Slashdot Mirror


First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers

An anonymous reader writes, quoting Help Net Security's report that a new zero-day vulnerability in Java is being exploited: The flaw was spotted by Trend Micro researchers, who are closely monitoring a targeted attack campaign mounted by the economic and political cyber-espionage operation Pawn Storm. The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit. The exploit allows attackers to execute arbitrary code on target systems with default Java settings. Until a patch is made, disabling Java is the recommended course of action.

13 of 122 comments

  1. There hasn't been a zero day? by Anonymous Coward · · Score: 5, Funny

    There hasn't been a zero day for Java in two years?

    If that's true, that sounds like the real news here.

  2. Here we go again. by sproketboy · · Score: 5, Insightful

    It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.

    1. Re:Here we go again. by Big+Hairy+Ian · · Score: 4, Funny

      I was just going to suggest everyone just change their brand of coffee! Problem solved.

      --
      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:Here we go again. by squiggleslash · · Score: 2, Insightful

      Well, yeah, Oracle hate is totally justified, so let's do it! (Besides, who wrote the plugin?)

      But yes, Java hate is OTT. It's a decent language/concept. Microsoft did it better with .NET/C#, but beyond the painful programming patterns Java's frameworks enforce on everyone, it's not a bad system.

      The plugin needs to go though.

      --
      You are not alone. This is not normal. None of this is normal.

    3. Re:Here we go again. by putaro · · Score: 2

      No, it's not a small program because these exploits are usually not against the JVM but against the sandbox. The problem is that the basic idea of a sandbox that lets you do almost anything and has fine-grained controls over what APIs you can and cannot call is fundamentally flawed. The attack surface is huge and the security code threads through all kinds of libraries.

  3. Irrelevant by Anonymous Coward · · Score: 4, Insightful

    Who gives a fuck about the Java plugin? The point is that Java is not the shitty java plugin, it's a programming language and JVM. People conflating the two are ignorant of Java's significance in the software industry. Like it or hate it for its own sake, but it's not the fucking browser plugin!

    1. Re:Irrelevant by hummassa · · Score: 2

      Who gives a fuck about the Java plugin?

      Every single adult who has a bank account?

      (At least in my country, every single bank uses the java plugin in the internet banking site.)

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048

  4. Re:Disable Java == Broken Websites by amalcolm · · Score: 4, Informative

    Java != JavaScript. There haven't been many sites with Java Applets for a long while. This was the only use case for the plugin, and it's unrelated to 99.9% of the use of Java 'the language' and the JVM.

    --
    Time for bed, said Zebedee - boing

  5. Re:Disable Java == Broken Websites by gstoddart · · Score: 4, Interesting

    I very much doubt a significant majority of websites use Java. Javascript, maybe.

    And you know what? If you hit a website which requires you run unsecure shit which allows arbitrary code execution? Maybe you should realize that's a good time to leave it disabled and find another site.

    If you're letting every site on the planet run Java, Javascript, and Flash ... well, congratulations, you're who they make zero day exploits for.

    I haven't seen a non-work related website requiring actual Java in years.

    I consider those "please enable cookies and disable all security" warnings as a sure sign of either a badly done website, or one which is so focused on marketing and analytics that I don't give a crap if I can't reach their site.

    It's your security, either you take ownership of it, or you throw your hands up and decide that the world will end if you don't allow some website to run Java. You can't have it both ways.

    --
    Lost at C:>. Found at C.

  6. Re:Disable Java == Broken Websites by Anonymous Coward · · Score: 2, Funny

    The PROBLEM with disabling Java is that a significant majority of sites use it heavily.

    Uh, really? Can you name one website that uses Java heavily?

    Here is one: Verify your Java Version

  7. Re:Disable Java == Broken Websites by myowntrueself · · Score: 2

    Java != JavaScript

    There haven't been many sites with Java Applets for a long while. This was the only use case for the plugin, and it's unrelated to 99.9% of the use of Java 'the language' and the JVM.

    You don't do much system administration on physical hardware, do you?

    --
    In the free world the media isn't government run; the government is media run.

  8. Re:Disable Java == Broken Websites by _merlin · · Score: 3, Informative

    Most rack mount servers have an integrated management controller that lets you access the system over a network connection as though you had a local display/keyboard/mouse/storage. The client is usually a Java Web Start application, Java applet or similar. Hence you need Java to administer servers unless you can physically get to the rack and connect stuff to it.

  9. Re:Disable Java == Broken Websites by rogoshen1 · · Score: 2

    c) enable Java and let everyone else have access to your money (apparently?)