Java’s latest security problems: New flaw identified, old one attacked

Discussion in 'other security issues & news' started by ronjor, Feb 25, 2013.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    http://arstechnica.com/security/201...roblems-new-flaw-identified-old-one-attacked/
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    at this rate they should uncover and fix them all soon ;)
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    Doesn't look good. :ouch:
     
  4. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Java has security problems? I don't believe it. ;)
     
  5. Cimmerian

    Cimmerian Registered Member

    Joined:
    Nov 29, 2010
    Posts:
    410
    Location:
    New Jersey
    It'll be taken care of in a Flash...oh wait, that will be for another thread..:D
     
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Correct me if I'm wrong, but once again it needs your permission. Why do all these sites advise you to disable or uninstall Java when you need to run the malware yourself to compromise the system?
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
I'm certainly not defending Java. Because it is used in so many applications, it is important for computer users to know there may be possible security problems.
    http://en.wikipedia.org/wiki/Java_(programming_language)
     
    Last edited: Feb 25, 2013
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  11. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    The screenshot showing the launching of Windows calculator is on Windows XP.
     
  13. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Two More Java Zero Days Found by Polish Research Team:
    http://threatpost.com/en_us/blogs/two-more-java-zero-days-found-polish-research-team-022513
     
  14. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  15. BrandiCandi

    BrandiCandi Guest

    They don't need your permission, as someone else pointed out. In fact if you have multiple versions of Java installed but you only use 7, there are exploits that can call the older ones.

    The reasons everyone is calling for users to disable Java:
    1. because there are numerous Java exploits actively being used right now and millions of people running Java == lots of owned boxes.
    2. because Oracle failed to properly and timely respond to serious security issues for far too long. Previously they took months to address vulnerabilities, and sometimes never addressed them at all. They did pull their collective heads out of their butts recently and have been releasing tons of out-of-band updates, but they have not addressed the fundamental underlying problem (see #4).
    3. Java is an extremely popular target for malware authors because it runs on all platforms.
    4. The Java language is hopelessly broken. There are flaws within the language that will continue to be exploited until very basic changes are made to the way it functions. (source = http://www.security-explorations.com/materials/se-2012-01-report.pdf)
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    I'll be a lot more impressed with this 0 day if it can be demonstrated to work on a properly configured Windows 7 machine, especially one utilizing an anti-executable, launching a non-whitelisted file. Heck, even on an XP machine using an anti-executable or SRP.
     
  17. BrandiCandi

    BrandiCandi Guest

    It can be mitigated with other controls, sure. But the vast majority of users are not using those controls, therefore the best advice is to remove Java.

    And at this point, I would say that the onus is on you: YOU need to demonstrate that the various Java exploits known to be in the wild currently DON'T work on a properly configured machine.
     
  18. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I was about to say... I'd like to see it on a properly configured XP machine too. What happens in that screenshot never happens on my box.

    Of course... to me a properly configured machine is one without Java in the first place.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Probably dead in its tracks with other controls, but of course I'd need to see it happen first.

    Well, I'm not so sure I agree, but fwiw I've tried hard through legal means ;)
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Oracle should just send their latest version to them for testing before releasing it as an update... would avoid much hassle, misery, and embarrassment.


    ----
    rich
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I suppose we all have our own ideas as to what constitutes a properly configured machine!

Regarding Java, properly configured for me would be whitelisting the plug-in per site, so that upon encountering a redirection exploit, the code on the redirected web site would not run:

    [image]

    Properly configured for me would be a firewall to catch those exploits that use the application to connect out to the internet for the malware -- just in case:

    [image]

    Properly configured would include something to block the payload -- just in case:

    [image: java_block.jpg]

    All above on WinXP SP3, properly configured (as I see it, anyway).


    ----
    rich
     
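Two of the points above lend themselves to a quick check on a Windows box: post 15's warning that an old JRE left installed next to the current one can still be reached, and post 21's outbound firewall rule for the Java executables. The script below is an added example, not code from any poster or from Oracle. It assumes PowerShell 2.0 or later, the registry keys Oracle's installer writes (`HKLM\SOFTWARE\JavaSoft\Java Runtime Environment`, plus the `Wow6432Node` copy for 32-bit JREs on 64-bit Windows), the per-user `deployment.properties` file of the Java Control Panel, and, for the optional `-BlockOutbound` step, an elevated shell on Windows Vista or later, since `netsh advfirewall` does not exist on XP.

```powershell
# Added example: audit installed JREs, check the Control Panel settings that
# disable the browser plug-in, and optionally block outbound traffic from
# every java.exe / javaw.exe found. Assumes Oracle's registry layout and
# (for -BlockOutbound) an elevated prompt on Vista or later.
param([switch]$BlockOutbound)

# Registry keys written by Oracle's installer. The Wow6432Node key holds
# 32-bit JREs on 64-bit Windows; both can be populated at once.
$keys = @(
    @{ Path = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment';             Arch = 'x64' },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'; Arch = 'x86' }
)

$installs = @()
foreach ($k in $keys) {
    if (-not (Test-Path $k.Path)) { continue }
    # Subkeys are version strings such as 1.6 and 1.6.0_41; each carries JavaHome.
    foreach ($sub in Get-ChildItem $k.Path -ErrorAction SilentlyContinue) {
        $jh = (Get-ItemProperty $sub.PSPath).JavaHome
        if ($jh) {
            $installs += New-Object PSObject -Property @{
                Version  = $sub.PSChildName
                Arch     = $k.Arch
                JavaHome = $jh
            }
        }
    }
}
# The major and full version subkeys point at the same directory; keep one row per JavaHome.
$installs = @($installs | Sort-Object JavaHome -Unique)

"Installed JREs: $($installs.Count)"
$installs | Format-Table Version, Arch, JavaHome -AutoSize
if ($installs.Count -gt 1) {
    Write-Warning 'More than one JRE is present; an old, unpatched version can still be targeted even if the browser uses the newest one.'
}

# Per-user Java Control Panel settings. LocalLow is the Vista+ location;
# on XP the file lives under "Application Data\Sun\Java\Deployment".
$candidates = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'),
    (Join-Path $env:APPDATA     'Sun\Java\Deployment\deployment.properties')
)
$webJava = 'not set (plug-in enabled by default)'
$level   = 'not set'
foreach ($f in $candidates) {
    if (-not (Test-Path $f)) { continue }
    foreach ($line in Get-Content $f) {
        if ($line -match '^deployment\.webjava\.enabled=(.*)$') { $webJava = $matches[1] }
        if ($line -match '^deployment\.security\.level=(.*)$')  { $level   = $matches[1] }
    }
    break
}
"deployment.webjava.enabled = $webJava"
"deployment.security.level  = $level"

# Optional: block outbound connections from each JRE's launchers, the
# "catch the download of the payload" layer described above.
if ($BlockOutbound) {
    foreach ($i in $installs) {
        foreach ($exe in 'java.exe', 'javaw.exe') {
            $path = Join-Path $i.JavaHome "bin\$exe"
            if (-not (Test-Path $path)) { continue }
            $name = "BlockJavaOut_$($i.Arch)_$($i.Version)_$exe"
            # Quoting the whole key=value token keeps netsh happy when the path has spaces.
            & netsh advfirewall firewall add rule "name=$name" dir=out action=block "program=$path" | Out-Null
            "Added outbound block rule for $path"
        }
    }
}
```

Run it without switches to see what is installed and whether `deployment.webjava.enabled=false` and `deployment.security.level=VERY_HIGH` are set; add `-BlockOutbound` from an elevated prompt to create the rules. The firewall rules only stop a dropper fetched by Java itself, so they complement, rather than replace, uninstalling the old versions the audit lists.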
  22. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Another Java zero-day exploit in the wild actively attacking targets
    Article | Also: http://www.zdnet.com/oracle-investigating-after-two-more-java-7-zero-day-flaws-found-7000011965/
     
  23. BrandiCandi

    BrandiCandi Guest

    It's just not going to stop. Hence the advice is to ditch Java and pressure any vendors requiring it to use something else.
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
  25. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469