Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers

Posted by timothy on from the live-dangerously dept.

An anonymous reader writes with Help Net Security's report that a new zero-day vulnerability in Java is being exploited, quoting from which: The flaw was spotted by Trend Micro researchers, who are closely monitoring a targeted attack campaign mounted by the economic and political cyber-espionage operation Pawn Storm. The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit. The exploit allows attackers to execute arbitrary code on target systems with default Java settings. Until a patch is made, disabling Java is the recommended course of action.

122 comments

  1. There hasn't been a zero day? by Anonymous Coward · · Score: 5, Funny

    There hasn't been a zero day for Java in two years?

    If that's true, that sounds like the real news here.

    1. Re:There hasn't been a zero day? by Anonymous Coward · · Score: -1

      That might be because nobody uses Java any more. This ain't 1998.

    2. Re:There hasn't been a zero day? by Joce640k · · Score: 1, Troll

      "Disabling Java is the recommended course of action" ..and has been for several years now, Zero-day exploits or otherwise.

      --
      No sig today...
    3. Re:There hasn't been a zero day? by cbhacking · · Score: 1

      Who the hell modded this Troll? Oracle fanboys (do those even exist?) getting modpoints?

      Java in the browser was a bad idea to begin with, and is damn near inexcusable today. If it absolutely must exist, it should do so on a whitelist system, rather than just allowing arbitrary websites to run arbitrary applets.

      Just because we don't *know* about Java applet 0-days (that's what makes them 0-days, after all) doesn't mean they don't exist. Proper use of NoScript (even if we assumed NoScript didn't block Java) might keep you safer than blocking Java, but blocking Java is an easy change that requires almost no user knowledge and will impact very few people.

      --
      There's no place I could be, since I've found Serenity...
    4. Re:There hasn't been a zero day? by Anonymous Coward · · Score: 0

      I work at Oracle. I disable Java and Flash (and 3rd party JavaScript) in my browser by default. Why would I want code running on my computer without my permission? This isn't about pro-Oracle or anti-Oracle.

  2. Here we go again. by sproketboy · · Score: 5, Insightful

    It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.

    1. Re:Here we go again. by Anonymous Coward · · Score: 0

      Really, if Oracle's not to blame, who then supplies the Java plugin? If I create my own plugin that would mean legal hell, since Java API's are copyrighted.
      It is currently impossible to install a Java plugin which is secure, free from spyware and free to redistribute. So why the love for Java or Oracle ..

    2. Re:Here we go again. by Anonymous Coward · · Score: 1

      Well, Oracle hating is well justified. Java on the other hand not.

    3. Re:Here we go again. by Big+Hairy+Ian · · Score: 4, Funny

      I was just going to suggest everyone just change their brand of coffee! Problem solved

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    4. Re:Here we go again. by Anonymous Coward · · Score: 0

      You and the people who modded you up are dumb. Oracle develops the plug-in, hence yes the hate toward oracle is justified. My guess is that you confused the plug-in with javascript and instead of admitting your mistake, are doubling down.

    5. Re:Here we go again. by Anonymous Coward · · Score: -1

      It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.

      Seriously dude? Who wrote the java plugin? Little magic code fairies?

      Look, java has been an abomination upon the security world since the beginning. Java is unsafe at any speed.

      Java's security track record makes adobe & microsoft look good.

      And I don't get why - java is a small program. It's entirely feasible to design it well, if oracle cared to do so.

    6. Re: Here we go again. by Anonymous Coward · · Score: 0

      The Oracle shills sure are up early this morning! Happy Monday, good sir!

    7. Re:Here we go again. by squiggleslash · · Score: 2, Insightful

      Well, yeah, Oracle hate is totally justified, so let's do it! (Besides, who wrote the plugin?)

      But yes, Java hate is OTT. It's a decent language/concept. Microsoft did it better with .NET/C#, but beyond the painful programming patterns Java's frameworks enforce on everyone, it's not a bad system.

      The plugin needs to go though.

      --
      You are not alone. This is not normal. None of this is normal.
    8. Re:Here we go again. by myowntrueself · · Score: 1

      It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.

      The Java plugin thats disabled by default in the latest Chrome and will soon be completely unusable in Chrome thereby forcing sysadmins to use a different browser to administer hardware that needs Java in order to manage it, like IPMI, KVM, SAN's etc etc. That Java plugin?

      --
      In the free world the media isn't government run; the government is media run.
    9. Re:Here we go again. by myowntrueself · · Score: 1

      Well, yeah, Oracle hate is totally justified, so let's do it! (Besides, who wrote the plugin?)

      But yes, Java hate is OTT. It's a decent language/concept. Microsoft did it better with .NET/C#, but beyond the painful programming patterns Java's frameworks enforce on everyone, it's not a bad system.

      The plugin needs to go though.

      I hate Java as much as anyone. But I need Java every day; a lot of servers I manage around the world can only be accessed by Java based KVM consoles. Theres tons of hardware out there thats built with control interfaces that need Java.

