Java Zero-Day Vulnerability Rolled Into Exploit Packs
tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."
At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.
If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.
It sucks more in the corporate world, where there's a lot more Java and thus no easy answer for the security problems that plague it. But for home users? Just remove it and make your life easier.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
It would be very difficult to cull Java in an Enterprise environment that was built on it even if you wanted to. Convincing your Boss that you have to redevelop the entire system just to do it would also be a difficult task.
Sure, but I have No Script installed to keep it from running except when I need it to.
Sadly, I find myself needing Java for a lot of work related stuff. I even have a couple of machines that still have Flash on them because it's occasionally called for.
In the real world, you can't always get away from using it since there's always some company required thing you need to access -- but that doesn't mean I'm prepared to let it run by default on just any web site.
Hell, a lot of the tools I need to run daily for work are in Java.
Lost at C:>. Found at C.
There's a hacker called Paunch? You are Kevin Smith and I claim my five pounds!
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?
You know the difference between a browser plugin and the JRE?
Do you really think that having eclipse or matlab installed on your computer (both contain a JRE) makes it magically vulnerable?
my bank requires it.
most browsers today though ask per page if you want to run it, don't they? at least firefox does..
world was created 5 seconds before this post as it is.
I do. I administrate/develop for/run a server that is built on java :-(
Also, anyone who plays Minecraft would have it installed.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Disable Flash and Java. Most websites with video will work fine, even if some require you to change your user-agent to "iPad".
What do you mean, your browser can't display H.264 natively? Get a real browser.
Get free satoshi (Bitcoin) and Dogecoins
Why would you not develop systems in it, or rewrite existing ones? Just stop using the ridiculous browser plug-in. It's the new ActiveX.
If you use IE you can disable Java for all sites except the "enterprise ones". Even on IE6 - assuming an Enterprise environment typical of the sort you are talking about ;).
Because some people deployed the applications using Applets and WebStart so just getting rid of it becomes a bit of an issue.
The Java exploit is much less surprising to me than how casually we include the fact that this guy (and others) are selling exploit kits online. I remember when stuff like this used to be so underground you had to "know someone who knew someone" to find it. Perhaps what he's selling isn't technically illegal, but it's still surprising to read.
Create a browser instance/profile solely for your banking. Then configure the browser to have everything off except for your bank's URLs.
My normal browser runs as a different user from my logged in user account. My bank browser runs as yet another user. So pwning my normal browser still requires a privilege escalation to affect my main user account or my banking stuff.
My main account has access to the files and folders of the normal browser account. But not the other way around.
Sappeur:
+ Memory Safe
+ No VM
+ No GC but reference-counted smart pointers
+ extremely quick startup times (down to 10ms)
+ almost all C and C++ style high-performance features such as stack allocation, value arrays, destructors available
+ memory safe even for multithreaded applications
+ destructors
+ RAII
http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/SAPPEUR.pdf?format=raw
http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/
Is it 100% delivering the security it promises? Probably not at this point, but my guess is that with the same amount of engineering work as has been put into the JVM, Sappeur could be almost 100% delivering the advertised security. It is actually a quite simple concept.
Currently, it is in the proof-of-concept stage.
False. You don't need the Java browser plugin for Minecraft, only the JRE.
At this point, is there any tech savvy user who doesn't know the difference between the Java Runtime Environment and the Java Browser Plugin? Just disable/remove the plugin.
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!
I swear to God...I swear to God! That is NOT how you treat your human!
Which is what AlphaBro wanted us to uninstall.
Many tech savvy users write Android applications, for instance. Others play Minecraft. Others contribute to OpenStreetMap. Others even use the Netbeans IDE, lazy them.
> > If you play Minecraft you need Java installed.
> False. You don't need the Java browser plugin for Minecraft, only the JRE.
His statement is true. Having the JRE installed is having Java installed. It is correct that the browser plugin is unnecessary. But his original statement is entirely correct.
I'll see your senator, and I'll raise you two judges.
Sure, I have the JRE installed on my work laptop - but I sure as hell don't have the browser plugin installed. Nor Flash, nor AdobePDF. When I need Flash, I fire up Chrome for that particular site. When I need Java (which we Danes sadly do for online banking and government interaction), I fire up a virtual machine image dedicated just for that.
And my main browser, FireFox, has NoScript, AdBlockPlus, Ghostery and Certificate Patrol (any more addons I should know about?), on my work laptop as well as my own machines. But I digress. JRE: not a problem in and by itself. Just stay well clear of the browser plugin. And Flash. And AdobePDF.
Coffee-driven development.
And the latest Java 7 update added features to disable Java applets and JNLP in browsers; that way, if you need Java for an application like Eclipse but don't need Java in the browser, you can secure yourself.
Don't forget 64-bit Firefox.
"When information is power, privacy is freedom" - Jah-Wren Ryel
I don't know why it isn't enabled by default, but Firefox has a click-to-play plugins option that should dramatically reduce the exposure to exploits like this. So NoScript isn't required.
about:config
plugins.click_to_play = true
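An added example, not from any commenter on this thread: a POSIX shell audit that reports the effective state of the `plugins.click_to_play` setting above and whether the Java NPAPI plugin is installed. The profile layout (`prefs.js` overridden by `user.js`), the plugin directory and the plugin filename `libnpjp2.so` are assumptions based on a typical Linux install.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Firefox profile for the
# posture discussed above. Assumptions: a Linux layout, prefs in
# <profile>/prefs.js and <profile>/user.js, and the Oracle Java NPAPI
# plugin named libnpjp2.so in the directory given as second argument.

# Effective value of a boolean pref: "true", "false" or "unset".
# user.js is read after prefs.js because Firefox applies it last.
firefox_pref_value() {
    profile="$1"; pref="$2"; value="unset"
    pref_re=$(printf '%s' "$pref" | sed 's/\./\\./g')
    for f in "$profile/prefs.js" "$profile/user.js"; do
        [ -f "$f" ] || continue
        v=$(grep -E "^user_pref\(\"$pref_re\", *(true|false)\);" "$f" \
            | tail -n 1 | sed -E 's/.*(true|false)\);.*/\1/')
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# Succeeds when the Java plugin library is present in the given directory.
java_plugin_present() {
    [ -e "$1/libnpjp2.so" ]
}

# Returns 0 only when click-to-play is on and no Java plugin is installed,
# i.e. the combination the comment above recommends.
audit_profile() {
    ok=0
    ctp=$(firefox_pref_value "$1" plugins.click_to_play)
    echo "plugins.click_to_play = $ctp"
    [ "$ctp" = "true" ] || ok=1
    if java_plugin_present "$2"; then
        echo "Java plugin (libnpjp2.so) found in $2"; ok=1
    else
        echo "no Java plugin in $2"
    fi
    return $ok
}

# Usage: sh audit.sh ~/.mozilla/firefox/<profile> ~/.mozilla/plugins
if [ -n "${1:-}" ]; then
    audit_profile "$1" "${2:-$HOME/.mozilla/plugins}"
fi
```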
Noscript also stops most JavaScript, which is another potential source of nuisance.
I prefer to have everything blocked and controllable by default, if I want it, I'll run it -- otherwise, your flashing monkey isn't going to happen.
Lost at C:>. Found at C.
Name any piece of irreplaceable software for any user. Windows? nope, not for Mac users or Linux users. Firefox? not for Chrome users. The only irreplaceable software is based on C, but customers don't need to be aware of that. There are plenty of great Java programs out there that are without peer for users that need them (which doesn't happen to include you). So your argument is bunk - you just made it because you don't like Java - but you are lacking the insight to see that your argument extends to all software technologies (with the exception of C, which is pretty much core to all systems). So get real, eh? Java has plenty of uses - unless all you do all day is consume web content like Facebook and make mindless statements as an AC on Slashdot.
I have been coding in Java for quite a long time and there are essentially two archetypes of very crappy coders:
1) The people who don't have what it takes to be a decent engineer (in any language) and are just creating horrible crap because that's the only thing they were taught in college.
2) The people who "Would rather be coding something else". Often (but not always) somewhat older engineers who might not have had any education in Java, and any understanding they do have (whether it's from formal education or from having read half a book a decade ago) is horribly outdated and incomplete. They stubbornly insist that if some of the architectural structures that they learned decades ago for different types of applications and for different environments end up creating a bad Java application, Java is to blame.
The first archetype are useless but harmless: They write bad code but do so very slowly and don't dare to touch anything that looks intimidating which means they generally can't screw anything important up. The second archetype is who I immediately blame whenever I get a "WTF was someone thinking?" moment when looking at some major design decision.
Folks like Paunch need to get got if for no other reason than to remove a justification for governments around the world (China and the US getting closer to the same page every day) to regulate the Internet and render online anonymity a crime (all in the name of Snowflake Security, of course).
Don't forget 64-bit Firefox.
Or all the other 64-bit browsers.
Oh, I just realised he's running on that wacky Windows thing, where the OS is 64-bit but 99% of apps are still 32-bit.
For fun? Minecraft.
For work? Burp suite (there are other HTTP proxies, but none that do as well what I need them to do).
There's also things like Eclipse and NetBeans (developers are people too... even if they are Java developers), of course... Java begets Java, to a certain degree, and there's already so much Java out there that it's pretty much impossible to stop creating more of it anytime in the reasonable future.
There's no place I could be, since I've found Serenity...
This Paunch guy needs to watch his ass. There are larger, darker players who were using this exploit for their own purposes. Some of them invested heavily in developing it. By bringing it out into the open like this, Paunch has directly limited their use of this vulnerability. I would not be surprised if this is the last we hear of Mr. Paunch. A cleanup team has likely been engaged and is working on tracking him down in the physical world as I type this...
Seth
$5 / month hosted VPS on linux = awesome!
Exploit kits are not illegal. They have legit uses for testing your own security. For example, see Metasploit, which includes a large suite of exploits.
There's no place I could be, since I've found Serenity...
Your bank requires Java, not Javascript? Are you in the US? I've never seen that before, though I hear web-based banking varies considerably between countries.
Socialism: a lie told by totalitarians and believed by fools.
C was never used as a platform for web applets. Guess what could have happened that way (hint: 99% of the Microsoft Windows/Office/Adobe/etc viruses.)
I think the last time I saw a Java plugin was on a code example site that showed different types of sorting algorithms or something and that was about 3 years ago. Perhaps you're thinking of Javascript or Flashplayer?
No, but online Java applications such as Minecraft may be a problem.
All the Java problems were with applets. Considering how many security problems were with Flash too, maybe the problem is with the browser APIs.
Because some people deployed the applications using Applets and WebStart so just getting rid of it becomes a bit of an issue.
Nobody uses applets for anything anymore - except the baddies - disable the java browser plugin and be done with it. Webstart is not the problem.
We're talking about Java, not JavaScript.
Java Zero-Day Vulnerability Rolled Into Exploit Packs?
AccountKiller
Eclipse is not just for Java developers, you insensitive clod! For example, I use it for c#/.NET, Flash, Python, any kind of web development, etc.
Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
Secunia PSI will do what you're looking for - it pulls down a list of the latest versions of common applications, checks them against the applications you have installed and alerts you to any that require updates or that are no longer supported. It's free for non-commercial home use, and gets installed as standard on any machine I use at home. I believe they do a corporate version as well, but I never paid any attention to it beyond the fact that it exists, and has a price tag somewhere in the general region of "my boss is never going to approve it".
What does "online java application" mean? The app opens a network connection and communicates with some other host?
Such an app would not become more safe if it were written in, say, C++ or C# or most other languages.
The danger about Java is in the browser plugin, because it downloads and runs untrusted byte code. This is about as unsafe as using an ordinary browser with JavaScript enabled - which also downloads and runs untrusted code.
Are you responding to me? jQuery is a JavaScript library, and the Java plugin and JRE aren't bundled with every modern browser (or really any that I can think of).
Can any of you idiots with 7-digit ids even fucking read?
What I do in the toilet is none of your business.
The new right fascists are bilingual. They speak English and Bullshit.
Are you a $hill, by chance ?
No such luck, I wish I could get paid for promoting Java. I just use it every day for development. I find that there is still no alternative to Java that meets *my* requirements (and I understand it meets the needs of many others for lots of reasons, which I won't go into here). That's why I choose to address the anti-Java hysteria.
In Soviet Russia Java exploits you!
Applets run in the same environment as webstart these days.
Not really. They obey similar sandbox rules.
But the key here is that applets are embedded objects running in the context of the browser (Java plugin). A webstart application is essentially a download of an XML description file (jnlp), and a new javaws process handles this. You can easily configure your browser to download jnlp files instead of opening them with javaws.
Applets now run within separate processes. Additionally, they are now deployed using jnlp in the same way as webstart.
Java plugin2 (from Java6u10) changed a lot...
Several HR-related systems (including the one I unfortunately have to support at work) use Java applets.
I really wanted to change my sig to something witty, but all I could come up with is this.
Does this security hole affect OpenJDK/IcedTea (6 or 7)? Or is it only an issue with Oracle's code? If OpenJDK/IcedTea is affected, which versions (if any) have been fixed?