Java: A Gift to Exploit Pack Makers

Discussion in 'other security issues & news' started by MrBrian, Oct 13, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/:
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I can confirm the proliferation of Java exploits in the Exploit kits used on many malware sites.

    The BLADE-Defender database of malware URLs contains many that serve up exploits from a kit. Here is one:

    [image: mbr.gif]

    As with PDF and FLASH exploits, the Plug-ins are being targeted, not the browser, so all browsers would seem to be potentially vulnerable to being used to trigger Java exploits.

    ----
    rich
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Good advice, as nearly everybody I know, including me, has no use for it :thumbd:

    Most people wouldn't even know what it is, or if they do need it, or how to get rid of it, or what the dangers are :(

    You would think a BIG company like SUN would have got their act together on Java insecurities by now, but nope :( Same goes for Adobe, but at least they are supposedly going to sandbox it in a future release. Having said that, isn't Java "supposed" to be sandboxed? If it is, it's not working very well :D
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,046
    Location:
    USA
    Oracle's problem now. :ouch:
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    I haven't installed Java, and in fact, I've been removing Java from machines for a little over a year now.
     
  7. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    I tried to install Java SE 6 without browser plug-ins using command line options. It doesn't work, for the following reason:
    Source: http://www.oracle.com/technetwork/java/javase/silent-136552.html
     
    Last edited: Oct 19, 2010
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Doesn't disabling the plug-in in the browser remove it from being exploited remotely?

    ----
    rich
     
  9. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    You're lucky. I have some sites that absolutely require Java :eek:

    Even Open Office requires Java if one wants to run even the most elementary Calc macro. I hope the Libre Office chaps will find a way to exclude any dependence on Java. (They do have some motivation ;) )
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Wouldn't disabling Java globally in the browser, and enabling per site, remove the remote code execution possibility from malicious sites?

    ----
    rich
     
  11. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    It does, but my point is that instead of being able to choose if I want to prevent these plug-ins from being installed it's now mandatory.
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,046
    Location:
    USA
    Saw this today and just decided to give up and remove Java from all of my machines. The only thing I have seen try to use it in forever was an online security test that was using it to try to steal my internal IP address.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I understand.

    thanks,

    rich
     
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I've been Java-free for nearly 2 years now, but pretty recently I had to install it since I needed to access my National Service site, no other choices. However, once done, I've disabled the plug-ins in the browser since I don't need them in my day-to-day browsing. And I've kept the installed version up-to-date. I can see why it's a necessity for others though, so removing it entirely isn't really a choice for them - let's be fair, guys ;)
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Also, Java automatically checks for updates. The user doesn't have to manually check and happen to forget about it.
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    That is easily turned off. Those without major memory problems who monitor sites such as Wilders don't need to keep the Java updater on auto.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I'm aware of that. I was only commenting about one part of the quote in the first post.

    How will it fail to keep up with updates, if it automatically checks for updates?

    You also have Secunia PSI which will verify it (not only Java, of course).
     