      Its sad but its true.

      --
      In the free world the media isn't government run; the government is media run.
    10. Re:Here we go again. by Rob+Y. · · Score: 1

      So enable the plugin for your KVM console's URL only. If that's not possible, there should be a browser extension that makes it possible.

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    11. Re:Here we go again. by putaro · · Score: 2

      No, it's not a small program because these exploits are usually not against the JVM but against the sandbox. The problem is that the basic idea of a sandbox that lets you do almost anything and has fine-grained controls over what APIs you can and cannot call is fundamentally flawed. The attack surface is huge and the security code threads through all kinds of libraries.

    12. Re:Here we go again. by Anonymous Coward · · Score: 0

      No, it's not a small program because these exploits are usually not against the JVM but against the sandbox.

      So tell me, who wrote the java sandbox? Little magic code fairies?

      The problem is that the basic idea of a sandbox that lets you do almost anything and has fine-grained controls over what APIs you can and cannot call is fundamentally flawed. The attack surface is huge and the security code threads through all kinds of libraries.

      Thanks for explaining why java is such a POS and should never be used by anyone for anything.

    13. Re:Here we go again. by Anonymous Coward · · Score: 0

      You must be a fucking moron to conclude that 'Java's security track record makes adobe & microsoft look good.". Java has easily been more secure than Microsoft, their shitty browser and their even shittier OS. Fuck, even Adobe is more secure than Microsoft.

    14. Re:Here we go again. by Anonymous Coward · · Score: 0

      So tell me, who wrote the java sandbox? Little magic code fairies?

      More talented people than those that wrote the shit stained sandbox of IE. Or Windows for that matter.

      Thanks for explaining why java is such a POS and should never be used by anyone for anything.

      Windows and IE are the biggest piles of shit to have ever graced a computer.

    15. Re:Here we go again. by Anonymous Coward · · Score: 0

      Rest assured, no one hates you "system admins" more than developers.

    16. Re:Here we go again. by myowntrueself · · Score: 1

      Rest assured, no one hates you "system admins" more than developers.

      Tell you what, go and 'develop' an alternative.

      --
      In the free world the media isn't government run; the government is media run.
    17. Re:Here we go again. by Anonymous Coward · · Score: 0

      More talented people than those that wrote the shit stained sandbox of IE. Or Windows for that matter.

      And yet, these java exploits continue to regularly occur.

      So, either these talented people you speak of aren't so talented, or the architecture model is such a complete POS that it can't be done securely.

    18. Re:Here we go again. by Anonymous Coward · · Score: 0

      You can't choose to not install the Java Plugin.

    19. Re:Here we go again. by putaro · · Score: 1

      The basically stupid idea is the ability to download and run Turing-complete code from unknown sources in supposed "safety". This has nothing to do with actual applications written in Java which is a reasonably secure language, certainly more secure than C or C++ (no buffer overflows, etc.).

      The broken sandbox is completely orthogonal to whether or not Java is a POS. It's a feature, a broken feature, but not one that you're required to use and a well-written application, in any language, does not attempt to run Turing-complete code from unknown sources.

  3. deres haxx0rz in ur javaz by Anonymous Coward · · Score: -1

    because calling a cyberspade is just that much more cyberedgy, cyberinteresting, cyberscary, and cyberattention cybergetting.

  4. Irrelevant by Anonymous Coward · · Score: 4, Insightful

    Who gives a fuck about the Java plugin? The point is that Java is not the shitty java plugin, it's a programming language and JVM. People conflating the two are ignorant of Java's significance in the software industry. Like it or hate it for its own sake, but it's not the fucking browser plugin!

    1. Re:Irrelevant by hummassa · · Score: 2

      Who gives a fuck about the Java plugin?

      Every single adult who has a bank account?

      (At least in my country, every single bank uses the java plugin in the internet banking site.)

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    2. Re:Irrelevant by Anonymous Coward · · Score: 0

      Not in Austria. Here it's plain HTML plus some lightweight JavaScript (which was optional until maybe two years ago). Also, don't forget that a lot of the readers here are from the US, where the state of the art in banking is still paper checks. Many of them won't even know what you are talking about...

    3. Re:Irrelevant by Anonymous Coward · · Score: 1, Insightful

      You live in a backward country. I'm sorry.

    4. Re:Irrelevant by squiggleslash · · Score: 1

      Thankfully that's not really the case outside of Brazil. I haven't had to use Java to access my bank or credit accounts ever, in the 15 or so years of using the web to access them here in the US.

      I have no idea why Brazil's banks would be different, but they seriously need to update. I can't think of a single legitimate reason to consider using Java as more secure than HTML+JavaScript - the obvious are all "security by obscurity".

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re:Irrelevant by Anonymous Coward · · Score: 0

      Who gives a fuck about the Java plugin?

      Every single adult who has a bank account?

      (At least in my country, every single bank uses the java plugin in the internet banking site.)

      Your banks have a problem then. Here I have accounts with 3 major banks and 1 credit union, none use the Java plugin.

    6. Re:Irrelevant by SScorpio · · Score: 1

      At least it's better than South Korea who's bank used to all run off ActiveX.

    7. Re:Irrelevant by jeffryan · · Score: 1

      Brazil? Not all. I have a Bradesco personal ("Pessoa Física") account, java is disabled on my browser and I use Internet Banking normally. As of now, Bradesco is the second largest private bank in Brazil. I think the problem is mostly with the state owned banks.

    8. Re:Irrelevant by CauseBy · · Score: 1

      Not in the USA. I haven't used a Java plugin for a long time, certainly not for banking. The only time I'm confronted with plugins at all is when I try to watch videos of... um... of cats, yeah definitely cats.

    9. Re: Irrelevant by Anonymous Coward · · Score: 0

      Not one bank in my country uses java in the browser

    10. Re:Irrelevant by KGIII · · Score: 1

      Are you confusing Java with JavaScript?

      --
      "So long and thanks for all the fish."
    11. Re:Irrelevant by Anonymous Coward · · Score: 0

      You don't know well. They *STILL* run off ActiveX. If you ever want to do banking with Korean banks, you are required to install a handful of ActiveX modules; an encryption module, anti-keylogger, anti-virus, firewall etc. You are required to install those even if your system already has antivirus/firewall softwares of your choice installed. And each bank installs their own selection of modules therefore if you use more than one bank in Korea... well you will get a dozen or more ActiveX modules installed rather than a handful... It is crazy.

    12. Re:Irrelevant by CauseBy · · Score: 1

      I don't think so. I use JavaScript on pretty much every webpage I visit. But I have plugins disabled (click-to-play) so I know when I'm dealing with content that requires a plugin. I can't think of the last time I clicked-to-play without it being a video. If I ever use Java at all it is showing me a moving picture.

    13. Re:Irrelevant by KGIII · · Score: 1

      I can't recall anything that took Java to show a moving picture, at least not in a very long time. That was why I was curious if you were confusing the two. JavaScript is sometimes used to load content in Flash it seems as I have come across videos that will not play without it. *shrugs*

      --
      "So long and thanks for all the fish."
  5. Disable Java == Broken Websites by Announcer · · Score: -1

    The PROBLEM with disabling Java, is that a significant majority of sites use it heavily... so if you disable it, you cannot even see the content on many of them. THAT is a trend that should be changed! If a user visits a site, and they have their Java turned off, the LEAST they could do is provide a basic HTML version of the site, but no... you get that accursed "Please activate Java to view this site" message.

    --
    Willie...
    1. Re:Disable Java == Broken Websites by amalcolm · · Score: 4, Informative

      Java != JavaScript There havn't been many sites with Java Applets for a long while. This was the only use case for the plugun, and it's unrelated to 99.9% of the use of Java 'the langauge' and the JVM

      --
      Time for bed, said Zebedee - boing
    2. Re:Disable Java == Broken Websites by gstoddart · · Score: 4, Interesting

      I very much doubt a significant majority of websites use Java. Javascript, maybe.

      And you know what? If you hit a website which requires you run unsecure shit which allows arbitrary code execution? Maybe you should realize that's a good time to leave it disabled and find another site.

      If you're letting every site on the planet run Java, Javascript, and Flash ... well, congratulations, you're who they make zero day exploits for.

      I haven't seen a non-work related website requiring actual Java in years.

      I consider those "please enable cookies and disable all security" warnings as a sure sign of either a badly done website, or one which is so focused on marketing and analytics that I don't give a crap if I can't reach their site.

      It's your security, either you take ownership of it, or you throw your hands up and decide that the world will end if you don't allow some website to run Java. You can't have it both ways.

      --
      Lost at C:>. Found at C.
    3. Re:Disable Java == Broken Websites by wonkey_monkey · · Score: 1

      The PROBLEM with disabling Java, is that a significant majority of sites use it heavily

      Uh, really? Can you name one website that uses Java heavily?

      --
      systemd is Roko's Basilisk.
    4. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      I haven't seen a non-work related website requiring actual Java in years.

      nVidia driver scan.

      KeepVid (download youtube videos)

      Granted they aren't super common sites to visit, but people would enable Java applets there (if they can -- apparently chrome can't) to use them.

    5. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      The only website that I know of that uses Java is my bank, and only for interactive graphs.

    6. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 2, Funny

      The PROBLEM with disabling Java, is that a significant majority of sites use it heavily

      Uh, really? Can you name one website that uses Java heavily?

      Here is one: Verify your Java Version

    7. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      I noticed that despite a "significant majority of sites" using the Java plugin "heavily" in 2015, you couldn't even name ONE of them YOURSELF, even DESPITE your UNNECESSARY EMPHASIS on CERTAIN words.

      You're either a shill or you're stupid, probably both. I haven't been to a site that required the Java plugin for anything since the early 2000s, maybe that's where you're getting your "statistics" FROM.

