Slashdot Mirror

← Back to Stories (view on slashdot.org)

Browser Exploit Kits Using Built-In Java Feature

Posted by kdawson on from the corruptable-cuppa dept.

tsu doh nimh writes "Security experts from several different organizations are tracking an increase in Windows malware compromises via Java, although not from a vulnerability in Windows itself: the threat comes from a feature of Java that prompts the user to download and run a Java applet. Kaspersky said it saw a huge uptick in PCs compromised by Java exploits in December, but that the biggest change was the use of this Java feature for social engineering. Brian Krebs writes about this trend, and looks at two new exploit packs that are powered mainly by Java flaws, including one pack that advertises this feature as an exploit that works on all Java versions."

4 of 96 comments (clear)

  1. Nothing new here by WD · · Score: 5, Informative

    It's been known for a while (among those in the security field at least) that signed Java applets have been a concern. A little more info:

    http://www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html

  2. What people do not realize... by Parker+Lewis · · Score: 3, Informative

    ... is that a signed Java applet is like any binary running on your box. People have the illusion that any applet is secure, signed or unsigned. And if you have admin rights, the hole will awesome.

  3. Re:Um ... Java != Javascript by mark-t · · Score: 4, Informative

    The name Javascript was picked as a marketing ploy by the developers of Netscape in the 1990's, owing to the Java Programming Language, which at the time was seen as the next big thing for the web. Thus, they were hoping to capitalize on the term. I agree that the similarity of names has caused a lot of confusion, however... although there's squat all that can be done about it now.

    --
    File under 'M' for 'Manic ranting'
  4. Re:Unsigned is the ONLY way to deploy Java Applets by Rary · · Score: 5, Informative

    I wish there was a way in the browser to disable only signed applets.

    Not in the browser, because that's not the browser's job, but it's in the JRE. There's a setting labeled "Allow user to grant permissions to signed content", which, if turned off, will prevent signed applets from ever being run, while still allowing unsigned applets.

    It would be nice for Oracle to make the default settings more tightly secured, and let users "unsecure" as they see fit.

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein