Slashdot Mirror


Java Zero-Day Vulnerability Rolled Into Exploit Packs

tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."

44 of 193 comments

  1. Just remove Java and get it over with by Tridus · · Score: 2, Insightful

    At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.

    If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.

    It sucks more in the corporate world, where there's a lot more Java and thus no easy answer for the security problems that plague it. But for home users? Just remove it and make your life easier.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:Just remove Java and get it over with by nebulus4 · · Score: 2

      Easy for you to say. Here in Norway we are required to have it to do online banking :(

      --
      "It would be wrong to refuse to face the fact that everything is fundamentally sick and sad."
    2. Re:Just remove Java and get it over with by TubeSteak · · Score: 2

      If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.

      This has been my situation for the last few years (though not for Minecraft).
      Adobe's Flash/Shockwave more or less killed Java for the average user.

      /the mass of exploits that is flash makes for another conversation entirely

      --
      [Fuck Beta]
      o0t!
    3. Re:Just remove Java and get it over with by edxwelch · · Score: 2, Informative

      Please, stop the FUD already. All the security holes have been accessed via the Java browser plugin, so just disabling the plugin is enough... and while you're at it, disable the .NET browser plugin. Just as many security holes have been found in that component as in Java.
      There is no need to uninstall JRE (If you have Java installed on your system, then you probably need it for something)

    4. Re:Just remove Java and get it over with by Minwee · · Score: 3, Funny

      But... but... Javascript is used all over the Web. You'd break almost everything if you uninstalled Java!

      I see. Have you tried turning it off and on again?

      Is it definitely plugged in?

    5. Re:Just remove Java and get it over with by Bill_the_Engineer · · Score: 3, Insightful

      While we are at it let's get rid of Python and Ruby, which are associated with web exploits in recent news (the Ruby SQL injection being the latest). It would make more sense to say "Just remove Java plugins".

      Don't punish an entire language because of a bad implementation of a function that either uses the language or extends the language into where it really isn't needed anymore.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    6. Re:Just remove Java and get it over with by DigiShaman · · Score: 4, Informative

      Ya, and when the next JRE update prompts the user to install from the system tray, the browser plugin gets re-enabled (re-installed really).

      --
      Life is not for the lazy.
    7. Re:Just remove Java and get it over with by Bill_the_Engineer · · Score: 2

      Thanks! It would be more accurate to call it a "Ruby on Rails" exploit since just because it uses Ruby doesn't make it Ruby's fault which is the point of my parent post.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    8. Re:Just remove Java and get it over with by DickBreath · · Score: 4, Funny

      Support: Have you tried pushing the 10 key?
      Customer: The 10 key? Do you mean F10?
      Support: No. The 10 key is a black rocker on the back of the computer with a 1 and a 0. Pushing that will make your computer secure.

      --

      I'll see your senator, and I'll raise you two judges.
    9. Re:Just remove Java and get it over with by SplashMyBandit · · Score: 3, Insightful

      .... and get rid of C and C++ for all their buffer overrun holes. Oh, and let us also get rid of Javascript while we're at it for all its exploits. Then we'd better shut down Silverlight/C# as well (http://www.cvedetails.com/product/19887/Microsoft-Silverlight.html?vendor_id=26). By the same measure we'd better ditch our operating systems too (http://www.cvedetails.com/vendor/26/Microsoft.html).

      So what do we have left after scorching the earth? Nothing? They're all vulnerable and all need to be maintained and patched. Java is not alone and not really any worse than any other technology.

      Or instead we could get real and demand that browsers fix their plugin model and run plugins with almost no privileges, ya know, as Unix/Linux does for services. That way the inevitable security holes are not catastrophic as they are now, and we don't have to do "denial of service" on ourselves by removing useful tools and technologies.

    10. Re:Just remove Java and get it over with by edxwelch · · Score: 2

      Sorry, to correct my previous post.
      Java does indeed overwrite system settings, however both Chrome and Firefox ignore the system setting and the plugin remains disabled.

    11. Re:Just remove Java and get it over with by mcgrew · · Score: 3, Interesting

      Here in Norway we are required to have it to do online banking :(

      I refuse to bank online, and I would ESPECIALLY refuse to bank online if the bank demanded java. If I want to check my balance I'll call them; I never heard of anyone getting rooted over a voice-only phone call.

      In fact, I use my credit card as little as possible online. Yes, I'm paranoid... but my computers haven't been infected with anything since my daughter installed the XCP trojan Sony provided on a CD she bought at the store she worked at.

      If I do get rooted, there's no sensitive information whatever on my PCs or phone.

    12. Re:Just remove Java and get it over with by Anonymous+Brave+Guy · · Score: 2

      You must have an old computer. My 10 key is next to the cup holder on the front.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    13. Re:Just remove Java and get it over with by lgw · · Score: 2

      never heard of anyone getting rooted over a voice-only phone call.

      Bank fraud is hardly new to the internet. You can bank on the internet quite safely if you do it from a VM that you only use for that purpose - and I strongly recommend that approach. I use a credit card freely online, but it's one with a $0 fraud protection guarantee.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    14. Re:Just remove Java and get it over with by zixxt · · Score: 2

      Hear, hear. The amount of updates released to keep .Net secure is the same or more than the security updates for JRE/JDK/JVM.

      People just seem to get off on bashing Java, it seems.

      --
      ---- GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  2. Re:Oh Java... by medv4380 · · Score: 4, Insightful

    It would be very difficult to cull Java in an Enterprise environment that was built on it even if you wanted to. Convincing your Boss that you have to redevelop the entire system just to do it would also be a difficult task.

  3. Re:Oh Java... by gstoddart · · Score: 5, Informative

    At this point does any tech savvy user still have the Java Runtime Environment installed?

    Sure, but I have No Script installed to keep it from running except when I need it to.

    Sadly, I find myself needing Java for a lot of work related stuff. I even have a couple of machines that still have Flash on them because it's occasionally called for.

    In the real world, you can't always get away from using it since there's always some company required thing you need to access -- but that doesn't mean I'm prepared to let it run by default on just any web site.

    Hell, a lot of the tools I need to run daily for work are in Java.

    --
    Lost at C:>. Found at C.
  4. How has the exploit maker gone unfound? by Wokan · · Score: 4, Insightful

    Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?

    1. Re:How has the exploit maker gone unfound? by durrr · · Score: 3, Interesting

      Follow the money and you probably find that various three letter agencies are his main customers.

    2. Re:How has the exploit maker gone unfound? by Mathematiker · · Score: 2

      Is finding a bug and writing an exploit for it illegal yet?

    3. Re:How has the exploit maker gone unfound? by i+kan+reed · · Score: 3, Insightful

      The mechanism that keeps his clients from cheating him is presumably the same mechanism that operates in every black market. Threat of retaliation. As for why they don't just follow the money, my guess is that it goes through some completely unregulated bank with a quickly opened then closed account for each transaction, in combination with hush money to appropriate government officials.

    4. Re:How has the exploit maker gone unfound? by CanHasDIY · · Score: 2

      Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down?

      Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know.

      If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    5. Re:How has the exploit maker gone unfound? by Nerdfest · · Score: 5, Interesting

      There's a person finding exploits for $10,000 per month and Oracle, Microsoft and Adobe don't subscribe to it? That's just silly.

    6. Re:How has the exploit maker gone unfound? by Bill_the_Engineer · · Score: 2

      Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know. If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

      Explain laws against selling drug paraphernalia, subsections of the DMCA, or consumer protection against malware laws in several states like California, Arizona, Indiana and others...

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  5. Re:Oh Java... by Mathematiker · · Score: 5, Insightful

    You know the difference between a browser plugin and the JRE?

    Do you really think that having eclipse or matlab installed on your computer (both contain a JRE) makes it magically vulnerable?

  6. Re:Oh Java... by gl4ss · · Score: 2

    my bank requires it.

    most browsers today though ask per page if you want to run it, don't they? at least firefox does..

    --
    world was created 5 seconds before this post as it is.
  7. Safer browsing by ArcadeMan · · Score: 2

    Disable Flash and Java. Most websites with video will work fine, even if some require to change your user-agent to "iPad".

    What do you mean, your browser can't display H.264 natively? Get a real browser.

  8. Re:Oh Java... by Nerdfest · · Score: 4, Insightful

    Why would you not develop systems in it, or rewrite existing ones? Just stop using the ridiculous browser plug-in. It's the new ActiveX.

  9. Re:Oh Java... by Anonymous Coward · · Score: 4, Informative

    If you use IE you can disable Java for all sites except the "enterprise ones". Even on IE6 - assuming an Enterprise environment typical of the sort you are talking about ;).

  10. Re:Oh Java... by Bill_the_Engineer · · Score: 5, Insightful

    At this point does any tech savvy user still have the Java Runtime Environment installed?

    At this point, does any tech savvy user not know the difference between the Java Runtime Environment and the Java Browser Plugin? Just disable/remove the plugin.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  11. Why does Slashdot glorify hackers? by GodfatherofSoul · · Score: 5, Insightful

    These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Why does Slashdot glorify hackers? by girlintraining · · Score: 4, Interesting

      I suppose because on some level, we identify with the hacker. Our way of life is under constant assault by well-financed interests. The collective geek culture rejects the notion that ideas can be owned. Knowledge is power, and because of that, it should be shared freely and widely. Our culture rejects the limitations of online freedom that everyone wants -- whether it's bloggers in Iran being disappeared for providing updates on what their government is up to, to China's appetite for suppressing western influences, to our own government's desire for internet kill switches and pervasive monitoring. All of this gets in the way of free and unfettered access to information, something geeks believe is a cultural heritage and the right to access granted to all human beings. Geeks... are idealists and creatives.

      And when we see our creations turned against us, used to corrupt the ideals that gave birth to them, there is a certain artistic desire to destroy it because its beauty has been tarnished. It's something that you can find historical and literary examples of dating back to pre-Greek times. So on some level, we identify with the so-called "bad guys", because they're hurting the people who are hurting us.

      Sure, morally, ethically, we can recognize that it's wrong and destructive. We know that it only emboldens the destroyers and usurpers of our lifestyle to pass even more restrictive edicts and arrest more people, but psychologically it doesn't matter. We ourselves are powerless, so when we see others in the same boat doing powerful things against powerful people, it's very enticing to support them no matter their motivations.

      --
      #fuckbeta #iamslashdot #dicemustdie
  12. Re:Oh Java... by DickBreath · · Score: 3, Informative

    > > If you play Minecraft you need Java installed.

    > False. You don't need the Java browser plugin for Minecraft, only the JRE.

    His statement is true. Having the JRE installed is having Java installed. It is correct that the browser plugin is unnecessary. But his original statement is entirely correct.

    --

    I'll see your senator, and I'll raise you two judges.
  13. Re:Oh Java... by snemarch · · Score: 2

    Sure, I have the JRE installed on my work laptop - but I sure as hell don't have the browser plugin installed. Nor Flash, nor AdobePDF. When I need Flash, I fire up Chrome for that particular site. When I need Java (which us Danes sadly do for online banking and government interaction), I fire up a virtual machine image dedicated just for that.

    And my main browser, FireFox, has NoScript, AdBlockPlus, Ghostery and Certificate Patrol (any more addons I should know about?), work laptop as well as my own machines. But I digress. JRE: not a problem in and by itself. Just stay way clear of the browser plugin. And Flash. And AdobePDF.

    --
    Coffee-driven development.
  14. Re:Oh Java... by robmv · · Score: 5, Informative

    And the latest Java 7 update added features to disable Java applets and JNLP from browsers; that way, if you need Java for an application like Eclipse but don't need Java in the browser, you can secure yourself.

  15. Re:Oh Java... by molotov303 · · Score: 3, Informative

    I don't know why it isn't enabled by default, but Firefox has a click-to-play plugins option that should dramatically reduce the exposure to exploits like this. So NoScript isn't required.

    about:config
    plugins.click_to_play = true
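    A defender's audit of the setting above, added here as an example and not part of the original comment: it parses a Firefox prefs.js (the real `user_pref("name", value);` format) and reports whether `plugins.click_to_play` is explicitly on. The sample prefs.js content is constructed; the "absent means off" rule follows the comment's remark that click-to-play is not enabled by default.

```python
"""Audit a Firefox prefs.js for plugins.click_to_play (added example)."""
import re
from pathlib import Path

# One user_pref(...) line: quoted name, then true/false, an int, or a quoted string.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Return {pref_name: value} from prefs.js text.

    Later lines override earlier ones, as Firefox applies them in order.
    Blank lines and single-line comments (// or /* ... */) are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//") or stripped.startswith("/*"):
            continue
        m = _PREF_RE.match(stripped)
        if not m:
            continue  # not a user_pref line; ignore rather than guess
        name, raw = m.groups()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # unknown literal: keep as text
        prefs[name] = value
    return prefs


def click_to_play_enabled(prefs: dict) -> bool:
    """True only when plugins.click_to_play is explicitly the boolean true.

    A missing pref means the browser default applies, which the thread
    says is off, so absent (or a non-boolean value) counts as not enabled.
    """
    return prefs.get("plugins.click_to_play") is True


def audit_profile(profile_dir: str) -> bool:
    """Read prefs.js from a Firefox profile directory and audit it."""
    text = Path(profile_dir, "prefs.js").read_text(encoding="utf-8")
    return click_to_play_enabled(parse_prefs(text))


# Constructed sample: the user first set click-to-play off, then back on.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugins.click_to_play", false);
user_pref("network.http.max-connections", 256);
user_pref("plugins.click_to_play", true);
"""

if __name__ == "__main__":
    print("click-to-play enabled:", click_to_play_enabled(parse_prefs(SAMPLE_PREFS)))
```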

  16. Re:cluelessness of slashdot by SplashMyBandit · · Score: 2

    Name any piece of irreplaceable software for any user. Windows? nope, not for Mac users or Linux users. Firefox? not for Chrome users. The only irreplaceable software is based on C, but customers don't need to be aware of that. There are plenty of great Java programs out there that are without peer for users that need them (which doesn't happen to include you). So your argument is bunk - you just made it because you don't like Java - but you are lacking the insight to see that your argument extends to all software technologies (with the exception of C, which is pretty much core to all systems). So get real, eh? Java has plenty of uses - unless all you do all day is consume web content like Facebook and make mindless statements as an AC on Slashdot.

  17. There are 2 archetypes of bad Java coders by Anonymous Coward · · Score: 3, Insightful

    I have been coding in Java for quite a long time and there are essentially two archetypes of very crappy coders:

    1) The people who don't have what it takes to be a decent engineer (in any language) and are just creating horrible crap because that's the only thing they were taught in college.

    2) The people who "would rather be coding something else". Often (but not always) somewhat older engineers who might not have had any education in Java, and any understanding they do have (whether it's from formal education or from having read half a book a decade ago) is horribly outdated and incomplete. They stubbornly insist that if some of the architectural structures they learned decades ago, for different types of applications and different environments, end up creating a bad Java application, Java is to blame.

    The first archetype is useless but harmless: they write bad code but do so very slowly and don't dare to touch anything that looks intimidating, which means they generally can't screw anything important up. The second archetype is who I immediately blame whenever I get a "WTF was someone thinking?" moment when looking at some major design decision.

  18. He needs got by ThatsNotPudding · · Score: 2

    Folks like Paunch need to get got, if for no other reason than to remove a justification for governments around the world (China and the US getting closer to the same page every day) to regulate the Internet and render online anonymity a crime (all in the name of Snowflake Security, of course).

  19. Re:cluelessness of slashdot by cbhacking · · Score: 3, Insightful

    For fun? Minecraft.
    For work? Burp suite (there are other HTTP proxies, but none that do as well what I need them to do).
    There's also things like Eclipse and NetBeans (developers are people too... even if they are Java developers), of course... Java begets Java, to a certain degree, and there's already so much Java out there that it's pretty much impossible to stop creating more of it anytime in the reasonable future.

    --
    There's no place I could be, since I've found Serenity...
  20. Re:Oh Java... by lgw · · Score: 2

    Your bank requires Java, not Javascript? Are you in the US? I've never seen that before, though I hear web-based banking varies considerably between countries.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  21. Re:Oh Java... by sourcerror · · Score: 3, Interesting

    All the Java problems were with applets. Considering how many security problems were with Flash too, maybe the problem is with the browser APIs.

  22. Re:Oh Java... by dna_(c)(tm)(r) · · Score: 2, Informative

    Because some people deployed the applications using Applets and WebStart so just getting rid of it becomes a bit of an issue.

    Nobody uses applets for anything anymore - except the baddies - disable the java browser plugin and be done with it. Webstart is not the problem.

  23. Re:Oh Java... by Mathematiker · · Score: 2

    What does "online java application" mean? The app opens a network connection and communicates with some other host?

    Such an app would not become more safe if it were written in, say, C++ or C# or most other languages.

    The danger about Java is in the browser plugin, because it downloads and runs untrusted byte code. This is about as unsafe as using an ordinary browser with JavaScript enabled - which also downloads and runs untrusted code.