Critical 0-Day Java Bug "Massively Exploited"

I never notice it before?? And the source I quoted above even states it was added. Oh well... "shrugs".

 

*Sigh* well I'm sure having trouble finding malware on all those sites you've listed even going as far as disabling the script blocker in Chrome, then clicking on all kinds of stupid ads hoping for something interesting but, alas, nothing materializes, other than the occasional "are sure you want to leave this page... pop-ups and the firewall sometimes alerting Chrome attempting to connect to remote port 8080 ( what was that about application firewalls being useless? ), which I allow temporarily but nothing interesting again.

I know Hungry asserts if it's expected it won't happen, but then we would all only have to "expect" malware to happen then that's all we'd need to do to avoid it

 

From zdnet: Security experts on Java: Fixing zero-day exploit could take 'two years'

http://www.zdnet.com/security-exper...t-could-take-two-years-7000009756/?s_cid=e539

 

The sites are not compromised, these are just sites where ads have attacked recently. Ebaumsworld I got 2 0hour samples from yesterday but I let the site rotate ads for more than 48 hours. If you want an exploit that simply kicks on on page render you need to find a site that is itself compromised.

PM me if you want the last 2 samples I pulled from ebaumsworld, they are both still quite fresh.

 

Hello Bruce,

I've never gotten to such a site during normal surfing in all of my years on the 'Net! I usually have to find a site that someone else has discovered.

Another thing, as we discussed recently, the hosted sites with the Exploit Kits (the sites the victims are redirected to from a compromised page) are going down very quickly, due to two factors, which may be of interest to others:

1) web hosts are removing the sites quickly when notified

2) "fast flux" enables the cybercriminals to quickly change the IP addresses.

So, it's rare to find a site listed on some of the malware domain lists that is still active! This makes it more difficult for security people to analyze the code on their sites. You have to be quick on the draw to follow their activities these days!


regards,

-rich

 

Tell me about it

 

I'm guessing sandboxie with restrictions on running/internet privileges will be pretty good against this right?

 

If that's true, we can safely assume that Java is definitely "powned".

 

New Java Exploit Fetches $5,000 Per Buyer

Article

 

I heard Java 11 is out now. Should I update it to the 11? If I do that, do you think everything will be safe when enabled? Also, if I browse on sandboxed mode, will I be protected from this?

 

I see the new version updates the security from medium to high.

 

Java 11 is still vulnerable to an exploit being sold and distributed to exploit kits.

Yes, you should still update.

 

As long as the exploits can't override both Chrome's and Java's prompts and force an execution, then I won't worry too much. If they can do that, then maybe I should uninstall it...

 

It's Time to Banish Java from Your Computer
Instead of worrying about the security threat posed by Java, simply get rid of it. Chances are you won’t miss it. Here are steps you can take to kill Java from your PC.

• Article

 

Malware Poses as an update for Java 0-day fix...

• Article

 

I don't have Java installed on my system, so that takes care of that risk. Now, if I did have Java installed, EXE Radar Pro using Lockdown mode would take care of that no problem....at least I seem to think so.

 

Indeed, Java is just bad news. Time to ditch it folks.

Java - Just Another Vulnerability Announcement.

 

HaHa, I like that

 

I am inclined to agree, 2 years is a long time to wait for a bullet proof version.

 

You will never see a bullet proof version; of Java or anything else.

It's like any other software, If you don't need it, why installed it in the first place?

If you need it keep it. Just patch it, when they come out with them. I am not about to ditch it. It is quite useful to me and that is all that counts.

 

http://www.techhive.com/article/2025797/oracles-java-patch-contains-new-holes-researchers-warn.html

What is going on at this corporation? Are they inept, lazy or do they like the attention? I'm not going to pretend coding and patching is some easy peasy task, but come on. Honestly for those of you that say you have to have it for banking or some other reason outside of your workplace forces it, find an alternative bank or another service.

 

A technical analysis of a new Java vulnerability (CVE-2013-0422)
http://blogs.technet.com/b/mmpc/arc...f-a-new-java-vulnerability-cve-2013-0422.aspx

 

I am having a bit of trouble finding the java program to check if auto update is on for soofly's computer. Is there an update button there or do we have to uninstall the old one and install the new one?

 

You can just install the new one, and it will uninstall the old one automatically.