    8. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      Bitch please, learn the difference between java and javascript.

    9. Re: Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      Fuck keepvid, use the download helper extension for firefox.

    10. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: -1, Flamebait

      I can name several. LinkedIn, Ebay, Google+... none of those sites would work with Java disabled. Facebook also uses Java quite heavily - it would probably mostly still work with Java disabled, but certain functionality (instant messaging, for example) wouldn't be available.

      Of course, I do realise that you were referring to Java applets, not server-side Java. Your meaning was clear too; I'm just taking pot-shots at the article which is horribly (and recklessly) misleading. It's the Java Web Plugin that was exploited here and should be disabled or removed, not Java or any component thereof.

    11. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      Good job on remembering to click that anonymous posting box this time, "Announcer."

      So you've managed to go from "a significant majority" of websites requiring the Java plugin, just to render the sites properly, to...two examples. Two examples that you say yourself, "aren't super common sites to visit."

      If you're going to keep talking out of your ass, at least lodge some air freshener up there with your bullshit, your "breath" is starting to make this thread a bit ripe.

    12. Re: Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      The issue, as I see it, is that most Java websites ARE work-based, which would mean seriously affecting workflow if you need to disable Java.

      Most of my clients have at least one intranet site, vendor site, or even client site (their client) that requires Java to use the site.

      Disabling Java for these people means day-to-day business cannot be done.

    13. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      I find it terribly amusing that in their haste to get EMCAscript adopted, they gave it a common name which would prove a few years down the road to be almost derogatory.

    14. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 1

      No you're wrong. They use JavaScript, not Java. Totally different things with similar names. I haven't had the Java plugin installed in any of my browsers for years and have never encountered one website that didn't work.

    15. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      Sounds like you're confusing Java and JavaScript. I don't have the Java plugin *installed*, yet LinkedIn, eBay and Google+ all work just fine for me.

    16. Re:Disable Java == Broken Websites by nitehawk214 · · Score: 1

      What sites depend on java on the client side? Name me one major site. Hell, even Oracle's site has no Java on it.

      (aside from banking websties of a certain unstated country that some other person is complaining about, those banking sites are wrong)

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    17. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      I haven't had Java installed in my browser in over a year and haven't found a single website I use commonly, or more than 2-3 that I have "passed by" (think links from slashdot articles) that required Java.

      The last one was a link to Woz's 6502 silicon visualizer, which makes sense why that would be in Java and not use JavaScript or Flash or something. Hardly a required website thou, just a neat toy.

      The prior one was also squarely in the toy category, as it ran older Apple II software in a Java emulator in the browser. But the disk images could be downloaded and thus run in a native emulator on my PC (or even a Java emulator if I wanted to run one locally)

      But back to your claims, I know not of any websites that deliver CONTENT via Java.
      Flash certainly, but not Java.

      I'm guessing either your computer setup is significantly badly broken, or you have little to no experience with web browsing and websites in general, or both.

      I find it ironic you found it possible to post to slashdot while at the same time claiming slashdot requires Java (it doesn't and never did) and claiming that somehow prevented you from doing what you clearly and obviously have done.

    18. Re:Disable Java == Broken Websites by dissy · · Score: 1

      Uh, really? Can you name one website that uses Java heavily?

      Here is one: Verify your Java Version [java.com]

      Doesn't look too heavy of use to me.

      With no Java in my browser, I can read all the text on that page, see all the menu links and even click them to go to the target pages, and see only a single Java applet (well, after clicking their agree button)

      Even better, when I do try to detect my Java version I see text output on the page that is both
      A) there and readable, and
      B) factually correct!

      It says it can't determine my Java version, which is fairly accurate as I have no Java for it to detect the version of.
      It doesn't show a blank page, or an error that Java isn't installed, or have most of the page missing like the original poster claimed would happen.

      I have to admit, and I hate saying it about a company like Oracle, but that page is both very light on Java usage and probably one of the best implementations of graceful fail back and browser plugin handling in general that I've seen.

    19. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      www.pingtest.com for example. W/o Java you can't test packet loss.

    20. Re:Disable Java == Broken Websites by Zontar+The+Mindless · · Score: 1

      Nvidia: Unlike (apparently) some people, I know what card, platform, and OS I'm using, and so get along just fine without the driver scanner, thanks.

      KeepVid: Um, there's a Firefox extension for that, you know.

      --
      Il n'y a pas de Planet B.
    21. Re:Disable Java == Broken Websites by fnj · · Score: 1

      The PROBLEM with disabling JavaSCRIPT, is that a significant majority of sites use it heavily.

      FTFY. Of course you know that JavaSCRIPT has nothing whatever to do with Java, right?

    22. Re:Disable Java == Broken Websites by Khyber · · Score: 0

      "W/o Java you can't test packet loss."

      As if your OS's built-in ping command wouldn't fucking do that for you, retard?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    23. Re:Disable Java == Broken Websites by myowntrueself · · Score: 2

      Java != JavaScript

      There havn't been many sites with Java Applets for a long while. This was the only use case for the plugun, and it's unrelated to 99.9% of the use of Java 'the langauge' and the JVM

      You don't do much system administration on physical hardware, do you.

