Discussion in 'malware problems & news' started by siljaline, Aug 27, 2012.
Warning on critical Java hole:
Glad I have no Java on Windows or OS X and I removed Adobe Reader from both OS.
I find no compelling reason to run Java either.
Is that your blog?
That Blog would belong to an old friend from the security community: Corrine
Linux users can sandbox Java easily.
Java may run in the Chrome sandbox as well. It's unclear but the process is a chrome process with the java*.so as a parameter, the same way Flash is.
I like it, it's a nice blog IMO.
From the article:
Some organizations don't find it convenient to disable JAVA. Fortunately, such organizations which give their System Administrator the leeway to lock down systems so that non-whitelisted executables can not run/install, are protected by a variety of solutions available against exploits that deliver a binary executable payload.
From the article:
Can anybody confirm if v6 is also affected?
Attackers Pounce on Zero-Day Java Exploit
"Does not appear" isn't a very confident answer. I would want to see actual test results, or at least other confirmations, before concluding that v.6 is immune.
Once in an Exploit Kit, you can be sure that it will circulate widely very soon!
Cited: here, there is not a lot of confidence in these findings, either.
Oh well, I run Java for the few sites I need it for with utmost confidence for the same reasons Rmus cites.
Right on! Just so everyone is on the same page, I have nothing to contend with that Rmus has lined out. What needs clarification is what builds of Oracle's Sun Java are currently affected. More as I know more or as anyone with solid information could add to this thread.
Thank you for the information, siljaline. It is, however, unfortunate that Java requires constant "assistance" from security measures that, although easily implemented, are not necessarily well known or mainstream for most typical home PC users.
Java 0day found in the wild
Secunia Advisory 50133
Merged Threads to Continue Same Topic.
I wonder if EMET is of use in this one. Can any of the experts comment?
Just in case I have disabled Java in my Browsers, and indeed it's just surprising how (not) that many websites are using Java.
EMET will almost certainly not do anything to stop this. For whatever reason in Java 7.0 something that should have been protected was made unprotected allowing for unprivileged code to essentially set its own privilege. EMET doesn't really play into this.
Rather than seeing some security experts suggesting to remove/disable Java from every system (and, for certain, many have it because it's needed), maybe they should just explain to users, in general, how to allow it to specific websites?
If you allow it to specific websites, then what do you have to worry about? The boogy man?
Yes, it's worrying that Oracle doesn't do crap to minimize the risk of security vulnerabilities, but it's not the same as saying anyone using Java is doomed.
This thread discusses software that is currently Zero-day, m00nbl00d.
The intention is not how anyone can get in pecking order to suggest ways of being exploited while your system is vulnerable assuming you run Oracle Java.
We wait for a patch from Oracle.
Reuters article about the exploit says to immediately disable Java:
There's a link at the bottom of the article to Rapid7 site to see if Java is exploitable on your computer:
Java on my Sandboxied Chrome wasn't recognized as exploitable there, even though
Java - Version: 10.5.1.255
NPRuntime Script Plug-in Library for Java(TM) Deploy
Name: Java Deployment Toolkit 184.108.40.206
is listed in my Chrome plugins.
Out of interest, rather than panic, would Sandboxie with Drop Rights 'on' stop the exploit should I happen to land on a compromised page?
The article link shows me that my Java (IE9) is indeed exploitable...
Yeah... the boogy man... What's news? Tell me, when was the last time a zero day against Java didn't exist? Precisely.
Every time I hear something about a new zero day, etc., I always see a few people advising people to remove Java. Guess what? Maybe many of the people running Java actually need it? So, the solution is not to remove it, but actually to allow the plugin to be accessible by whitelisted domains.
So, if I whitelist Java plugin to the IRS website domain only, then what the heck would I care about some zero-day? How would it (the zero-day) hurt anyone, if these people knew they can isolate the plugin?
Maybe if people security firms (who also have blogs), security experts, etc., mentioned these little details, there would be no reason to overhype these Java/Flash zero-days.
I have done that to many systems. So what if there's a new zero-day tomorrow and the day after? Because, guess what? There will be many more zero-days against Java... and people will still need to use it then. So, maybe instead of saying to disable/remove... maybe just whitelist the access to the one or two websites that actually need it.
That's all I'm saying.
But, I also mentioned that I'd like to see Oracle more proactive about these bugs.
Whitelisting Java to specific websites would stop it, too. Sandboxie would, at least, contain the exploit to the sandboxed area, thus not letting it affect the real file system.
Internet Explorer 9 has ActiveX filtering. I think that if it's enabled, then it should allow you to whitelist the Java plugin on a per-site basis. Maybe someone using IE9 can say a word about it.