NewsBot (posted January 14, 2013): A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers. Attack code that exploits a vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits. According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7. Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.
Eldmannen (posted January 17, 2013): Oracle have known about these security vulnerabilities for about half a year now and done nothing. Recently they released an update to finally fix those vulnerabilities. They only released the update after Apple and Mozilla blacklisted Java. But just days later, someone is selling a new Java exploit.
greenknight (posted January 18, 2013): Oracle knew they weren't patching all the vulnerabilities with that update, but at least they raised the default security level to "high". Now the user is always prompted before unsigned applets are allowed to run. Might help a little... The Java plug-in is high risk, should be used with great caution or not at all. Even if they declare it fully patched and secure, don't trust it.
James_A (posted January 29, 2013): Not only is Java high-risk to use, it's risky to even install it. According to Ed Bott on ZDNet: Java is the new king of foistware, displacing Adobe and Skype from the top of the heap. And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry. In coordination with Ben Edelman, an expert on deceptive advertising, spyware and adware, I've been looking at how Oracle delivers Java to its customers and who it has chosen to partner with. The evidence against Oracle is overwhelming. Specifically: When you use Java's automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner. With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naive enough to trust Java's "recommendation," you end up with unwanted software on your PC. IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions. The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results. Some of the sleazy practices include running the foistware installer in the background for 10 minutes, so that no entry appears in "Programs and Features" (a.k.a. "Add or Remove Programs" in Windows XP) for 10 minutes after installing Java. Ben Edelman gives a full analysis in his article "IAC Toolbars and Traffic Arbitrage in 2013".
James_A (posted January 29, 2013): And now the new Java update 11 is busted too... Quoting greenknight: "... at least they raised the default security level to "high". Now the user is always prompted before unsigned applets are allowed to run. Might help a little..." Not any more, because a new exploit announced this week completely bypasses the settings in the Java Control Panel. Malicious Java code can be made to run, without the user being prompted, even if the security setting has been set to the top level of Very High. Java is best completely UNinstalled on Windows. Keeping it on the system, but disabling its use in Internet Explorer is just too complicated to be practical, requiring not only a massive Registry edit to disable BOTH methods of allowing it to run, but actually removing specific files from the Java directory as well.
greenknight (posted January 30, 2013): Quoting James_A: "Java is best completely UNinstalled on Windows. Keeping it on the system, but disabling its use in Internet Explorer is just too complicated to be practical, requiring not only a massive Registry edit to disable BOTH methods of allowing it to run, but actually removing specific files from the Java directory as well." However, in Firefox, Chrome, or Opera, disabling Java is simple. If you absolutely must keep Java around for some off-line app or something, I would suggest you don't use Internet Explorer at all, or any browser based on IE. To avoid the foistware (you really don't want the Ask toolbar, it can be hard to get rid of), you should disable the Java auto-updater. I use HijackThis! to remove it; it's called jusched.exe, and that makes sure it's disabled. Then, you have to be very careful when manually updating Java: make sure you uncheck all the options to install extra software. Uninstalling Java is the best plan, though.
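For the "must keep Java for an off-line app" case discussed in the two posts above, there is a browser-independent switch that does not depend on per-browser plugin settings or on the Control Panel security slider the exploit bypasses. This is an added configuration example, not something posted in the thread; it assumes a Java 7 update 10 or later JRE (which introduced the "Enable Java content in the browser" option and the deployment.webjava.enabled key) on Windows, and the system-wide deployment.config path shown is the default location, which should be confirmed against the installed JRE's documentation. The `.locked` entries stop a user from re-enabling the plugin from the Java Control Panel.

```properties
# --- %WINDIR%\Sun\Java\Deployment\deployment.config ---
# Points every user's JRE at one mandatory system-wide properties file.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# --- C:\Windows\Sun\Java\Deployment\deployment.properties ---
# Turn the browser plug-in off entirely; the JRE stays usable for local apps.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# Belt and braces for anyone who re-enables the plug-in: keep the slider at
# the strictest level and lock it. Note the posts above: the slider alone was
# bypassed by the January 2013 exploit, so it is not a substitute for the
# webjava switch.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

After writing both files, open the Java Control Panel and confirm the "Enable Java content in the browser" box is unchecked and greyed out; if it is still editable, the config file was not picked up (wrong path or a JRE older than 7u10). Verify from a browser with a non-malicious applet test page rather than trusting the checkbox alone.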
Tarun (Administrator, posted January 30, 2013): I never run with Java installed here, either. Though I will say, it's sad that you need it for Minecraft.
Eldmannen (posted January 30, 2013): Quoting Tarun: "I never run with Java installed here, either. Though I will say, it's sad that you need it for Minecraft." It would be pretty cool if they could automatically port it to C# / .NET. The guys at Ximian developed a tool that automatically converted Android from Java to C# / .NET, pretty cool. Source to source translation.
Eldmannen (posted January 30, 2013): New versions of Firefox will use click-to-play on all versions of Java. So Java will not be automatically run in the browser; it will explicitly require the user's consent.
greenknight (posted February 1, 2013): Quoting Eldmannen: "New versions of Firefox will use click-to-play on all versions of Java. So Java will not be automatically run in the browser; it will explicitly require the user's consent." Ah, yes; that will definitely reduce your exposure to exploits, since the browser won't be running every random Java applet it encounters. From reports I've read, it appears that these exploit kits insert malicious applets into websites; those would be blocked. Not sure if pre-existing Java content is safe or not, however. I've long used the NoScript extension, which provides configurable click-to-play functionality for plugins already; and there's another extension that does nothing but provide click-to-play. Now every Firefox user will get this functionality without needing any extension. Mozilla should be applauded.
James_A (posted February 3, 2013): Oracle have released a Java update, update 13, ahead of schedule which is listed as having 50 (fifty) security fixes. I counted 39 security fixes in the JRE alone in Oracle's list. If you absolutely must have Java, then update to Java 7 update 13 as soon as possible. Make sure you are not installing deceptive stuff like the Ask toolbar as well, by UNchecking the option during the Java install.
Tarun (Administrator, posted February 3, 2013): Best way to update your Java to be more secure...
1. Control Panel
2. Programs and Features
3. Select Java
4. Uninstall
5. Done
Now you never have to worry about any more Java exploits, which are sadly so common now.
James_A (posted February 5, 2013): I like your Special instructions for those who prefer PowerPoint bullet points with everything.
Tarun (Administrator, posted February 5, 2013): Seen on reddit:
James_A (posted February 26, 2013): Well, they had better update that notice. Two new Java exploits were announced yesterday (25th February). In the meantime, Twitter, Apple, Microsoft and Facebook have all been attacked, using Java exploits, after the iPhone developer forums were compromised.
Tarun (Administrator, posted February 26, 2013): Sure is nice not having Java installed.
greenknight (posted February 27, 2013): Quoting James_A: "Two new Java exploits were announced yesterday (25th February)." These new holes affect Update 15, which is what they're up to now... Oracle keeps patching, but the exploits just keep popping up.
James_A (posted February 27, 2013): Oracle uses odd-numbered updates for security fixes, which is why the last three updates have been 11, 13 & 15. When update 15 was released on Feb 19th, Oracle scheduled the next update for April 16th. They might have to reschedule that.
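The posts above (update to 7u13 as soon as possible; the new holes affect 7u15) boil down to a question an administrator has to answer at scale: which hosts run a JRE below the update level you currently accept. Java 6/7 version strings ("1.7.0_15", or the `java version "1.7.0_15"` line that `java -version` prints, sometimes with a `-bNN` build suffix) do not sort as plain strings, so here is a small parser and comparison. This is an added example, not code from the thread; the baseline update numbers and the host inventory are constructed sample input chosen from versions named in this thread, not an authoritative patch list, and the caller is expected to supply whatever the current release is.

```python
import re
from dataclasses import dataclass

# Matches "1.7.0_15", "1.6.0_41-b02" and the first line of `java -version`
# output, e.g.  java version "1.7.0_15"
_JAVA_VERSION_RE = re.compile(
    r'(?:java version\s+")?1\.(?P<family>\d+)\.(?P<minor>\d+)'
    r'(?:_(?P<update>\d+))?(?:-b(?P<build>\d+))?'
)


@dataclass(frozen=True, order=True)
class JavaVersion:
    """Java 6/7 style version: family (6, 7), update number, optional build."""
    family: int
    update: int
    build: int = 0

    @classmethod
    def parse(cls, text: str) -> "JavaVersion":
        m = _JAVA_VERSION_RE.search(text)
        if not m:
            raise ValueError(f"not a Java 6/7 style version string: {text!r}")
        return cls(
            family=int(m.group("family")),
            update=int(m.group("update") or 0),   # "1.7.0" with no _N is update 0
            build=int(m.group("build") or 0),
        )

    def __str__(self) -> str:
        return f"Java {self.family} update {self.update}"


# Constructed example baseline: the newest update per family the site has
# approved. 7u17 and 6u41 are taken from this thread purely as sample values;
# replace them with whatever Oracle's current release is.
EXAMPLE_BASELINE = {7: JavaVersion(7, 17), 6: JavaVersion(6, 41)}


def assess(version_text: str, baseline=EXAMPLE_BASELINE) -> dict:
    """Classify one version string against the per-family baseline.

    order=True on the dataclass makes >= compare (family, update, build),
    so a 7u17-b02 host counts as current against a 7u17 baseline.
    """
    v = JavaVersion.parse(version_text)
    wanted = baseline.get(v.family)
    if wanted is None:
        return {"version": str(v), "status": "unsupported-family"}
    status = "current" if v >= wanted else "outdated"
    return {"version": str(v), "status": status, "baseline": str(wanted)}


# Constructed sample inventory: hostname -> first line of `java -version`.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_11"',
    "ws-02": 'java version "1.7.0_17-b02"',
    "ws-03": 'java version "1.6.0_41"',
    "ws-04": 'java version "1.7.0_15"',
}


def outdated_hosts(inventory, baseline=EXAMPLE_BASELINE) -> list:
    """Return the sorted hostnames whose JRE is below the baseline."""
    return sorted(
        host for host, text in inventory.items()
        if assess(text, baseline)["status"] == "outdated"
    )


if __name__ == "__main__":
    for host in outdated_hosts(SAMPLE_INVENTORY):
        print(host, assess(SAMPLE_INVENTORY[host]))
```

Note that "current against the baseline" only means "not older than the newest release"; as the thread goes on to record, the newest release itself was repeatedly found exploitable within days, so this check tells you who to update, not who is safe.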
James_A (posted March 1, 2013): It's YAJ0* time! Yes, it's Yet Another Java 0-day exploit; this one is out in the wild and being exploited against Java 7 update 15 and Java 6 update 41. Time to update the "It has been [ ] days since the last new Java exploit" notice. Time to remove Java from all your computers, too. * the YAJ0 acronym was coined by FireEye to report this new exploit on their blog
greenknight (posted March 2, 2013): James, you beat me to it! Anyway, here's a link to the FireEye report: http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
Eldmannen (posted March 5, 2013): To their credit Oracle is actually patching the security vulnerabilities now. Their previous modus operandi was to just ignore the security vulnerabilities for another six months until their next bi-annual Java update release.
James_A (posted March 7, 2013): Well, the situation is now so bad that there is a live website which tracks how long it has been since the last Java exploit: http://java-0day.com/
James_A (posted March 8, 2013): Another new exploit for Java yesterday, at the Pwn2Own contest in Vancouver, so it's back to 1 per day still being discovered/announced.
greenknight (posted March 8, 2013): Quoting James_A: "Another new exploit for Java yesterday, at the Pwn2Own contest in Vancouver, so it's back to 1 per day still being discovered/announced." Which means that Update 17 is also vulnerable (you were correct that they might have to move up their scheduled next update, but that was an easy call to make).
James_A (posted March 8, 2013): Apparently I spoke too soon. Because Java was PWNED not just once but three times, yesterday. All three exploits were in the afternoon, the first at 1:30pm, the second at 2:30pm and the third at 5:31pm. And Java has been successfully PWNED again (for the 4th time) today, at 2pm. Oracle must be feeling pretty bruised by now, as they've already fixed over 60 vulnerabilities so far this year and the above 4 aren't the only new ones still outstanding.