Java Zero-Day Vulnerability Rolled Into Exploit Packs

tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."

Re:Oh Java...

[medv4380]

It would be very difficult to cull Java in an Enterprise environment that was build on it even if you wanted to. Convincing your Boss that you have to redevelop the entire system just to do it would also be a difficult task.

How has the exploit maker gone unfound?

[Wokan]

Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?

Re:How has the exploit maker gone unfound?

[i+kan+reed]

The mechanism that keeps his clients from cheating him is presumably the same mechanism that operates in every black market. Threat of retaliation. As for why they don't just follow the money, my guess is that it goes through some completely unregulated bank with a quickly opened then closed account for each transaction, in combination with hush money to appropriate government officials.

Re:Oh Java...

[Mathematiker]

You know the difference between a browser plugin and the JRE?

Do you really think that having eclipse or matlab installed on your computer (both contain a JRE) makes it magically vulnerable?

Re:Oh Java...

[Nerdfest]

Why would you not develop systemns in it, or rewrite existing ones? Just stop using the ridiculous browser plug-in. It's the new ActiveX.

Re:Just remove Java and get it over with

[Bill_the_Engineer]

While we are at it let's get rid of Python and Ruby which are associated with web exploits in recent news (The Ruby SQL injection being the latest) . It would make more sense to say "Just remove java plugins".

Don't punish an entire language because of a bad implementation of a function that either uses the language or extends the language into where it really isn't needed anymore.

Re:Oh Java...

[Bill_the_Engineer]

At this point does any tech savvy user still have the Java Runtime Environment installed?

At this point does any tech savvy user don't know the difference between the Java Runtime Environment and the Java Browser Plugin? Just disable/remove the plugin.

Why does Slashdot glorify hackers?

[GodfatherofSoul]

These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!

Re:Just remove Java and get it over with

[SplashMyBandit]

.... and get rid of C and C++ for all their buffer overrun holes. Oh, and let us also get rid of Javascript while we're at it for all its exploits. Then we'd better shut down Silverlight/C# as well (http://www.cvedetails.com/product/19887/Microsoft-Silverlight.html?vendor_id=26). By the same measure we'd better ditch our operating systems to (http://www.cvedetails.com/vendor/26/Microsoft.html).

So what do we have left after scorching the earth? nothing? they're all vulnerable and all need to maintained and patched. Java is not alone and not really any worse than any other technology.

Or instead we could get real and demand that browsers fix their plugin model and run plugins with almost no privileges, ya know, as Unix/Linux does for services. That way the inevitable security holes are not catastrophic as they are now, and we don't have to do "denial of service" on ourselves by removing useful tools and technologies.

There are 2 archetypes of bad Java coders

I have been coding in Java for quite a long time and there are essentially two archetypes of very crappy coders:

1) The people who don't have what it takes to be a decent engineer (in any language) and are just creating horrible crap because that's the only thing they were taught in college.

2) The people who "Would rather be coding something else". Often (but not always) a bit older engineers who might not have had any education in Java and any understanding they do have (whether it's from formal education or from them having read half a book a decade ago) is horribly outdated and incomplete. They stubbornly insist that if some of the architectural structures that they learned decades ago for different type of applications and for different environments end up creating a bad Java application, Java is to blame.

The first archetype are useless but harmless: They write bad code but do so very slowly and don't dare to touch anything that looks intimidating which means they generally can't screw anything important up. The second archetype is who I immediately blame whenever I get a "WTF was someone thinking?" moment when looking at some major design decision.

Re:cluelessness of slashdot

[cbhacking]

For fun? Minecraft.
For work? Burp suite (there are other HTTP proxies, but none that do as well what I need them to do).
There's also things like Eclipse and NetBeans (developers are people too... even if they are Java developers), of course... Java begets Java, to a certain degree, and there's already so much Java out there that it's pretty much impossible to stop creating more of it anytime in the reasonable future.