Java’s latest security problems: New flaw identified, old one attacked

at this rate they should uncover and fix them all soon

 

Java has security problems? I don't believe it.

 

It'll be taken care of in a Flash...oh wait, that will be for another thread..

 

Also spotted:
New Java 7 security flaws emerge as old one lands in crime kits
http://www.cso.com.au/article/454780/new_java_7_security_flaws_emerge_old_one_lands_crime_kits/

Researcher unearths two new Java zero-day bugs
http://www.csoonline.com/article/729398/researcher-unearths-two-new-java-zero-day-bugs

 

Correct me if I'm wrong, but once again it needs your permission. Why do all these sites advise you to disable or uninstall Java when you need to run the malware yourself to compromise the system?

 

Java doesn't require your permission to be exploited.

http://www.welivesecurity.com/2013/01/11/more-on-that-java-vulnerability/

 

So they bypasses click to play and UAC as well?

 

From an older thread: Java tops 2012 list for most dangerous software flaws -

https://www.wilderssecurity.com/showthread.php?t=341127

Also see: Criticism's of Java

 

The screenshot showing the launching of Windows calculator is on Windows XP.

 

Two More Java Zero Days Found by Polish Research Team:

http://threatpost.com/en_us/blogs/two-more-java-zero-days-found-polish-research-team-022513

 

Zero-Day Flaws in Java Re-Emerge; No Exploitation in the Wild Yet:

http://www.hotforsecurity.com/blog/...rge-no-exploitation-in-the-wild-yet-5488.html

 

They don't need your permission, as someone else pointed out. In fact if you have multiple versions of Java installed but you only use 7, there are exploits that can call the older ones.

The reasons everyone is calling for users to disable Java:
1. because there are numerous Java exploits actively being used right now and millions of people running Java == lots of owned boxes.
2. because Oracle failed to properly and timely respond to serious security issues for far too long. Previously they took months to address vulnerabilities, and sometimes never addressed them at all. They did pull their collective heads out of their butts recently and have been releasing tons of out-of-band updates, but they have not addressed the fundamental underlying problem (see #4).
3. Java is an extremely popular target for malware authors because it runs on all platforms.
4. The Java language is hopelessly broken. There are flaws within the language that will continue to be exploited until very basic changes are made to the way it functions. (source = http://www.security-explorations.com/materials/se-2012-01-report.pdf)

 

I'll be a lot more impressed with this 0 day if it can be demonstrated to work on a properly configured Windows 7 machine, especially one utilizing an anti-executable, launching a non-whitelisted file. Heck, even on an XP machine using an anti-executable or SRP.

 

It can be mitigated with other controls, sure. But the vast majority of users are not using those controls, therefore the best advice is to remove Java.

And at this point, I would say that the onus is on you: YOU need to demonstrate that the various Java exploits known to be in the wild currently DON'T work on a properly configured machine.

 

I was about to say... I'd like to see it on a properly configured XP machine too. What happens in that screenshot never happens on my box.

Of course... to me a properly configured machine is one without Java in the first place.

 

Probably dead in its tracks with other controls, but of course I'd need to see it happen first.

Well, I'm not so sure I agree, but fwiw I've tried hard through legal means

 

Oracle should just send their latest version to them for testing before releasing it as an update... would avoid much hassle, misery, and embarrassment.


----
rich

 

I suppose we all have our own ideas as to what constitutes a properly configured machine!

Regarding Java, properly configured for me would be white listing the plug-in per site , so that upon encountering a redirection exploit, the code on the redirected web site would not run:



Properly configured for me would be a firewall to catch those exploits that use the application to connect out to the internet for the malware -- just in case:



Properly configured would include something to block the payload -- just in case:



All above on WinXP SP3, properly configured (as I see it, anyway).


----
rich

 

Another Java zero-day exploit in the wild actively attacking targets

Article | Also: http://www.zdnet.com/oracle-investigating-after-two-more-java-7-zero-day-flaws-found-7000011965/

 

It's just not going to stop. Hence the advice is to ditch Java and pressure any vendors requiring it to use something else.

 

Emergency Java Security Patch – Update Now!:

http://www.hotforsecurity.com/blog/emergency-java-security-patch-update-now-5591.html