      --
      In the free world the media isn't government run; the government is media run.
    24. Re:Disable Java == Broken Websites by amalcolm · · Score: 1

      Not sure what you mean by this. Can you elaborate?

      --
      Time for bed, said Zebedee - boing
    25. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 1

      As a network engineer, I hate to say it, but ICMP packet loss testing is as good as dead these days. I have not found a provider in the last 5 years that doesn't have some form of ICMP restriction baked into various levels of infrastructure.

      Seeing ICMP packet loss these generally days does not correlate with link loss; it usually just displays that you're hitting a route that rate-limits ICMP traffic.

    26. Re:Disable Java == Broken Websites by mlts · · Score: 1

      That's the problem. Java consists of a ton of moving parts which get lumped into one concept:

      1: The Java language.
      2: The Java bytecode.
      3: The JVM/JRE.
      4: The JDK.
      5: The Web plugins.

      The Java language is decent. It is arguably the modern day BASIC, where it is fairly easy to get a "hello world" program, and has decent functionality as a general purpose language.

      The Java bytecode is also robust. It would be nice if it were more like .NET's IL, where one can use any language of choice, and the compiled output winds up being bytecode, separating the language from the compiled code... but it is what it is.

      The JVM/JRE is a headache-maker. I've seen AIX systems with 10-15 different Java executables, all in various sundry directories. Similar with Windows, with some programs using their own JVM, and multiple JVMs present systemwide. Only real answer is to have a VM dedicated for handling interacting with a Java website (usually an older appliance) that has the right JVM in it.

      The JDK is not really an issue, but it is lumped in with Java.

      Finally the Web plugins. As is stated on /. and other places, the most common vector for intrusion are compromised browsers or browser plug-ins. This will continue to bite us until stronger isolation is put in place, similar to IE's low security mode, but with true filesystem isolation and separation of browser instances, so a compromised window/tab can't infect another.

      Main solution with dealing with Java is virtualization or containers. Serverside, it is extremely useful, but for applets, its time is long gone.

    27. Re:Disable Java == Broken Websites by _merlin · · Score: 3, Informative

      Most rack mount servers have an integrated management controller that lets you access the system over a network connection as though you had a local display/keyboard/mouse/storage. The client is usually a Java Web Start application, Java applet or similar. Hence you need Java to administer servers unless you can physically get to the rack and connect stuff to it.

    28. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 1

      Oracle employee here. We have VERY strict corporate standards regarding accessibility, governed in part by the Americans with Disabilities Act. And a team specifically tasked with dropping in on other teams, unannounced, to review their work to make sure it meets these guidelines.

    29. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      That was an example of no-java-disabled functionality on a commonly used website, derp. Learn to read Khyber.

    30. Re:Disable Java == Broken Websites by BadgerRush · · Score: 1

      In certain niches Java Applets are still very common, online banking being one very important example. So for many people the options are simply: a) enable Java plugin; or b) have no access to your money.

    31. Re:Disable Java == Broken Websites by Khyber · · Score: 1

      >using a website to test shit that has the same functionality built into the OS.

      Learn to use your brain. No reason to use a website to test packet loss when the functionality is built into the OS. Hell, I even have speed test software on my system. No need for Java, or Javashit.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    32. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      JavaScript was originally called LiveScript, but was renamed (around 20 years ago) for marketing purposes. The ECMAScript name came later.

    33. Re:Disable Java == Broken Websites by The+Raven · · Score: 1

      I'm sure millions of college students, when sent to an educational site that uses Java, will heed your advice. Java is still widely used in academia as well as the corporate world. It may be frustrating, but a lot of people are required to have Java running to get the shit that they are required to do done. Does it suck? Yes. Can you just disable and ignore vulnerabilities like this? No.

      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    34. Re: Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      Printers, server administration, webmin file management, and any crap vendor software that is run all require java... most require it via the browser (jnlp).

    35. Re: Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      Speedtest-cli --server on openbsd works perfect.

    36. Re:Disable Java == Broken Websites by dissy · · Score: 1

      As much as I tend to poke fun at your corporate overlords policies, a big congrats and thumbs up are in order to both the review team and whomever made that part of the java.com website!

    37. Re:Disable Java == Broken Websites by rogoshen1 · · Score: 2

      c) enable java and let everyone else have access to your money (apparently?)

    38. Re:Disable Java == Broken Websites by KGIII · · Score: 1

      Both are 20 years old this year. I think LiveScript changed to JavaScript in 1997 though. I too have no idea why they went and made the name so close as Java was already out and applets were already in use when LiveScript changed their name to JavaScript. The oft cited "fact" that Java was made for coffee makers is not true either. (It was for cable television. It was too complex for interactive television at the time.)

