regular users pay any mind whatsoever to these warnings. But to make matters worse, new research suggests most of the information contained in the pop-ups can be forged by malware writers.

In a series of scathing blog posts, longtime Java developer Jerry Jongerius details the various ways that attackers can subvert the usefulness of these dialog boxes. To illustrate his point, Jongerius uses an applet obtained from Oracle’s own Web site — javadetection.jar — and shows that the information in two out of three of its file descriptors (the “Name” and “Location” fields) can be changed, even if the applet is already cryptographically signed.

“The bottom line in all of this is not the security risk of the errors but that Oracle made such incredibly basic ‘101’ type errors — in allowing ‘unsigned information’ into their security dialogs,” Jongerius wrote in an email exchange. “The magnitude of that ‘fail’ is huge.”

Jongerius presents the following scenario in which an attacker might use the dialog boxes to trick users into running unsafe applets:

“Imagine a hacker taking a real signed Java application for remote desktop control / assistance, and placing it on a gaming site, renaming it ‘Chess’. An unsuspecting end user would get a security popup from Java asking if they want to run ‘Chess’, and because they do, answer yes — but behind the scenes, the end user’s computer is now under the remote control of a hacker (and maybe to throw off suspicion, implemented a basic ‘Chess’ in HTML5 so it looks like that applet worked) — all because Oracle allowed the ‘Name’ in security dialogs to be forged to something innocent and incorrect.”

Oracle has not responded to requests for comment. But Jongerius is hardly the only software expert crying foul about the company’s security prompts. Will Dormann, writing for the Carnegie Mellon University’s Software Engineering Institute, actually warns Java developers against adopting a key tenet of Oracle’s new security guidelines.

Oracle recommends that all Java applets be cryptographically signed regardless of the privileges required by the program. Unsigned Java applets will run within a web page with a scary red warning that, “Running this application may be a security risk.” One of Java’s most-touted features is a “sandbox” security mechanism that is supposed to prevent certain functions when the applet is sent as part of a Web page. But according to both Jongerius and Dormann, Oracle made the default behavior for signed code to be full access to the computer (essentially, negating the usefulness of the sandbox).

“What about Oracle’s vision of a Java future where every Java applet is signed?,” asks Dormann, a longtime security research with the Department of Homeland Security’s US Computer Emergency Readiness Team (US-CERT). “What this vision means is that every Java applet, which would be signed, would also now be in a state where it could be repurposed because it is now no longer restricted by the sandbox. A poorly designed sandboxed Java applet can’t do much of anything.  However, a poorly designed signed Java applet can do pretty much anything that native code can.”

Both Dormann and Jongerius offer a number of ideas that Oracle could use to remedy the situation. Only time will tell if the company will take notice of the recommendations. In the meantime, I’ll continue to urge regular Internet users to get rid of Java completely, or at least to disconnect the Java plugin from any Web browsers (obligatory disclaimer: this advice does not scale for business users, whose computers may rely on Java for specific applications).

A Nuclear Exploit Pack administrative panel made to serve malware.

According to Peter Kruse, a partner and cybercrime specialist with CSIS Security Group, that’s what happened late last month when a Twitter user “Paunchbighecker” started messaging security researchers on Twitter. Paunch the nickname of a Russian hacker who for the past few years has sold the wildly popular Blackhole exploit kit, a crimeware package designed to be stitched into hacked or malicious sites and foist browser exploits on visitors. The person behind Paunchbighecker Twitter account probably figured that invoking Paunch’s name and reputation would add to the allure of his scam.

The Paunchbighecker Twitter account appears to have been created on July 30 for the sole purpose of sending tweets to several security researchers, including this author, Mikko Hypponen of Finnish security firm F-Secure, French malware researcher Kafeine, Polish security researcher tachion24, and SecObsecurity. Strangely enough, the other Twitter account that received messages from this user belongs to Sauli Niinistö, the current president of Finland.

The link that Paunchbighecker sent to researchers displays what appears to be the back-end administrative panel for a Nuclear Pack exploit kit. In fact, the landing page was a fake merely made to look like a Nuclear pack statistics panel. Rather, embedded inside the page itself is a series of active Java exploits. 

Update, 1:56 p.m.: Security researcher Kafeine said he does not believe this was an attack against security researchers, but rather an intentional leak of badguy credentials.  Furthermore, Kafeine notes that visitors to the site link in the Twitter messages would have to take an additional step in order to infect their own computers.

Original story: Looking at a Virustotal automated analysis of the malware pushed by this exploit kit, it seems the hackers behind this ruse were trying to foist the ZeuS Trojan on unsuspecting (and unpatched) visitors. A separate Virustotal analysis shows that some components of this attack may have been very poorly detected by antivirus tools, if any of the recipients were incautious enough to have clicked through to the fake panel. Also, many of the domains used in this malware attack have long been associated with ZeuS Trojan activity. According to a reverse WHOIS lookup ordered from domaintools.com, the email address  has been used to register more than 1,100 domains (CSV), including a large number with a very colorful history.

Assuming this is a trap, it would not be the first time malware purveyors have sought to trick security researchers with fake exploit pack administration panels. In 2010, noted botnet researcher Brett Stone-Gross wrote about another Zeus Trojan attack that hid behind a phony administrative exploit kit panel with fake victim statistics.

Styx Pack victims, by browser and OS version.

Aptly named after the river in Greek mythology that separates mere mortals from the underworld, the Styx exploit pack is a high-end software package that is made for the underground but marketed and serviced at the public styx-crypt[dot]com. The purveyors of this malware-as-a-service also have made a 24 hour virtual help desk available to paying customers.

