Java Zero-Day Vulnerability Rolled Into Exploit Packs
tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."
At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.
If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.
It sucks more in the corporate world, where there's a lot more Java and thus no easy answer for the security problems that plague it. But for home users? Just remove it and make your life easier.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Is this exploit possible via Java Web Start, or only applets?
It would be very difficult to cull Java in an Enterprise environment that was built on it even if you wanted to. Convincing your Boss that you have to redevelop the entire system just to do it would also be a difficult task.
But Java is supposed to prevent all these security issues according to its evangelists! Seems to be meaningless when its own JVM is a threat vector. Apparently the JVM writers fail at writing secure code. Throw Java on the trash heap and be done with it. Even Flash Player has fewer vulnerabilities. And that's really saying something when your software is less secure than shit that Adobe puts out.
Sure, but I have No Script installed to keep it from running except when I need it to.
Sadly, I find myself needing Java for a lot of work related stuff. I even have a couple of machines that still have Flash on them because it's occasionally called for.
In the real world, you can't always get away from using it since there's always some company required thing you need to access -- but that doesn't mean I'm prepared to let it run by default on just any web site.
Hell, a lot of the tools I need to run daily for work are in Java.
Lost at C:>. Found at C.
The repetitive use of miscreant in TFS begs the question: aren't there more modern pejoratives that might be applied here? You know: blackguard, knave, footpad, malefactor, cad, ...
INTERNET SURFERS: Configure your browser(s) so they do not run scripts and remove all instances of Java - congratulations, you're almost safe to browse the internet now, but have you updated your Flash player, Windows and all your non-Windows software? ...there are programs out there that can scan your machine to alert you of out-of-date software. I seem to remember Trend Micro online scanner doing this, but you needed Java to run it! I know there are others but I can't name them... just use legitimate ones and don't just ask Google to look for antivirus 2013 lol.
There's a hacker called Paunch? You are Kevin Smith and I claim my five pounds!
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?
You know the difference between a browser plugin and the JRE?
Do you really think that having eclipse or matlab installed on your computer (both contain a JRE) makes it magically vulnerable?
my bank requires it.
most browsers today though ask per page if you want to run it, don't they? at least firefox does..
world was created 5 seconds before this post as it is.
If you play Minecraft you need Java installed.
I do. I administrate/develop for/run a server that is built on java :-(
Also, anyone who plays Minecraft would have it installed.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Disable Flash and Java. Most websites with video will work fine, even if some require you to change your user-agent to "iPad".
What do you mean, your browser can't display H.264 natively? Get a real browser.
Get free satoshi (Bitcoin) and Dogecoins
Why would you not develop systems in it, or rewrite existing ones? Just stop using the ridiculous browser plug-in. It's the new ActiveX.
If you use IE you can disable Java for all sites except the "enterprise ones". Even on IE6 - assuming an Enterprise environment typical of the sort you are talking about ;).
I disable the Java plugin in all browsers except one; for that one I leave the 64-bit JRE installed. Since there's only one 64-bit browser, clearly I'm talking about MSIE, the browser you usually don't want this crap to run in. Blame Google and Mozilla.
Because some people deployed the applications using Applets and WebStart so just getting rid of it becomes a bit of an issue.
The Java exploit is much less surprising to me than how casually we include the fact that this guy (and others) are selling exploit kits online. I remember when stuff like this used to be so underground you had to "know someone who knew someone" to find it. Perhaps what he's selling isn't technically illegal, but it's still surprising to read.
Create a browser instance/profile solely for your banking. Then configure the browser to have everything off except for your bank's URLs.
My normal browser runs as a different user from my logged in user account. My bank browser runs as yet another user. So pwning my normal browser still requires a privilege escalation to affect my main user account or my banking stuff.
My main account has access to the files and folders of the normal browser account. But not the other way around.
Sappeur:
+ Memory Safe
+ No VM
+ No GC but reference-counted smart pointers
+ extremely quick startup times (down to 10ms)
+ almost all C and C++ style high-performance features such as stack allocation, value arrays, destructors available
+ memory safe even for multithreaded applications
+ destructors
+ RAII
http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/SAPPEUR.pdf?format=raw
http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/
Is it 100% delivering the security it promises ? Probably not at this point, but my guess is that with the same amount of engineering work as has been put into the JVM, Sappeur could be almost 100% delivering the advertised security. It is actually a quite simple concept.
Currently, it is in the proof-of-concept stage.
False. You don't need the Java browser plugin for Minecraft, only the JRE.
Of course you need Java (JRE). More so on servers. Of course you don't need Java plugin, which is the only thing that has security issues. Clueless "security researchers" feeding bad info to clueless consumers.
At this point, is there any tech savvy user who doesn't know the difference between the Java Runtime Environment and the Java Browser Plugin? Just disable/remove the plugin.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!
I swear to God...I swear to God! That is NOT how you treat your human!
..is one of the few really good Java apps. But I certainly suggest disabling Java except for these occasions. It is clearly a major security risk if "on by default".
Which is what AlphaBro wanted us to uninstall.
Java isn't just applets.
Entire application servers run on J2EE ( JBoss, Glassfish, WAS to name a few ).
In this case the exploit is related to applets, but what if there was a zero day in say, the implementation of java.net.ServerSocket ?
Well, I guess that just means patching all the application servers with a hotfix. There goes my vacation.
Did he say you needed the browser plugin?
Can any of you idiots with 7-digit ids even fucking read?
If that guy had been a real engineer as opposed to something else, this thing would have never been this bag of fleas.
But hey, robustness is not hip. Let's deliver 1001 "standard library classes" and give shit about security. Make it complex as hell, because That's Cool !!
Instead they set up all sorts of cool crap-processes such as the "JCP" and pile more poo on their already sizeable craphill. These guys never understood what really matters, namely reliability and quality. I take a reliable, old Pascal compiler any time over a fancy bag of fleas with all sorts of "cool" features. And yes, I did some serious Java time. Now I am back to C++ for work.
Many tech savvy users write Android applications, for instance. Others play Minecraft. Others contribute to OpenStreetMap. Others even use the Netbeans IDE, lazy them.
> > If you play Minecraft you need Java installed.
> False. You don't need the Java browser plugin for Minecraft, only the JRE.
His statement is true. Having the JRE installed is having Java installed. It is correct that the browser plugin is unnecessary. But his original statement is entirely correct.
I'll see your senator, and I'll raise you two judges.
Sure, I have the JRE installed on my work laptop - but I sure as hell don't have the browser plugin installed. Nor Flash, nor Adobe PDF. When I need Flash, I fire up Chrome for that particular site. When I need Java (which we Danes sadly do for online banking and government interaction), I fire up a virtual machine image dedicated just for that.
And my main browser, Firefox, has NoScript, AdBlock Plus, Ghostery and Certificate Patrol (any more addons I should know about?), on my work laptop as well as my own machines. But I digress. JRE: not a problem in and by itself. Just stay well clear of the browser plugin. And Flash. And Adobe PDF.
Coffee-driven development.
And the latest Java 7 update added features to disable Java applets and JNLP from browsers; that way, if you need Java for an application like Eclipse but don't need Java in the browser, you can secure yourself.
In Opera Preferences you can set that any plugins should only start after you explicitly click on the rectangle in which they appear. Chrome by default prompts the user before running Java applets. Internet Explorer 9 by default enables installed add-ons everywhere, but you can remove the "*" from the list of allowed sites, and after that it prompts before it runs that plugin. I have not found a solution for Firefox yet.
Bitcoin, TOR.
Don't forget 64-bit Firefox.
"When information is power, privacy is freedom" - Jah-Wren Ryel
The IT department would like you to no longer turn on your computer to protect you from harmful viruses. We are going to come around over lunch and install a safety device (by drilling a hole through your CPU / disk). After the install you will be safe to use your computer as you see fit.
In the world of MBAs they want CHEAP developers. How do they get that ? Use a "simple" language many people are fluent in. That's Java.
What the MBAs will never grasp is that "cheap" is only cheap in the short run. In the long run, using Java means buying whopping amounts of hardware and attracting lots of junior and generally crappy developers. In the long run, investment into expensive C++ developers and their more expensive development efforts pays off nicely. These people know that the "new" operator comes at a price and use it wisely. Just as an example.
Now, I am a C++ guy, so maybe I am not objective on this. I am confident the darwinism of the market will sort this out. Let's see.
How can a _license_ for an exploit kit cost anything? A license is a legal term, and I would expect that you can't enforce a license for an exploit kit, neither from the position of the buyer nor of the seller.
It's like saying that the Mafia gives out licenses for blackmail.
I don't know why it isn't enabled by default, but Firefox has a click-to-play plugins option that should dramatically reduce the exposure to exploits like this. So NoScript isn't required.
about:config
plugins.click_to_play = true
no more please
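The comment above sets plugins.click_to_play by hand in about:config. The following is an added example, not code from the original thread or from Mozilla: it parses the user_pref(...) lines of a Firefox prefs.js, reports which of a required set of preferences are unset or hold the wrong value, and renders the required set as user.js lines, which Firefox re-applies on every startup. The sample prefs.js is constructed, and only plugins.click_to_play is taken from the comment; the other preference names in the sample are incidental.

```python
import json
import re

# Constructed sample of a Firefox prefs.js (not taken from any real profile).
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
/* Do not edit this file. */
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("plugins.click_to_play", false);
user_pref("javascript.enabled", true);
user_pref("network.cookie.cookieBehavior", 1);
'''

# Settings a locked-down profile must carry. plugins.click_to_play is the one
# named in the comment above; extend the dict with whatever else you require.
REQUIRED_PREFS = {"plugins.click_to_play": True}

# user_pref("<name>", <literal>);  -- name may contain escaped quotes
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')


def _parse_value(raw):
    """Turn the JS literal on the right-hand side into a Python value."""
    raw = raw.strip()
    if raw.startswith('"'):
        return json.loads(raw)  # JS string escapes used in prefs.js are JSON-compatible
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)


def parse_prefs(text):
    """Map pref name -> value for every user_pref(...) line; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit_prefs(prefs, required=REQUIRED_PREFS):
    """Return (name, expected, actual) for each required pref that is unset or wrong.
    A missing pref means the browser default applies; it is reported as actual=None."""
    return [(name, want, prefs.get(name))
            for name, want in required.items()
            if prefs.get(name) != want]


def to_user_js(prefs):
    """Render prefs as user.js lines, the file Firefox reads at startup to
    override whatever prefs.js currently holds."""
    lines = []
    for name, value in prefs.items():
        if isinstance(value, bool):          # must precede the int check: bool is an int
            literal = "true" if value else "false"
        elif isinstance(value, int):
            literal = str(value)
        else:
            literal = json.dumps(value)
        lines.append('user_pref("%s", %s);' % (name, literal))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_prefs(SAMPLE_PREFS_JS)
    for name, want, got in audit_prefs(current):
        print("%s: expected %r, found %r" % (name, want, got))
    print(to_user_js(REQUIRED_PREFS), end="")
```

Run it against a profile's prefs.js to see which settings drift from the required set; the user.js output can be dropped into the profile directory so the setting survives anything that rewrites prefs.js.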
Noscript also stops most JavaScript, which is another potential source of nuisance.
I prefer to have everything blocked and controllable by default, if I want it, I'll run it -- otherwise, your flashing monkey isn't going to happen.
Lost at C:>. Found at C.
I have been coding in Java for quite a long time and there are essentially two archetypes of very crappy coders:
1) The people who don't have what it takes to be a decent engineer (in any language) and are just creating horrible crap because that's the only thing they were taught in college.
2) The people who "Would rather be coding something else". Often (but not always) somewhat older engineers who might not have had any education in Java, and any understanding they do have (whether it's from formal education or from having read half a book a decade ago) is horribly outdated and incomplete. They stubbornly insist that if some of the architectural structures that they learned decades ago for different types of applications and for different environments end up creating a bad Java application, Java is to blame.
The first archetype is useless but harmless: they write bad code but do so very slowly and don't dare to touch anything that looks intimidating, which means they generally can't screw anything important up. The second archetype is who I immediately blame whenever I get a "WTF was someone thinking?" moment when looking at some major design decision.
Folks like Paunch need to get got if for no other reason than to remove a justification for governments around the world (China and the US getting closer to the same page every day) to regulate the Internet and render online anonymity a crime (all in the name of Snowflake Security, of course).
This guy is doing everybody a service, because he openly sells exploits. He demonstrates what kind of royal crap Java actually is. Then, there is freedom of speech. There are people who do not believe in the infinite wisdom and power of government.
Does the guy kill, rape or maim ? No he does not. He demonstrates how insanely crappy a certain piece of software is. Something to be defended against government meddling - I am quite positive.
But, I will be nice to you Mr $hill and ask you what would happen if we outlawed his activity: Chinese intelligence would silently use Java to subvert thousands of critical computers worldwide. So would the Russian Mafia do.
This guy ensures people simply deinstall or disable this abomination called Java. Thank God this man exists and does his business !
Don't forget 64-bit Firefox.
Or all the other 64-bit browsers.
Oh, I just realised he's running on that wacky Windows thing, where the OS is 64-bit but 99% of apps are still 32-bit.
This Paunch guy needs to watch his ass. There are larger, darker players who were using this exploit for their own purposes. Some of them invested heavily in developing it. By bringing it out into the open like this, Paunch has directly limited their use of this vulnerability. I would not be surprised if this is the last we hear of mr. Paunch. A cleanup team has likely been engaged and is working on tracking him down in the physical world as I type this...
Seth
$5 / month hosted VPS on linux = awesome!
The people you refer to use pork-companies such as HBGary. And they do know they need to shut up or the pork will stop flowing.
You should stop viewing cheap men-in-black movies.
..I think you nailed it. But you could explain your opinion next time to those who never got a proper education. Maybe some of them would understand and change their language.
what the guy does is expose crappy work which poses a risk. He earns money in the process. 100% the right thing to do.
If the Java crappers have issues with him, they can switch to Perl, FreePascal, Ada, C++ or Sappeur any time. But these people are so shallow they will never consider this option. It would require some effort without instant reward.
Your bank requires Java, not Javascript? Are you in the US? I've never seen that before, though I hear web-based banking varies considerably between countries.
Socialism: a lie told by totalitarians and believed by fools.
So you need Eclipse to debug other pieces of bloated, randomly freezing crap ?
Hint: there are real languages and real IDEs out there to create excellent, efficient and cross-platform software.
Here is a little list:
Lazarus
Delphi
Code::Blocks
Qt Creator
I think the last time I saw a Java plugin was on a code example site that showed different types of sorting algorithms or something and that was about 3 years ago. Perhaps you're thinking of Javascript or Flashplayer?
No but online Java applications such as minecraft may be a problem.
All the Java problems were with applets. Considering how many security problems were with Flash too, maybe the problem is with the browser APIs.
Because some people deployed the applications using Applets and WebStart so just getting rid of it becomes a bit of an issue.
Nobody uses applets for anything anymore - except the baddies - disable the java browser plugin and be done with it. Webstart is not the problem.
what is this now? 4chan?
At this point does any tech savvy user still think that Java isn't built into every modern web browser and that you need a plugin for it?
I love java - jQuery is great, especially with HTML5 :D
We're talking about Java, not JavaScript.
I was about to enquire why this got a -1 score... until I saw your sig.
Lol?
Java Zero-Day Vulnerability Rolled Into Exploit Packs?
AccountKiller
What does "online java application" mean? The app opens a network connection and communicates with some other host?
Such an app would not become safer if it were written in, say, C++ or C# or most other languages.
The danger about Java is in the browser plugin, because it downloads and runs untrusted byte code. This is about as unsafe as using an ordinary browser with JavaScript enabled - which also downloads and runs untrusted code.
Java Runtime Environment, Java Browser Plugin and JavaScript are three separate things. You're the only one talking about JavaScript.
Are you responding to me? jQuery is a JavaScript library, and the Java plugin and JRE aren't bundled with every modern browser (or really any that I can think of).
Can any of you idiots with 7-digit ids even fucking read?
What I do in the toilet is none of your business.
The new right fascists are bilingual. They speak English and Bullshit.
Are you a $hill, by chance ?
No such luck, I wish I could get paid for promoting Java. I just use it every day for development. I find that there is still no alternative to Java that meets *my* requirements (and I understand it meets the needs of many others for lots of reasons, which I won't go into here). That's why I choose to address the anti-Java hysteria.
Applets run in the same environment as webstart these days.
Not really. They obey similar sandbox rules.
But the key here is that applets are embedded objects running in the context of the browser (Java plugin). A Web Start application is essentially a download of an XML description file (jnlp), and a new javaws process handles this. You can easily configure your browser to download jnlp files instead of opening them with javaws.
Applets now run within separate processes. Additionally, they are now deployed using jnlp in the same way as webstart.
Java plugin2 (from Java6u10) changed a lot...
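The two comments above describe a JNLP file as the XML descriptor that javaws (and, since plugin2, the applet launcher) acts on, and suggest downloading it rather than opening it directly. The following is an added example, not code from the original thread or from Oracle: it reads a downloaded JNLP descriptor and reports what it asks the launcher to do, namely the codebase, the jars it will fetch (resolved against that codebase), whether any jar comes from a different host or over plain HTTP, and whether the descriptor requests all-permissions, i.e. to run outside the sandbox. The sample descriptor, its host names and its jar names are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample JNLP descriptor; hosts, jar names and class names are made up.
SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://intranet.example.invalid/hr/" href="payroll.jnlp">
  <information>
    <title>Payroll Client</title>
    <vendor>Example Corp</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.7+"/>
    <jar href="payroll.jar" main="true"/>
    <jar href="lib/support.jar"/>
    <jar href="http://cdn.example.invalid/ext/helper.jar"/>
  </resources>
  <application-desc main-class="com.example.Payroll"/>
</jnlp>
"""


def inspect_jnlp(xml_text):
    """Summarise what a JNLP descriptor asks the launcher to do, before javaws runs it."""
    root = ET.fromstring(xml_text)
    if root.tag != "jnlp":
        raise ValueError("root element is <%s>, not <jnlp>" % root.tag)

    codebase = root.get("codebase", "")
    codebase_host = urlparse(codebase).netloc

    # <security><all-permissions/></security> asks for a fully trusted (unsandboxed) run.
    security = root.find("security")
    all_permissions = security is not None and security.find("all-permissions") is not None

    # Resolve every <jar href> against the codebase. Relative hrefs are the norm;
    # an absolute href can pull code from a host other than the codebase.
    jars = [urljoin(codebase, jar.get("href", "")) for jar in root.iter("jar")]
    off_codebase = [j for j in jars if urlparse(j).netloc != codebase_host]
    plain_http = [u for u in [codebase] + jars if urlparse(u).scheme != "https"]

    # Either an application or an applet description names the entry point.
    # (Do not write `find(a) or find(b)`: a childless Element is falsy.)
    desc = root.find("application-desc")
    kind = "application"
    if desc is None:
        desc = root.find("applet-desc")
        kind = "applet"
    main_class = desc.get("main-class") if desc is not None else None

    title_el = root.find("information/title")
    title = title_el.text.strip() if title_el is not None and title_el.text else None

    findings = []
    if all_permissions:
        findings.append("requests all-permissions (runs outside the sandbox)")
    for j in off_codebase:
        findings.append("jar outside codebase host: " + j)
    for u in plain_http:
        findings.append("fetched over plain HTTP: " + u)

    return {
        "title": title,
        "kind": kind,
        "codebase": codebase,
        "main_class": main_class,
        "all_permissions": all_permissions,
        "jars": jars,
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_jnlp(SAMPLE_JNLP)
    print("%s (%s, main class %s)" % (report["title"], report["kind"], report["main_class"]))
    for jar in report["jars"]:
        print("  jar:", jar)
    for finding in report["findings"]:
        print("  !!", finding)
```

Pointing the script at a descriptor saved from a browser download gives a one-screen answer to "what will this actually launch" before anyone hands the file to javaws; a descriptor for an internal HR tool that pulls jars from a third host or asks for all-permissions is worth a question to whoever deployed it.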
Several HR-related systems (including the one I unfortunately have to support at work) use java applets.
I really wanted to change my sig to something witty, but all I could come up with is this.
Does this security hole affect OpenJDK/IcedTea (6 or 7)? Or is it only an issue with Oracle's code? If OpenJDK/IcedTea is affected, which versions (if any) have been fixed?