      --
      "So long and thanks for all the fish."
    39. Re:Disable Java == Broken Websites by KGIII · · Score: 1

      They do not just keep your money if you have no access to the web interface. "no access to your money." No, you still have access. You just do not have it with your computer if you do not use their Java applet in some cases. You can still visit them or, sometimes, use an app on a phone or even just use your little plastic card to get access to your money.

      --
      "So long and thanks for all the fish."
    40. Re:Disable Java == Broken Websites by KGIII · · Score: 1

      Speaking of talking out of one's ass... I do not recall a time when the majority of sites required Java to render their pages properly. In fact, Java has pretty much nothing to do with page rendering. Perhaps you do not know what you are talking about...

      --
      "So long and thanks for all the fish."
    41. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 1

      Webstart is not a plugin, webstart is a "native" program with its own sandbox. You can disable the applet plugin just fine and still run jplp by just having those handled by javaws.
      So disabling the applet will not break the equipment you are talking about, it will break stuff like iLO.

    42. Re:Disable Java == Broken Websites by cbhacking · · Score: 1

      Sorry, I'd play you some music but I put my tiny violin somewhere and now I can't find it without a magnifying glass. Found a megaphone, though:

      FUCKING STOP FINANCIALLY REWARDING COMPANIES THAT REQUIRE JAVA APPLETS!

      When was the last time you refreshed your hardware, any of it? If it was in the last five years (and I'm being generous there, Java applets were known to be idiotic before that, too) and you purchased anything that requires a Java applet, then you are part of the problem and I have *no* sympathy for you. Make a migration timeline, get bids from vendors, include a specific requirement prohibiting dependencies on things like the Java plugin, and try actually making the world a better place. I don't expect that you can drop it all tomorrow, but you can damn well start on a plan to drop it today...

      --
      There's no place I could be, since I've found Serenity...
    43. Re:Disable Java == Broken Websites by cbhacking · · Score: 1

      You can petition the professor (and loop in whoever is responsible for IT security, and work your way up the university bureaucracy as needed, pointing out that Java browser plugins are insecure and the university is putting student data and university network infrastructure at risk by requiring them to be enabled. Far better cause than most of the things I saw student petitions about, and a lot of those were addressed anyhow.

      For the record, I completed my Bachelors in Computer Engineering in 2010, in the US. I never once needed a Java web plugin. I don't know how "widely used" it was back then, much less today, but it certainly wasn't required.

      Admittedly, universities are... lets say "not the most security-conscious" of environments. But I still say there's no excuse for ongoing use of Java (and it does put student and university machines at risk). It's really not actually required in the academic world, and there *are* alternatives.

      --
      There's no place I could be, since I've found Serenity...
    44. Re:Disable Java == Broken Websites by cbhacking · · Score: 1

      Great post.

      For the record, though, IE's sandbox is pretty bad. It allows read (though not write) access a lot of stuff. It also turns off by default when visiting a page on the local network. This sounds sane until you realize that:
      A) A sandbox is only useful for containing a browser compromise.
      B) A compromised browser can probably run arbitrary code.
      C) You can run a web server from inside the sandbox.
      D) Localhost counts as a local network page.
      E) If you've got a browser compromise, you can definitely direct the compromised browser to web server hosting another copy of the exploit.

      So yeah, most of the time the IE sandbox is going to be a speedbump at best. Chrome's sandbox (on Windows, at least) uses similar mechanisms, but runs at even lower privileges and additionally has a bunch of other restrictions; it's so unprivileged that it can't even launch another executable under its own privilege level. On the other hand, Firefox still just runs as your user account without even a speedbump to accessing anything you can access if it should get compromised.

      --
      There's no place I could be, since I've found Serenity...
    45. Re:Disable Java == Broken Websites by _merlin · · Score: 1

      Dell iDRAC doesn't depend on the Java browser plugin, it uses a Java Web Start application. But assuming you mean you want to get rid of the Java requirement altogether, rather than just the browser plugin, how do you suggest doing that? How would you make an OS-agnostic remote keyboard/mouse/video/storage client? The storage part is very important, we need to be able to mount virtual media to install operating systems and perform firmware upgrades. Java is the shittiest solution to the problem, apart from all the other solutions anyone's tried.

    46. Re:Disable Java == Broken Websites by qubezz · · Score: 1

      >> For the record, I completed my Bachelors in Computer Engineering in 2010, in the US. I never once needed a Java web plugin. I don't know how "widely used" it was back then, much less today, but it certainly wasn't required.

      You're lucky, in the late 90's it was impossible to get a CS degree without at some point installing Java in your brain. Still not as bad as the C++ course where the lab portion was some crashtastic IDE on Mac OS 9.

    47. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 0

      My bank, some retail sites, facebook, web-based e-mail, and some other sites just don't work properly unless Java(WHATEVER) is enabled.

    48. Re:Disable Java == Broken Websites by Announcer · · Score: 1

      Tell that to my bank.

