CSIS study lists the major programs and vulnerabilities targeted by web exploit kits

Discussion in 'other security issues & news' started by MrBrian, Oct 4, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Such a pain... Java patches once in a blue moon and otherwise does nothing to be more secure...

    And built-in Windows security isn't enough to secure it.

    I'm hoping the new file system allows for better permissions.
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I've removed Java completely just now. I have serious doubts I'll need it anymore, but we'll see. I just moved to Flash 11 too (32 bit Firefox).
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    At hxxp://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html there is a spreadsheet that shows a list of approximately 100 vulnerabilities, and which exploit kits attempt to exploit each vulnerability.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Brave man!! Let's just hope you won't come across a website, that you may end up liking, using it. :D
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    If the statistics in that report are anything to go by, it seems a lot don't keep their software updated. Why is it so hard for some people to do this?
     
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    It's not just some websites that use Java though; if I'm not mistaken, don't applications like LibreOffice use Java? If you remove Java and want to use programs like LO, you can't. Or can you?
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, some applications do require Java. I knew that OpenOffice requires it, for something (Not sure what exactly), and it makes sense that LibreOffice also needs it, considering it's a fork. If uninstalling Java will break it, I got no idea, because I use Office.

    There are other applications that also need it, like download managers that handle RapidShare and similar services.

    In the end, it all comes down to one question: Am I using or accessing anything that requires Java?

    Then, you can work from there.

    I also don't think one needs to be drastic to the point of uninstalling it, if one has it installed. If you don't access any website needing Java, but do have an application that requires it, then for sure it's an application "you" wanted in the first place, so just disable Java's plugin in the browser. No plugin, no exploit, right?

    And, nowadays, depending on the browser, you can enable plugins per-site. So, just enable it for the website that needs it.
     
  8. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    LibreOffice I believe uses it only for macros. I think they have been working towards not needing Java at all, but I don't know how long that will be. I've got a family member wanting to learn how to use Office and its clones though, and I'm not paying the high cost of Office. So, I guess Java will be back on my system soon..just when I had uninstalled the damn thing :rolleyes: :thumbd:

    Opera already doesn't load plugins until needed, btw.
     
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I've uninstalled Java too. I still use MS Works to this day as I didn't want to pay the high cost of MS Office either. MS Works suits my needs for day-to-day wordprocessing, spreadsheets and databases.
     
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Got a student friend? I got like, 80% off Office 2010 Professional Plus, installed the 64bit version. :thumb:
     
  11. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    LibreOffice/OpenOffice is meant to run without Java since it's only supposedly needed for 'Base' desktop database, but you'd have to try it yourself. Some have complained that it still asks for Java to be present.

    I've not had Java for a long time, and really haven't missed it. I never used it except with Open Office a long time ago. If I needed it, I'd just put it in a Sandbox with a unique browser.
     
  12. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    It's interesting that you view uninstalling Java as a drastic measure :) It shows how I think most people view it - concerned that removing it would break something important.

    It becomes clear pretty quickly if something needs Java once it's uninstalled - in which case reinstalling it is very simple. Other than Minecraft or LibreOffice, there's not much I can think of personally that doesn't have a better, non-Java alternative or isn't in itself unnecessary. You could argue I suppose that Minecraft is unnecessary, but try telling that to the people who spend all their free time playing it!

    You're correct though that disabling the plugin in the browser works too - although Hungry Man disagrees ;)
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't consider removing Java a drastic measure. If the user has it installed, without actually needing it, then it's doing nothing and it should be uninstalled. Why waste space, right? :D

    But, if the user has Java installed because it's needed by an application/website that the user must use (I don't mean games. ;)), then why go to the point of uninstalling Java? It makes no sense.

    I previously mentioned that the user must answer this question - Am I using or accessing anything that requires Java?

    Depending on the answer, uninstall or keep Java.

    As an example, both the IRS application and website require Java. Now, Java is something that is needed, because... well... they made it that way. :D

    I won't go paranoid over it and uninstall Java. I have different browser profiles, and only one of them is allowed to run Java, and this profile is only allowed to connect to the IRS servers.

    If I only needed Java for the IRS application, well I would disable Java from all browser profiles.

    I just don't think one should rush and uninstall it. The same applies to Flash. I remember a security researcher advising people to uninstall Flash Player... In your dreams good sir! I happen to enjoy watching some Youtube videos!! :argh:
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I sure do!
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I don't completely understand how Java is exploited. I have it disabled in IE8 which I use for testing:

    [Image: java-IE1.gif]

    And it's confirmed as being disabled, using a Java tester page:

    [Image: java-ie2.gif]

    However, one of the Java exploits in the Blackhole Exploit kit does attempt to run the code and download an executable:

    [Image: ie8_java1.jpg]

    I recall some years ago where someone explained that the exploit code searches for installed java components, such as the Development Toolkit and its associated DLLs. Note this from the CSIS list:

    CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll

    That one is for IE's Java, but similar exploits may target other systems.

    It seems that protective measures other than just disabling Java per site are necessary to have complete confidence in feeling safe.

    regards,

    -rich
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe you got hit by this. See http://www.kb.cert.org/vuls/id/886582 also.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Nice articles.

    This makes sense; note the program in my firewall alert, javaws.exe. This old exploit works because I don't keep IE and its plugins patched, so I can test.

    This confirms what I thought, but wasn't sure: the exploit would work on Opera (assuming not patched) because Opera uses the NPAPI plugins. I don't have JAVA installed for Opera, so I can't check.

    As far as identifying specifically the exploit, this is very difficult for most people (like myself) since the attackers use the Exploit Kits. This means that unlike in years past where it was easy to see the exploit code because it was embedded in the web page itself, now, you can't get much from the web page code because everything takes place at the attacker's server. Once connected to the server, the site analyzes the victim's browser, OS, and then serves up exploits accordingly from their Kit.

    Only by getting access to the kits, as the researchers have done, can the various exploits be specifically determined, as CSIS has done with their list.

    regards,

    -rich
     
    Last edited: Oct 8, 2011
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I found in my notes that disabling the JAVA plugin prevents JAVA applets from running.

    Thus it follows that this disabling wouldn't necessarily prevent access to the installed components via remote code, to exploit vulnerabilities in those components.

    regards,

    -rich
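
The point in the post above, that disabling the Java applet plugin does not by itself block an ActiveX control such as the one in deploytk.dll, can be checked on a machine by looking for the control's Internet Explorer "kill bit" (bit 0x400 of `Compatibility Flags` under the `ActiveX Compatibility` registry key). This is an added example, not part of the thread: the registry export is constructed and both CLSIDs are placeholders, so the real CLSID has to be taken from the vendor's advisory.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating a control

# Constructed sample of a `reg export` of the ActiveX Compatibility keys.
# Both CLSIDs are placeholders, not the identifiers of any real control.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000AA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000AA}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000BB}]
"Compatibility Flags"=dword:00800420

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000BB}]
"Compatibility Flags"=dword:00000400
"""

KEY_RE = re.compile(r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})$")
VALUE_RE = re.compile(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_compat_flags(reg_text):
    """Return {CLSID: {"native" | "32-bit": flags}} from .reg export text."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            match = KEY_RE.search(key)
            if match:
                # 32-bit IE on 64-bit Windows reads the Wow6432Node copy.
                view = "32-bit" if "\\wow6432node\\" in key.lower() else "native"
                current = (match.group(1).upper(), view)
                flags.setdefault(current[0], {})[view] = 0  # key present, value not seen yet
            else:
                current = None
        elif current:
            match = VALUE_RE.match(line)
            if match:
                flags[current[0]][current[1]] = int(match.group(1), 16)
    return flags

def killbit_status(reg_text, clsid):
    """Report, per registry view, whether the kill bit is set for one CLSID."""
    per_view = parse_compat_flags(reg_text).get(clsid.upper(), {})
    return {view: bool(per_view.get(view, 0) & KILL_BIT) for view in ("native", "32-bit")}
```

A result of `True` for one view and `False` for the other means the control is still loadable by the browser of the other bitness.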
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for reminding us that we also need to deal with the Java Deployment Toolkit. I have the plugin disabled in Firefox.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are welcome, MrBrian, and thanks for the articles, causing a nice revisit to these exploits.

    regards,

    -rich
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    "Only in Canada you say.... pity"


    I thought the same thing
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I thought that IE and Firefox disabled anything that was Java related? In normal mode, Chromium-based browsers (Chromium and Chrome, at least) disable both plugins (Java and JDT).

    Only when we switch to Developer mode do we get to enable or disable them individually.

    The Cnet article you pointed to, mentions this:

    I'm assuming they're only talking about Java and not the JDT plugin?
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For the latter question, yes.

    I'm not sure of the meaning of your first question. In Firefox there are two separate Java plugins. Mozilla did disable vulnerable versions of the Java Deployment Toolkit.
     