Styx customers might expect such niceties for the $3,000 price tag that accompanies this kit. A source with access to one Styx kit exploit panel that was apparently licensed by a team of bad guys shared a glimpse into their operations and the workings of this relatively slick crimeware offering.

The Styx panel I examined is set up for use by a dozen separate user accounts, each of which appears to be leveraging the pack to load malware components that target different moneymaking schemes. The account named “admin,” for example, is spreading an executable file that tries to install the Reveton ransomware.

Other user accounts appear to be targeting victims in specific countries. For example, the user accounts “IT” and “IT2” are pushing variants of the ZeuS banking trojan, and according to this Styx panel’s statistics page, Italy was by far the largest source of traffic to the malicious domains used by these two accounts. Additional apparently country-focused accounts included “NL,” AUSS,” and “Adultamer” (“amer” is a derisive Russian slur used to describe Americans).

ZeuS Trojan variants targeted at Italian victims were detected by fewer than 5 out 17 antivirus tools.

An exploit kit — also called an “exploit pack” (Styx is marketed as “Styx Pack”) is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed.

Unlike other kits, Styx doesn’t give a detailed breakdown of the exploits used in the panel. Rather, the panel I looked at referred to its bundled exploits by simple two-digit numbers. This particular Styx installation used just four browser exploits, all but one of which targets recent vulnerabilities in Java. The kit referred to each exploit merely by the numbers 11, 12, 13 and 32.

According to the considerable legwork done by Kafeine, a security blogger who digs deeply into exploit kit activity, Styx Kit exploit #11 is likely to be CVE-2013-1493, a critical flaw in a Java browser plugin that Java maker Oracle fixed with an emergency patch in March 2013. Exploit 12 is almost certainly CVE-2013-2423, another critical Java bug that Oracle patched in April 2013. In an instant message chat, Kafeine says exploit #13 is probably CVE-2013-0422, a critical Java vulnerability that was patched in January 2013. The final exploit used by the kit I examined, number 32, maps to CVE-2011-3402, the same Microsoft Windows font flaw exploited by the Duqu Trojan.

The Styx stats page reports that the hacked and malicious sites used by this kit have been able to infect roughly one out of every 10 users who visited the sites. This particular Styx installation was set up on June 24, 2013, and since that time it has infected approximately 13,300 Windows PCs — all via just those  four vulnerabilities (but mostly the Java bugs).

One very interesting pattern I observed in poking at this exploit pack — and 0thers recently — is the decreasing prevalence or complete absence of reported infections from Google Chrome users, and to a lesser extent users of recent versions of Mozilla Firefox. As we can see from the graphic at the top of this blog post, users browsing with Microsoft’s Internet Explorer made up the lion’s share of victims.

This Styx installation reports installing malware on systems of just a handful of Firefox users, and against not a single Chrome user. In fact, the author of this kit freely states in a Q&A from an underground forum sales thread that his kit doesn’t even work against Chrome. For a complete breakdown of victims by browser and operating system, see this graphic.

Kafeine said he, too, has noticed a pronounced shift in the browser breakdowns from different exploit kits.

“Not many exploit kits [perform] very well against Chrome,” Kafeine said, noting that both Chrome and Firefox both now include integrated PDF readers, and that exploits against Adobe’s PDF reader have traditionally been a key contributor to exploit kit infection statistics.

Kafeine said one malware gang whose work he has followed — an organized crime crew that uses the Gameover ZeuS variant —  doesn’t even attempt to infect Chrome users who wander into its malware traps. Instead, those users are hit with a social engineering attack that tries to trick them into installing the malware by disguising it as a Chrome browser update.

“Those users are automatically redirected to a fake Chrome update page,” Kafeine said.

For more details on Styx and the different flavors of this exploit kit that have emerged in recent months, check out these blog posts:

Styx Exploit Kit Takes Advantage of Vulnerabilities

Styx Exploit Kit Analysis – Building a Bridge to the Underworld

Crossing the Styx

A “Styxy” Cool EK!

Java 7 Update 21 contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities. According to Oracle, “39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password” [emphasis mine].

There does not appear to be any update for Java 6. Oracle was to stop shipping security fixes for Java 6 in February, but it broke from that schedule last month when it shipped an emergency update for Java 6 to fix a flaw that was being used in active attacks. When I updated a machine running the latest Java 6 version (Update 43) it prompted me to install Java 7 Update 21. Update, 5:42 p.m. ET: Twitter follower @DonaldOJDK notes that Java 6 Update 45 is indeed available here.

Java 7 Update 21 also introduces some new security warnings and message prompts for users who keep the program plugged into a Web browser (on installation and updating, Java adds itself as an active browser plugin). Oracle said the messages that will be presented depend upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority.

Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future. Java applications considered to be higher risk — such as those that use an untrusted or expired certificate — will be accompanied by a prompt with a yellow exclamation point in a yellow warning triangle.

As Ars Technica writes, Oracle introduced a similar dialog message scheme late last year, but as previously reported by Ars, it doesn’t check the validity of application certificates. It’s a shortcoming that makes it easy for attackers to bypass the protection. That’s because it presents certificates as trustworthy even when they’ve been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light last month after Java gave the green light to a malicious app even though the digital certificate signing it had been revoked by the company that owned it.

I’ve long urged end users to uninstall Java unless they have a specific use for it (this advice does not scale for businesses, which often have complex custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a favorite target of malware writers and miscreants. Rather than ask users to discern the safety of applications using yellow triangles, blue shields, green clovers or orange stars, I’ll keep telling users to get rid of Java entirely.

If you do need it, unplug it from the browser unless and until you need it. Java 7 lets users disable Java content in web browsers through the Java control panel applet. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com. Mac OS X 10.6 (Snow Leopard) users who have Java should check Software Update for any available updates. Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion) users can grab the updated version of Java from Java.com.