Slashdot Mirror

← Back to Stories (view on slashdot.org)

Java Zero-Day Vulnerability Rolled Into Exploit Packs

Posted by Unknown on from the just-can't-win dept.

tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."

12 of 193 comments (clear)

  1. Just remove Java and get it over with by Tridus · · Score: 2, Insightful

    At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.

    If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.

    It sucks more in the corporate world, where there's a lot more Java and thus no easy answer for the security problems that plague it. But for home users? Just remove it and make your life easier.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:Just remove Java and get it over with by Bill_the_Engineer · · Score: 3, Insightful

      While we are at it let's get rid of Python and Ruby which are associated with web exploits in recent news (The Ruby SQL injection being the latest) . It would make more sense to say "Just remove java plugins".

      Don't punish an entire language because of a bad implementation of a function that either uses the language or extends the language into where it really isn't needed anymore.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    2. Re:Just remove Java and get it over with by SplashMyBandit · · Score: 3, Insightful

      .... and get rid of C and C++ for all their buffer overrun holes. Oh, and let us also get rid of Javascript while we're at it for all its exploits. Then we'd better shut down Silverlight/C# as well (http://www.cvedetails.com/product/19887/Microsoft-Silverlight.html?vendor_id=26). By the same measure we'd better ditch our operating systems to (http://www.cvedetails.com/vendor/26/Microsoft.html).

      So what do we have left after scorching the earth? nothing? they're all vulnerable and all need to maintained and patched. Java is not alone and not really any worse than any other technology.

      Or instead we could get real and demand that browsers fix their plugin model and run plugins with almost no privileges, ya know, as Unix/Linux does for services. That way the inevitable security holes are not catastrophic as they are now, and we don't have to do "denial of service" on ourselves by removing useful tools and technologies.

  2. Re:Oh Java... by medv4380 · · Score: 4, Insightful

    It would be very difficult to cull Java in an Enterprise environment that was build on it even if you wanted to. Convincing your Boss that you have to redevelop the entire system just to do it would also be a difficult task.

  3. How has the exploit maker gone unfound? by Wokan · · Score: 4, Insightful

    Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?

    1. Re:How has the exploit maker gone unfound? by i+kan+reed · · Score: 3, Insightful

      The mechanism that keeps his clients from cheating him is presumably the same mechanism that operates in every black market. Threat of retaliation. As for why they don't just follow the money, my guess is that it goes through some completely unregulated bank with a quickly opened then closed account for each transaction, in combination with hush money to appropriate government officials.

  4. Re:Oh Java... by Mathematiker · · Score: 5, Insightful

    You know the difference between a browser plugin and the JRE?

    Do you really think that having eclipse or matlab installed on your computer (both contain a JRE) makes it magically vulnerable?

  5. Re:Oh Java... by Nerdfest · · Score: 4, Insightful

    Why would you not develop systemns in it, or rewrite existing ones? Just stop using the ridiculous browser plug-in. It's the new ActiveX.

  6. Re:Oh Java... by Bill_the_Engineer · · Score: 5, Insightful

    At this point does any tech savvy user still have the Java Runtime Environment installed?

    At this point does any tech savvy user don't know the difference between the Java Runtime Environment and the Java Browser Plugin? Just disable/remove the plugin.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  7. Why does Slashdot glorify hackers? by GodfatherofSoul · · Score: 5, Insightful

    These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  8. There are 2 archetypes of bad Java coders by Anonymous Coward · · Score: 3, Insightful

    I have been coding in Java for quite a long time and there are essentially two archetypes of very crappy coders:

    1) The people who don't have what it takes to be a decent engineer (in any language) and are just creating horrible crap because that's the only thing they were taught in college.

    2) The people who "Would rather be coding something else". Often (but not always) a bit older engineers who might not have had any education in Java and any understanding they do have (whether it's from formal education or from them having read half a book a decade ago) is horribly outdated and incomplete. They stubbornly insist that if some of the architectural structures that they learned decades ago for different type of applications and for different environments end up creating a bad Java application, Java is to blame.

    The first archetype are useless but harmless: They write bad code but do so very slowly and don't dare to touch anything that looks intimidating which means they generally can't screw anything important up. The second archetype is who I immediately blame whenever I get a "WTF was someone thinking?" moment when looking at some major design decision.

  9. Re:cluelessness of slashdot by cbhacking · · Score: 3, Insightful

    For fun? Minecraft.
    For work? Burp suite (there are other HTTP proxies, but none that do as well what I need them to do).
    There's also things like Eclipse and NetBeans (developers are people too... even if they are Java developers), of course... Java begets Java, to a certain degree, and there's already so much Java out there that it's pretty much impossible to stop creating more of it anytime in the reasonable future.

    --
    There's no place I could be, since I've found Serenity...