      --
      Willie...
    49. Re:Disable Java == Broken Websites by SkimTony · · Score: 1

      All of the management pages for:
        - EMC Storage
        - Brocade FC switches
        - Dell and HP managed ethernet switches
        - Dell and HP DRAC/iLO remote management components
        - Dell and Avocent IP KVMs
      And I'm sure there are more. The best part is, none of the above works correctly with anything newer than Java 6! I have a VM running Windows 7, a working version of Firefox ESR, and Java 6. And I still have to constantly tell the VM that I don't want to update anything, and to just enable the darn plugins.

  6. Until? by AmiMoJo · · Score: 1

    Java is the recommended course of action.

    FTFY. No need to include a timeframe.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Java? What's that? Oh you mean minecraft! by Anonymous Coward · · Score: 0

    Even if you are one of the small percentage of the population who needs java installed, NOBODY should have it in their browser.

    For those that aren't aware (i wasn't until i saw a post on a previous java post) minecraft now bundles java with it so you can uninstall java and just re-download the bundled minecraft installer from the website.

  8. The root is still Java by Anonymous Coward · · Score: 0

    The exploit resides in a plugin for Java - and it goes without saying that if there is no Java there the buggy plugin would not exist, either

    But the most important question is this - How soon can the world have the Net _without_ having to enable Java?

    1. Re:The root is still Java by Anonymous Coward · · Score: 0

      ... people still enable Java? I'm not even sure if a Java browswer plugin is available at all for my system, and I can't think of a time I've noticed its absence.

    2. Re:The root is still Java by TheRaven64 · · Score: 1

      When the last Java plugin zero-day came out, I went to disable Java and then remembered that I'd done it the last time. I have not once noticed during browsing that a site has failed to work because it needs Java.

      --
      I am TheRaven on Soylent News
    3. Re:The root is still Java by myowntrueself · · Score: 1

      The exploit resides in a plugin for Java - and it goes without saying that if there is no Java there the buggy plugin would not exist, either

      But the most important question is this - How soon can the world have the Net _without_ having to enable Java?

      You might be surprised at how much hardware has control interfaces that require Java. The people who manage the servers that the websites you visit often need Java and the browser options for this are shrinking all the time.

      If Java were to disappear from the Internet then data centers would be fucked. They'd have to get new hardware whose control interfaces didn't need Java. This would be expensive. Who is gonna pay?

      --
      In the free world the media isn't government run; the government is media run.
    4. Re:The root is still Java by mlts · · Score: 1

      This is what VMs are for. There are appliances (older Sun disk arrays for example) that not just require Java, but only work with one version of the JVM, and will just throw exceptions and crash if one uses the latest version.

      So, to interface with the legacy controllers, a browser and that correct Java runtime go into a VM and when it is done being used, it gets shut down and rolled back.

    5. Re:The root is still Java by K.+S.+Kyosuke · · Score: 1

      So...you need your (J)VM in a VM? Yo dawg...

      --
      Ezekiel 23:20
    6. Re:The root is still Java by KGIII · · Score: 1

      I can not recall the last time I saw an applet, servlet. or JaveServer Page... My banks, all of them, have never used Java ever, ever, ever... I do tend to use smaller banks and, mostly, credit unions so that may have something to do with it. They have used JavaScript but most of that devolves to pain HTML if there is no JavaScript enabled.

      What is odd, and an aside, is the number of low UIDs that seemingly are conflating Java and JavaScript. I would, and do, think that they have seen this conversation enough to know the difference even if they are not programmers or web developers. It seems that this is not something that is ever going to end until one of the two goes away. Java is 20 years old this year and JavaScript showed up in Netscape 2.0 also in 1995. It seems unlikely that either of them will be going anywhere in the immediate future.

      --
      "So long and thanks for all the fish."
    7. Re:The root is still Java by Anonymous Coward · · Score: 0

      Do they control hardwares with Java plugin? You must be confused with Java the language/VM and Java plug-in for browsers.

    8. Re:The root is still Java by myowntrueself · · Score: 1

      Do they control hardwares with Java plugin? You must be confused with Java the language/VM and Java plug-in for browsers.

      The hardware has web-based control panels which use Java in the browser requiring a plug-in.

      --
      In the free world the media isn't government run; the government is media run.
  9. great! by 0xdeaddead · · Score: 0

    if it wasnt for Minecraft, no end user would be left with java.

    And in the office world, all the scared of MS tards led us down the java path. Thanks guys!

    1. Re:great! by Anonymous Coward · · Score: 0

      Cisco Configuration Professional will only run on a Java 6 (maybe 7, with a lot of hacks and tweaks) install. The latest version from Cisco. What the hell are they smoking I don't know, but it's a reason I have a seperate VM just to configure the router.

    2. Re: great! by hunterkll · · Score: 1

      Works fine on java 8 here. Just has to be run as administrator.

    3. Re: great! by Anonymous Coward · · Score: 0

      I just realized they have a new version out for CCP, I'm going to install it immediately. Thanks for making me realize I was a moron for not checking earlier, considering it's been released nearly 3 months ago.

