Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers

Posted by timothy on from the live-dangerously dept.

An anonymous reader writes with Help Net Security's report that a new zero-day vulnerability in Java is being exploited, quoting from which: The flaw was spotted by Trend Micro researchers, who are closely monitoring a targeted attack campaign mounted by the economic and political cyber-espionage operation Pawn Storm. The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit. The exploit allows attackers to execute arbitrary code on target systems with default Java settings. Until a patch is made, disabling Java is the recommended course of action.

7 of 122 comments (clear)

  1. There hasn't been a zero day? by Anonymous Coward · · Score: 5, Funny

    There hasn't been a zero day for Java in two years?

    If that's true, that sounds like the real news here.

  2. Here we go again. by sproketboy · · Score: 5, Insightful

    It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.

    1. Re:Here we go again. by Big+Hairy+Ian · · Score: 4, Funny

      I was just going to suggest everyone just change their brand of coffee! Problem solved

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  3. Irrelevant by Anonymous Coward · · Score: 4, Insightful

    Who gives a fuck about the Java plugin? The point is that Java is not the shitty java plugin, it's a programming language and JVM. People conflating the two are ignorant of Java's significance in the software industry. Like it or hate it for its own sake, but it's not the fucking browser plugin!

  4. Re:Disable Java == Broken Websites by amalcolm · · Score: 4, Informative

    Java != JavaScript There havn't been many sites with Java Applets for a long while. This was the only use case for the plugun, and it's unrelated to 99.9% of the use of Java 'the langauge' and the JVM

    --
    Time for bed, said Zebedee - boing
  5. Re:Disable Java == Broken Websites by gstoddart · · Score: 4, Interesting

    I very much doubt a significant majority of websites use Java. Javascript, maybe.

    And you know what? If you hit a website which requires you run unsecure shit which allows arbitrary code execution? Maybe you should realize that's a good time to leave it disabled and find another site.

    If you're letting every site on the planet run Java, Javascript, and Flash ... well, congratulations, you're who they make zero day exploits for.

    I haven't seen a non-work related website requiring actual Java in years.

    I consider those "please enable cookies and disable all security" warnings as a sure sign of either a badly done website, or one which is so focused on marketing and analytics that I don't give a crap if I can't reach their site.

    It's your security, either you take ownership of it, or you throw your hands up and decide that the world will end if you don't allow some website to run Java. You can't have it both ways.

    --
    Lost at C:>. Found at C.
  6. Re:Disable Java == Broken Websites by _merlin · · Score: 3, Informative

    Most rack mount servers have an integrated management controller that lets you access the system over a network connection as though you had a local display/keyboard/mouse/storage. The client is usually a Java Web Start application, Java applet or similar. Hence you need Java to administer servers unless you can physically get to the rack and connect stuff to it.