First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers
An anonymous reader writes with Help Net Security's report that a new zero-day vulnerability in Java is being exploited, quoting from which: The flaw was spotted by Trend Micro researchers, who are closely monitoring a targeted attack campaign mounted by the economic and political cyber-espionage operation Pawn Storm. The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit. The exploit allows attackers to execute arbitrary code on target systems with default Java settings. Until a patch is made, disabling Java is the recommended course of action.
There hasn't been a zero day for Java in two years?
If that's true, that sounds like the real news here.
It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.
Who gives a fuck about the Java plugin? The point is that Java is not the shitty java plugin, it's a programming language and JVM. People conflating the two are ignorant of Java's significance in the software industry. Like it or hate it for its own sake, but it's not the fucking browser plugin!
Java != JavaScript There haven't been many sites with Java Applets for a long while. This was the only use case for the plugin, and it's unrelated to 99.9% of the use of Java 'the language' and the JVM
Time for bed, said Zebedee - boing
Java is the recommended course of action.
FTFY. No need to include a timeframe.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I very much doubt a significant majority of websites use Java. Javascript, maybe.
And you know what? If you hit a website which requires you run unsecure shit which allows arbitrary code execution? Maybe you should realize that's a good time to leave it disabled and find another site.
If you're letting every site on the planet run Java, Javascript, and Flash ... well, congratulations, you're who they make zero day exploits for.
I haven't seen a non-work related website requiring actual Java in years.
I consider those "please enable cookies and disable all security" warnings as a sure sign of either a badly done website, or one which is so focused on marketing and analytics that I don't give a crap if I can't reach their site.
It's your security, either you take ownership of it, or you throw your hands up and decide that the world will end if you don't allow some website to run Java. You can't have it both ways.
Lost at C:>. Found at C.
The PROBLEM with disabling Java, is that a significant majority of sites use it heavily
Uh, really? Can you name one website that uses Java heavily?
systemd is Roko's Basilisk.
Even if you are one of the small percentage of the population who needs java installed, NOBODY should have it in their browser.
For those that aren't aware (I wasn't until I saw a post on a previous Java post), Minecraft now bundles Java with it, so you can uninstall Java and just re-download the bundled Minecraft installer from the website.
I haven't seen a non-work related website requiring actual Java in years.
nVidia driver scan.
KeepVid (download youtube videos)
Granted they aren't super common sites to visit, but people would enable Java applets there (if they can -- apparently chrome can't) to use them.
The only website that I know of that uses Java is my bank, and only for interactive graphs.
The PROBLEM with disabling Java, is that a significant majority of sites use it heavily
Uh, really? Can you name one website that uses Java heavily?
Here is one: Verify your Java Version
I noticed that despite a "significant majority of sites" using the Java plugin "heavily" in 2015, you couldn't even name ONE of them YOURSELF, even DESPITE your UNNECESSARY EMPHASIS on CERTAIN words.
You're either a shill or you're stupid, probably both. I haven't been to a site that required the Java plugin for anything since the early 2000s, maybe that's where you're getting your "statistics" FROM.
The exploit resides in a plugin for Java - and it goes without saying that if there is no Java there the buggy plugin would not exist, either
But the most important question is this - How soon can the world have the Net _without_ having to enable Java?
If it wasn't for Minecraft, no end user would be left with Java.
And in the office world, all the scared of MS tards led us down the java path. Thanks guys!
Bitch please, learn the difference between java and javascript.
Fuck keepvid, use the download helper extension for firefox.
Good job on remembering to click that anonymous posting box this time, "Announcer."
So you've managed to go from "a significant majority" of websites requiring the Java plugin, just to render the sites properly, to...two examples. Two examples that you say yourself, "aren't super common sites to visit."
If you're going to keep talking out of your ass, at least lodge some air freshener up there with your bullshit, your "breath" is starting to make this thread a bit ripe.
The issue, as I see it, is that most Java websites ARE work-based, which would mean seriously affecting workflow if you need to disable Java.
Most of my clients have at least one intranet site, vendor site, or even client site (their client) that requires Java to use the site.
Disabling Java for these people means day-to-day business cannot be done.
"economic and political cyber-espionage operation"
Was this written by someone at CNN?
I find it terribly amusing that in their haste to get ECMAScript adopted, they gave it a common name which would prove a few years down the road to be almost derogatory.
No you're wrong. They use JavaScript, not Java. Totally different things with similar names. I haven't had the Java plugin installed in any of my browsers for years and have never encountered one website that didn't work.
Sounds like you're confusing Java and JavaScript. I don't have the Java plugin *installed*, yet LinkedIn, eBay and Google+ all work just fine for me.
What sites depend on java on the client side? Name me one major site. Hell, even Oracle's site has no Java on it.
(aside from banking websites of a certain unstated country that some other person is complaining about, those banking sites are wrong)
I'm a good cook. I'm a fantastic eater. - Steven Brust
I haven't had Java installed in my browser in over a year and haven't found a single website I use commonly, or more than 2-3 that I have "passed by" (think links from slashdot articles) that required Java.
The last one was a link to Woz's 6502 silicon visualizer, which makes sense why that would be in Java and not use JavaScript or Flash or something. Hardly a required website though, just a neat toy.
The prior one was also squarely in the toy category, as it ran older Apple II software in a Java emulator in the browser. But the disk images could be downloaded and thus run in a native emulator on my PC (or even a Java emulator if I wanted to run one locally)
But back to your claims, I know not of any websites that deliver CONTENT via Java.
Flash certainly, but not Java.
I'm guessing either your computer setup is significantly badly broken, or you have little to no experience with web browsing and websites in general, or both.
I find it ironic you found it possible to post to slashdot while at the same time claiming slashdot requires Java (it doesn't and never did) and claiming that somehow prevented you from doing what you clearly and obviously have done.
Uh, really? Can you name one website that uses Java heavily?
Here is one: Verify your Java Version [java.com]
Doesn't look too heavy of use to me.
With no Java in my browser, I can read all the text on that page, see all the menu links and even click them to go to the target pages, and see only a single Java applet (well, after clicking their agree button)
Even better, when I do try to detect my Java version I see text output on the page that is both
A) there and readable, and
B) factually correct!
It says it can't determine my Java version, which is fairly accurate as I have no Java for it to detect the version of.
It doesn't show a blank page, or an error that Java isn't installed, or have most of the page missing like the original poster claimed would happen.
I have to admit, and I hate saying it about a company like Oracle, but that page is both very light on Java usage and probably one of the best implementations of graceful fail back and browser plugin handling in general that I've seen.
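The graceful fallback the poster describes (readable text whether or not the plugin is present, and an honest "cannot determine your Java version" when it is not) comes down to feature-detecting the plugin and never assuming it is there. The following is an added example written for this page, not code from java.com, Oracle or anyone in the thread. It assumes the NPAPI Java plugin registers the MIME types `application/x-java-applet` and `application/x-java-vm` and exposes a description like "Java(TM) Platform SE 8 U51"; those strings and the sample `navigator` objects are constructed for the demonstration.

```javascript
// Added example: feature-detect the Java browser plugin so a page can degrade
// gracefully when the plugin is disabled or absent (the sane default today).
// The MIME type strings are an assumption about how the NPAPI Java plugin
// registered itself; they are not taken from the thread.
const JAVA_MIME_TYPES = ["application/x-java-applet", "application/x-java-vm"];

function detectJavaPlugin(nav) {
  // Browsers without NPAPI have no (or an empty) navigator.mimeTypes; treat
  // that as "no plugin" rather than as an error so the page still renders.
  const mimeTypes = nav && nav.mimeTypes ? Array.from(nav.mimeTypes) : [];
  const hit = mimeTypes.find((m) => JAVA_MIME_TYPES.includes(m.type));
  if (!hit) {
    return { enabled: false, version: null };
  }
  // Parse the version loosely from the plugin description (e.g. "SE 8 U51")
  // and fall back to "unknown" instead of throwing on an unexpected format.
  const desc = (hit.enabledPlugin && hit.enabledPlugin.description) || "";
  const m = desc.match(/(\d+)(?:\s+U(\d+))?/);
  const version = m ? (m[2] ? `${m[1]}u${m[2]}` : m[1]) : "unknown";
  return { enabled: true, version };
}

// Plain-text status a user can read with or without the plugin, mirroring the
// "can't determine your Java version" output the poster saw with no Java.
function renderJavaStatus(nav) {
  const r = detectJavaPlugin(nav);
  return r.enabled
    ? `Java plugin detected (version ${r.version}).`
    : "Unable to determine your Java version: no Java plugin is available in this browser.";
}

// Constructed sample "navigator" objects so the example runs offline.
const NAV_WITHOUT_JAVA = { mimeTypes: [{ type: "application/pdf" }] };
const NAV_WITH_JAVA = {
  mimeTypes: [
    {
      type: "application/x-java-applet",
      enabledPlugin: { description: "Java(TM) Platform SE 8 U51" },
    },
  ],
};

console.log(renderJavaStatus(NAV_WITHOUT_JAVA));
console.log(renderJavaStatus(NAV_WITH_JAVA));
```

In a real page you would pass `window.navigator`; the point is that every branch, including a missing `navigator.mimeTypes`, produces readable text rather than a blank region or a script error, which is exactly what lets users keep the plugin disabled.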
www.pingtest.com for example. W/o Java you can't test packet loss.
Nvidia: Unlike (apparently) some people, I know what card, platform, and OS I'm using, and so get along just fine without the driver scanner, thanks.
KeepVid: Um, there's a Firefox extension for that, you know.
Il n'y a pas de Planet B.
The PROBLEM with disabling JavaSCRIPT, is that a significant majority of sites use it heavily.
FTFY. Of course you know that JavaSCRIPT has nothing whatever to do with Java, right?
"Until a patch is made, disabling Java is the recommended course of action."
Nope, it's _ALWAYS_ the recommended course of action
"W/o Java you can't test packet loss."
As if your OS's built-in ping command wouldn't fucking do that for you, retard?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Java != JavaScript
There haven't been many sites with Java Applets for a long while. This was the only use case for the plugin, and it's unrelated to 99.9% of the use of Java 'the language' and the JVM
You don't do much system administration on physical hardware, do you.
In the free world the media isn't government run; the government is media run.
Not sure what you mean by this. Can you elaborate?
FTFY
Always disabling Java is the recommended course of action.
Java and Flash on the web are technologies that have come and gone. Now that HTML5 video is prevalent, I'm much more likely to get pwn3d by a zero day than I am to find anything in either Java or Flash that I'd actually miss.
As a network engineer, I hate to say it, but ICMP packet loss testing is as good as dead these days. I have not found a provider in the last 5 years that doesn't have some form of ICMP restriction baked into various levels of infrastructure.
Seeing ICMP packet loss these days generally does not correlate with link loss; it usually just displays that you're hitting a route that rate-limits ICMP traffic.
That's the problem. Java consists of a ton of moving parts which get lumped into one concept:
1: The Java language.
2: The Java bytecode.
3: The JVM/JRE.
4: The JDK.
5: The Web plugins.
The Java language is decent. It is arguably the modern day BASIC, where it is fairly easy to get a "hello world" program, and has decent functionality as a general purpose language.
The Java bytecode is also robust. It would be nice if it were more like .NET's IL, where one can use any language of choice, and the compiled output winds up being bytecode, separating the language from the compiled code... but it is what it is.
The JVM/JRE is a headache-maker. I've seen AIX systems with 10-15 different Java executables, all in various sundry directories. Similar with Windows, with some programs using their own JVM, and multiple JVMs present systemwide. Only real answer is to have a VM dedicated for handling interacting with a Java website (usually an older appliance) that has the right JVM in it.
The JDK is not really an issue, but it is lumped in with Java.
Finally the Web plugins. As is stated on /. and other places, the most common vector for intrusion is compromised browsers or browser plug-ins. This will continue to bite us until stronger isolation is put in place, similar to IE's low security mode, but with true filesystem isolation and separation of browser instances, so a compromised window/tab can't infect another.
Main solution with dealing with Java is virtualization or containers. Serverside, it is extremely useful, but for applets, its time is long gone.
Most rack mount servers have an integrated management controller that lets you access the system over a network connection as though you had a local display/keyboard/mouse/storage. The client is usually a Java Web Start application, Java applet or similar. Hence you need Java to administer servers unless you can physically get to the rack and connect stuff to it.
Oracle employee here. We have VERY strict corporate standards regarding accessibility, governed in part by the Americans with Disabilities Act. And a team specifically tasked with dropping in on other teams, unannounced, to review their work to make sure it meets these guidelines.
That was an example of no-java-disabled functionality on a commonly used website, derp. Learn to read Khyber.
In certain niches Java Applets are still very common, online banking being one very important example. So for many people the options are simply: a) enable Java plugin; or b) have no access to your money.
>using a website to test shit that has the same functionality built into the OS.
Learn to use your brain. No reason to use a website to test packet loss when the functionality is built into the OS. Hell, I even have speed test software on my system. No need for Java, or Javashit.
JavaScript was originally called LiveScript, but was renamed (around 20 years ago) for marketing purposes. The ECMAScript name came later.
But even that might be more than you need. My Firefox always asks if I want to allow Flash or Java to run on any new site. Another dialog comes up to display the code signing details. This seems pretty safe.
That said, the code signing and sandboxing situation for Java IS a holy mess.
I'm sure millions of college students, when sent to an educational site that uses Java, will heed your advice. Java is still widely used in academia as well as the corporate world. It may be frustrating, but a lot of people are required to have Java running to get the shit that they are required to do done. Does it suck? Yes. Can you just disable and ignore vulnerabilities like this? No.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
Printers, server administration, webmin file management, and any crap vendor software that is run all require java... most require it via the browser (jnlp).
Speedtest-cli --server on openbsd works perfect.
As much as I tend to poke fun at your corporate overlords policies, a big congrats and thumbs up are in order to both the review team and whomever made that part of the java.com website!
I can't find the setting to disable Java on my Android devices. Anyone know?
Does this 'zero-day vulnerability in Java' work on anything else than Microsoft Windows ?
"The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit"
Is it possible to design a browser that can't be compromised by navigating to a 'suspicious URLs'?
c) enable java and let everyone else have access to your money (apparently?)
Both are 20 years old this year. I think LiveScript changed to JavaScript in 1997 though. I too have no idea why they went and made the name so close as Java was already out and applets were already in use when LiveScript changed their name to JavaScript. The oft cited "fact" that Java was made for coffee makers is not true either. (It was for cable television. It was too complex for interactive television at the time.)
"So long and thanks for all the fish."
They do not just keep your money if you have no access to the web interface. "no access to your money." No, you still have access. You just do not have it with your computer if you do not use their Java applet in some cases. You can still visit them or, sometimes, use an app on a phone or even just use your little plastic card to get access to your money.
Speaking of talking out of one's ass... I do not recall a time when the majority of sites required Java to render their pages properly. In fact, Java has pretty much nothing to do with page rendering. Perhaps you do not know what you are talking about...
Firefox and other browsers (and Flash) have had 0-day security exploits like forever, but nobody recommends just stopping using the Internet. Also, you can choose to run the Java Applet in a sandbox. There are tons of very useful Java Applets still out there; why should I deactivate Java and stop using them now? How is that 0-day exploit going to affect me in any way? It isn't and it won't, especially because Java Apps ask for permission to be run.
https://sites.google.com/site/...
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
Webstart is not a plugin, Webstart is a "native" program with its own sandbox. You can disable the applet plugin just fine and still run jnlp by just having those handled by javaws.
So disabling the applet will not break the equipment you are talking about, it will break stuff like iLO.
Sorry, I'd play you some music but I put my tiny violin somewhere and now I can't find it without a magnifying glass. Found a megaphone, though:
FUCKING STOP FINANCIALLY REWARDING COMPANIES THAT REQUIRE JAVA APPLETS!
When was the last time you refreshed your hardware, any of it? If it was in the last five years (and I'm being generous there, Java applets were known to be idiotic before that, too) and you purchased anything that requires a Java applet, then you are part of the problem and I have *no* sympathy for you. Make a migration timeline, get bids from vendors, include a specific requirement prohibiting dependencies on things like the Java plugin, and try actually making the world a better place. I don't expect that you can drop it all tomorrow, but you can damn well start on a plan to drop it today...
There's no place I could be, since I've found Serenity...
You can petition the professor (and loop in whoever is responsible for IT security, and work your way up the university bureaucracy as needed), pointing out that Java browser plugins are insecure and the university is putting student data and university network infrastructure at risk by requiring them to be enabled. Far better cause than most of the things I saw student petitions about, and a lot of those were addressed anyhow.
For the record, I completed my Bachelors in Computer Engineering in 2010, in the US. I never once needed a Java web plugin. I don't know how "widely used" it was back then, much less today, but it certainly wasn't required.
Admittedly, universities are... let's say "not the most security-conscious" of environments. But I still say there's no excuse for ongoing use of Java (and it does put student and university machines at risk). It's really not actually required in the academic world, and there *are* alternatives.
Great post.
For the record, though, IE's sandbox is pretty bad. It allows read (though not write) access to a lot of stuff. It also turns off by default when visiting a page on the local network. This sounds sane until you realize that:
A) A sandbox is only useful for containing a browser compromise.
B) A compromised browser can probably run arbitrary code.
C) You can run a web server from inside the sandbox.
D) Localhost counts as a local network page.
E) If you've got a browser compromise, you can definitely direct the compromised browser to web server hosting another copy of the exploit.
So yeah, most of the time the IE sandbox is going to be a speedbump at best. Chrome's sandbox (on Windows, at least) uses similar mechanisms, but runs at even lower privileges and additionally has a bunch of other restrictions; it's so unprivileged that it can't even launch another executable under its own privilege level. On the other hand, Firefox still just runs as your user account without even a speedbump to accessing anything you can access if it should get compromised.
Dell iDRAC doesn't depend on the Java browser plugin, it uses a Java Web Start application. But assuming you mean you want to get rid of the Java requirement altogether, rather than just the browser plugin, how do you suggest doing that? How would you make an OS-agnostic remote keyboard/mouse/video/storage client? The storage part is very important, we need to be able to mount virtual media to install operating systems and perform firmware upgrades. Java is the shittiest solution to the problem, apart from all the other solutions anyone's tried.
>> For the record, I completed my Bachelors in Computer Engineering in 2010, in the US. I never once needed a Java web plugin. I don't know how "widely used" it was back then, much less today, but it certainly wasn't required.
You're lucky, in the late 90's it was impossible to get a CS degree without at some point installing Java in your brain. Still not as bad as the C++ course where the lab portion was some crashtastic IDE on Mac OS 9.
From TFA: "downgrading Java to one of the older versions is not a good idea because they are vulnerable to other attacks"
well, which attacks, and are they not patched?
Atari rules... ermm... ruled.
My bank, some retail sites, facebook, web-based e-mail, and some other sites just don't work properly unless Java(WHATEVER) is enabled.
OK, so I got the Java* terminology mixed up... with so many variants, it's an easy mistake, so cut me some slack. Why do so many people have to be so bloody vicious? Good grief.
If Java* is left disabled, my bank's WEBsite doesn't work. Facebook doesn't work. Youtube doesn't work. Some online retail sites don't work. The streaming audio from my workplace doesn't work. (We lease a server, it's not our code.) My Web-based e-mail doesn't work... a significant number of sites that I use often, don't work.
So I will still stand by what I originally said, but with some rather brutal public corrections applied.
Willie...
Tell that to my bank.
OK, fine. From now on, I will just say Java*
All of the management pages for:
- EMC Storage
- Brocade FC switches
- Dell and HP managed ethernet switches
- Dell and HP DRAC/iLO remote management components
- Dell and Avocent IP KVMs
And I'm sure there are more. The best part is, none of the above works correctly with anything newer than Java 6! I have a VM running Windows 7, a working version of Firefox ESR, and Java 6. And I still have to constantly tell the VM that I don't want to update anything, and to just enable the darn plugins.