Slashdot Mirror


Experts Develop 3rd-Party Patch For New Java Zero-Day

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
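
The summary says the flaw is in "Oracle's Java JRE version 7 and above", so the first thing an administrator wants is a way to tell which hosts carry a JRE in that range. The script below is an added example, not code from the Slashdot post or from Oracle: it parses the banner line that `java -version` prints, extracts the major version, and reports whether it falls in the 7-and-above range. The banner strings it is fed are constructed samples; the handling of the post-2017 "9+" version scheme is an extension beyond the 2012 thread, which only concerns 1.7.

```shell
#!/bin/sh
# Added example (not from the Slashdot post): classify a JRE by the first
# line of `java -version` output. Sample banners below are constructed.

# Extract the major Java version from a `java -version` banner line.
# Legacy scheme "1.x.y_zz" (Java 1.0 to 8) yields x; the newer scheme
# ("9.0.1", "11.0.2") yields the leading number. Prints 0 and fails if no
# quoted version string is found.
jre_major() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || { echo 0; return 1; }
    case "$ver" in
        1.*) echo "$ver" | cut -d. -f2 | sed 's/[^0-9].*//' ;;
        *)   echo "$ver" | cut -d. -f1 | sed 's/[^0-9].*//' ;;
    esac
}

# True (exit 0) when the banner describes a JRE in the range the summary
# calls affected: major version 7 or later.
in_affected_range() {
    major=$(jre_major "$1") || return 1
    [ "$major" -ge 7 ]
}

# Constructed sample banners, as `java -version 2>&1 | head -n 1` prints them.
SAMPLE_J6='java version "1.6.0_33"'
SAMPLE_J7='java version "1.7.0_06"'
SAMPLE_J11='openjdk version "11.0.2" 2019-01-15'
SAMPLE_NONE='sh: java: command not found'

# Live check of whatever `java` is on PATH; exit 0 = affected range,
# 1 = outside it, 2 = no JRE found.
check_host_jre() {
    command -v java >/dev/null 2>&1 || { echo "no java on PATH"; return 2; }
    banner=$(java -version 2>&1 | head -n 1)
    if in_affected_range "$banner"; then
        echo "AFFECTED RANGE (7+): $banner"
        return 0
    fi
    echo "outside affected range: $banner"
    return 1
}
```

Run `check_host_jre` from a config-management or inventory job to get a per-host verdict; the parsing functions are separate so they can be pointed at banners collected from many machines without invoking `java` on the collector.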

11 of 154 comments

  1. A better idea... by DrEnter · · Score: 4, Insightful

    You know what would be better idea than patching Java? Uninstalling it.

    1. Re:A better idea... by MyLongNickName · · Score: 3, Insightful

      Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:A better idea... by monkeyhybrid · · Score: 3, Funny

      I locked it down so *only* those 2 things can use it. One of them is not the web browser...

      But the other one is the web browser? ;)

  2. Re:Quarterly security patch? by plover · · Score: 4, Funny

    The analysts figured that exploits only come out an average of four times a year, therefore they only need to send updates every quarter. Who can question the CIO's master stroke of logic?

    --
    John
  3. Don't browse with Java by JDG1980 · · Score: 5, Informative

    There is no good reason to have Java installed in your primary browser. The only reason why it's everywhere is that it often comes preinstalled for no good reason, and (even worse) the installer shoves its way into all your browsers, for even less reason. If there are specific business sites using Java that you must access, then use IE with Java exclusively for those, and Firefox or Chrome for normal browsing. Using Java on the open web is just asking to get 0wned.

    1. Re:Don't browse with Java by Megahard · · Score: 3, Informative

      Agreed. Before HTML5, Java was an acceptable way to implement app-like stuff in the browser. Now with dynamic HTML, Canvas, SVG, and AJAX, Java in the browser has become an anachronism.

      --
      I eat only the real part of complex carbohydrates.
  4. Re:You know its funny by binarylarry · · Score: 3, Insightful

    This isn't a flaw in Java itself but yet another flaw in the browser plugin.

    Given that virtually all the major browser plugins technologies I can think of have resulted in an unending stream of exploits, it seems silly to blame this entirely on Java. Adobe PDF, Flash, and the Java plugin have all been the main vectors of attack. Guess what the three most popular browser plugins are?

    Maybe the real issue is a shitty plugin API and/or implementation?

    --
    Mod me down, my New Earth Global Warmingist friends!
  5. Re:It's Worse for Apple Users by MacColossus · · Score: 5, Informative

    Not any more. Oracle is providing Java 7 and later for Mac. http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

  6. If I remember well by Vapula · · Score: 5, Interesting

    During Sun's era, the motto for Java was: "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep Java's secure reputation...

    But now, it's Oracle... Oracle screwed up OpenOffice... Oracle is screwing up MySQL... And it looks like Oracle is screwing up Java... I wonder what treatment VirtualBox gets...

  7. Re:It's Worse for Apple Users by Anonymous Coward · · Score: 4, Funny

    It's up to Sun to release a JVM for OS X now

    Boy, are you Apple users in trouble!

  8. Re:Quarterly security patch? by ruiner13 · · Score: 3, Funny

    The US doesn't use the metric system, therefore it is full of liars. :)

    --
    today is spelling optional day.