Java: A Gift to Exploit Pack Makers

From http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/:

 

I can confirm the proliferation of Java exploits in the Exploit kits used on many malware sites.

The BLADE-Defender database of malware URLS contains many that serve up exploits from a kit. Here is one:

​

As with PDF and FLASH exploits, the Plug-ins are being targeted, not the browser, so all browsers would seem to be potentially vulnerable to being used to trigger Java exploits.

----
rich

 

Good advice, as nearly everybody i know, including me, have no use for it

Most people wouldn't even know what it is, or if they do need it, or how to get rid of it, or what the dangers are

You would think i BIG company like SUN would have got their act together on java insecurities by now, but nope Same goes for Adobe, but at least they are supposedly going to sandbox it in a future release. Having said that, isn't java "supposed" to sandboxed ? if it is it's not working very well

 

Oracle's problem now.

 

Microsoft reports 'unprecedented wave' of Java malware exploits

 

I haven't installed Java, and infact, I've been removing Java from machines for little over a year now.

 

I tried to install Java Se 6 without browser plug-ins using command line options. Doesn't work for the following reason:

Source: http://www.oracle.com/technetwork/java/javase/silent-136552.html

 

Doesn't disabling the plug-in in the browser remove it from being exploited remotely?

----
rich

 

You're lucky. I have some sites that absolutely require Java

Even Open Office requires Java if one wants to run even the most elementary Calc macro. I hope the Libre Office chaps will find a way to exclude any dependence on Java. (They do have some motivation )

 

Wouldn't disabling Java globally in the browser, and enabling per site, remove the remote code execution possibility from malicious sites?

----
rich

 

It does, but my point is that instead of being able to choose if I want to prevent these plug-ins from being installed it's now mandatory.

 

Saw this today and just decided to give up and remove Java from all of my machines.The only thing I have seen try to use it in forever was an online security test that was using it to try to steal my internal IP address.

 

I understand.

thanks,

rich

 

I've been Java-free for nearly 2 years now but pretty recently, I had to install it since I needed to access my National Service site, no other choices. However, once done, I've disabled the plug-ins from the browser since I don't need them in my day-to-day browsing. And I've kept the installed version up-to-date. I can see why it's a necessity for others though so removing it entirely isn't entirely a choice for them - let's be fair guys

 

Also, Java automatically checks for updates. The user doesn't have to manually check and happen to forget about it.

 

That is easily turned off. Those, without major memory problems, who monitor sites such as Wilders don't need to keep the Java updater on auto.

 

Yes, I'm aware of that. I was only commenting about one part of the quote in the first post

How will it fail to keep up with updates, if it automatically checks for updates?

You also have Secunia PSI which will verify it (not only Java, of course).