Slashdot Mirror


Java Zero-Day Vulnerability Rolled Into Exploit Packs

tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."

13 of 193 comments

  1. Re:Oh Java... by medv4380 · · Score: 4, Insightful

    It would be very difficult to cull Java in an Enterprise environment that was built on it even if you wanted to. Convincing your Boss that you have to redevelop the entire system just to do it would also be a difficult task.

  2. Re:Oh Java... by gstoddart · · Score: 5, Informative

    At this point does any tech savvy user still have the Java Runtime Environment installed?

    Sure, but I have NoScript installed to keep it from running except when I need it to.

    Sadly, I find myself needing Java for a lot of work related stuff. I even have a couple of machines that still have Flash on them because it's occasionally called for.

    In the real world, you can't always get away from using it since there's always some company required thing you need to access -- but that doesn't mean I'm prepared to let it run by default on just any web site.

    Hell, a lot of the tools I need to run daily for work are in Java.

    --
    Lost at C:>. Found at C.
  3. How has the exploit maker gone unfound? by Wokan · · Score: 4, Insightful

    Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?

    1. Re:How has the exploit maker gone unfound? by Nerdfest · · Score: 5, Interesting

      There's a person finding exploits for $10,000 per month and Oracle, Microsoft and Adobe don't subscribe to it? That's just silly.

  4. Re:Oh Java... by Mathematiker · · Score: 5, Insightful

    You know the difference between a browser plugin and the JRE?

    Do you really think that having Eclipse or MATLAB installed on your computer (both contain a JRE) makes it magically vulnerable?

  5. Re:Oh Java... by Nerdfest · · Score: 4, Insightful

    Why would you not develop systems in it, or rewrite existing ones? Just stop using the ridiculous browser plug-in. It's the new ActiveX.

  6. Re:Oh Java... by Anonymous Coward · · Score: 4, Informative

    If you use IE you can disable Java for all sites except the "enterprise ones". Even on IE6 - assuming an Enterprise environment typical of the sort you are talking about ;).

  7. Re:Just remove Java and get it over with by DigiShaman · · Score: 4, Informative

    Ya, and when the next JRE update prompts the user to install from the system tray, the browser plugin gets re-enabled (re-installed really).

    --
    Life is not for the lazy.
  8. Re:Oh Java... by Bill_the_Engineer · · Score: 5, Insightful

    At this point does any tech savvy user still have the Java Runtime Environment installed?

    At this point does any tech savvy user not know the difference between the Java Runtime Environment and the Java Browser Plugin? Just disable/remove the plugin.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  9. Why does Slashdot glorify hackers? by GodfatherofSoul · · Score: 5, Insightful

    These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Why does Slashdot glorify hackers? by girlintraining · · Score: 4, Interesting

      I suppose because on some level, we identify with the hacker. Our way of life is under constant assault by well-financed interests. The collective geek culture rejects the notion that ideas can be owned. Knowledge is power, and because of that, it should be shared freely and widely. Our culture rejects the limitations of online freedom that everyone wants -- whether it's bloggers in Iran being disappeared for providing updates on what their government is up to, to China's appetite for suppressing western influences, to our own government's desire for internet kill switches and pervasive monitoring. All of this gets in the way of free and unfettered access to information, something geeks believe is a cultural heritage and the right to access granted to all human beings. Geeks... are idealists and creatives.

      And when we see our creations turned against us, used to corrupt the ideals that gave birth to them, there is a certain artistic desire to destroy it because its beauty has been tarnished. It's something that you can find historical and literary examples of dating back to pre-Greek times. So on some level, we identify with the so-called "bad guys", because they're hurting the people who are hurting us.

      Sure, morally, ethically, we can recognize that it's wrong and destructive. We know that it only emboldens the destroyers and usurpers of our lifestyle to pass even more restrictive edicts and arrest more people, but psychologically it doesn't matter. We ourselves are powerless so when we see others in the same boat doing powerful things against powerful people, it's very enticing to support them no matter their motivations.

      --
      #fuckbeta #iamslashdot #dicemustdie
  10. Re:Oh Java... by robmv · · Score: 5, Informative

    and the latest Java 7 update added features to disable Java applets and JNLP from browsers, that way if you need Java for an application like Eclipse, but don't need Java on the browser, you can secure yourself

  11. Re:Just remove Java and get it over with by DickBreath · · Score: 4, Funny

    Support: Have you tried pushing the 10 key?
    Customer: The 10 key? Do you mean F10?
    Support: No. The 10 key is a black rocker on the back of the computer with a 1 and a 0. Pushing that will make your computer secure.

    --

    I'll see your senator, and I'll raise you two judges.