Slashdot Mirror
A Tidal Wave of Java Flaw Exploitation
tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack."
Several days ago, Oracle released a patch that fixed 29 Java security flaws.
The one question this article doesn't really clarify is pretty important: How are these exploits being loaded onto the user's computer?
Are we talking applets, Java web start, or some other mechanism?
There's no -1 for "I don't get it."
Seeing Oracle and Java all in the same sentence gives me a nervous tick...the same nervous tick that I developed when I read MS was in talks to acquire Adobe.
I've run out of space in my head for all the different tools I need to seperately manage updates for.
Socialism: a lie told by totalitarians and believed by fools.
For reasons I have never been able to figure out, Java has significant issues auto updating on all my home Windows computers (XP, Vista, and 7). Sure enough, just last week I had to spend a night sanitizing one of the systems, for now I've uninstalled Java until I have the chance to figure out just what the problem is but honestly not having it hasn't been a problem so I'll probably just leave it off until I find something that actually requires it.
Java updates contain unrelated bugfixes and functionality, breaking applications. They are far from being minimal updates. Back in the Sun days, this was addressed by enabling parallel installation of many JVM versions. It was even possible for web content to request a specific JVM version, which means that you actually had to update to a newer version and delete all the old versions. I'm not complete sure that this part has actually been addressed. It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).
Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?
What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
I'm still in the process of repairing my Windows system after a Java-transmitted virus. A hacked website was sending out malware to visitors via Java applet, and the only solution I found was a format/reinstall. Since then, I've disabled Java on all my machines; the only things I've seen it used for are crappy browser games and malware.
I've run out of space in my head for all the different tools I need to seperately manage updates for.
Sounds like you need a computer.
Yeah, they should have used ActiveX, right?
There's no -1 for "I don't get it."
There are maybe 3 major versions of Java still in somewhat standard use: 1.4, 1.5, and 1.6. Unless the application in question has some very specific quirks, users should always be able to use the latest and greatest version of 1.6 to run them. The allowance for using older versions of the platform is a feature, not a hindrance.
It means that if I want to use "BadSoftwareCompany"'s piece of java software, I'm not confined with downloading and breaking my host's latest version of the java if their code only works with 1.4 or 1.5. If I didn't have the feature, I just couldn't use the software without a huge head-ache. To assume that every version of every software will work forever is delusional, but at least there are facilities to support the older tech.
Bye!
He seemed pretty accurate other than some exaggeration. If you want to see a "Massive amount of crapware" buy a PC from a big box store, not "java tried to install the yahoo toolbar boo hoo".
The funniest Java related thing I've seen, is amongst the non-computer cow orkers "Oh man, another java program, that thing is gonna be slow and take IT forever to install (actually they mean the JVM) and crash all the time". Computer people have known that for over a decade now, the funny part is hearing non computer people start to complain.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I guess Windows isn't ready for the desktop.