    4. Re:great! by Anonymous Coward · · Score: 0

      Can you blame them? After all, MS puts Java on your computer (Minecraft) whereas non-MS office software (Apache OpenOffice, for example) does not.

      (the paragraph above, while accurate, is not intended to be taken orally or seriously)

      The important thing to remember is that this exploit is for the Java plugin, not Java itself. You don't need to remove or disable Java if you happen to have something that relies upon it - just disable the awful browser plugin.

    5. Re:great! by Anonymous Coward · · Score: 0

      Nobody with half a brain runs Minecraft from a web browser anyhow. The launcher sets up the Java environment properly with the right (aka massive) amount of memory allocation.

    6. Re:great! by 0xdeaddead · · Score: 1

      don't forget ACS! And I have some stupid Avocent OOB thing that of course requires JAVA.

      Network people who are scared of windows and force this java crapfest are so damned 1997 annoying. Then there are the Oracle heads. Just wish this crap would finally die.

  10. Fear and loathing by Anonymous Coward · · Score: 0

    "economic and political cyber-espionage operation"

    Was this written by someone at CNN?

    1. Re:Fear and loathing by Zontar+The+Mindless · · Score: 1

      I'm sure they felt good about themselves after they wrote it.

      --
      Il n'y a pas de Planet B.
  11. Try always... by TFlan91 · · Score: 0

    "Until a patch is made, disabling Java is the recommended course of action."

    Nope, it's _ALWAYS_ the recommended course of action

  12. Lets just disable java by cant_get_a_good_nick · · Score: 1, Insightful

    FTFY

    Always disabling Java is the recommended course of action.

    Java and Flash on the web are technologies that have come and gone. Now that HTML5 video is prevalent, I'm much more likely to get pwn3d by a zero day than I am to find anything in either Java or Flash that I'd actually miss.

    1. Re:Lets just disable java by Anonymous Coward · · Score: 0

      After reading your post I've ordered my main engineer to disable Java on our 30 servers. Our financial application no longer runs (written in Java) and we're losing about 10,000$ per hour. Clients are calling us every minute to complain, but I feel like it was the right decision. Your post only discussed Java and Flash on the web, and I'd like to know why we should "always" disable Java, even on servers.

  13. Most browsers already block java by default by bhlowe · · Score: 1
    The warning should be "Disabling Java in your preferred browser is the recommended course of action".

    But even that might be more than you need. My FireFox always asks if I want to allow Flash or Java to run on any new site.. Another dialog comes up to display the code signing details. This seems pretty safe.

    That said, the code signing and sandboxing situation for Java IS a holy mess.

  14. How do I disable Java? by Anonymous Coward · · Score: 0

    I can't find the setting to disable Java on my Android devices. Anyone know?

  15. Microsoft Windows zero-day vulnerability in Java . by Anonymous Coward · · Score: 0

    Does this 'zero-day vulnerability in Java' work on anything else than Microsoft Windows ?

  16. Suspicious URLs .. by nickweller · · Score: 1

    "The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit"

    Is it possible to design a browser that can't be compromised by navigating to a 'suspicious URLs'?

    1. Re:Suspicious URLs .. by cbhacking · · Score: 1

      In theory, a server should never be able to compromise a browser (no matter what URL the server is hosted at *eye roll*), so yes, it's possible. Is it *practical*? Probably not. Modern browsers are complex beasts, with tons of attack surface and a constant push towards better performance.

      --
      There's no place I could be, since I've found Serenity...
  17. Why the Big Deal? by devent · · Score: 1

    Firefox and other browsers (and Flash) had 0-day security exploids like forever, but nobody recomends to just stop using the Internet. Also, you can chose to run the Java Applet in a sandbox. There are tons of very useful Japa Apples still there, why should I deactivate Java and stop using them now? How is that 0-day exploid going to affect me in any way? It isn't and it won't, especially because Java Apps ask for permission to be run.

    https://sites.google.com/site/...

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
  18. downgrading to older bad, because vulnerable ? by Gunstick · · Score: 1

    From TFA: "downgrading Java to one of the older versions is not a good idea because they are vulnerable to other attacks"

    well, which attacks, and are they not patched?

    --
    Atari rules... ermm... ruled.
  19. Re:Disable Java* == many broken sites by Announcer · · Score: 1

    OK, so I got the Java* terminology mixed up... with so many variants, it's an easy mistake, so cut me some slack. Why do so many people have to be so bloody vicious? Good grief.

    If Java* is left disabled, my bank's WEBsite doesn't work. Facebook doesn't work. Youtube doesn't work. Some online retail sites don't work. The streaming audio from my workplace doesn't work. (We lease a server, it's not our code.) My Web-based e-mail doesn't work... a significant number of sites that I use often, don't work.

    So I will still stand by what I originally said, but with some rather brutal public corrections applied.

    --
    Willie...
  20. Re:Disable Java* == man broken sites by Announcer · · Score: 1

    OK, fine. From now on, I will just say Java*

    --
    Willie...