+Warwagon MVC Posted September 29, 2012

Flaw Found In The Last 8 Years Of Java

Have you disabled or removed Java yet?

In what's becoming a bit of a broken record of a story, researchers have found yet another flaw in Java which allows hackers to completely bypass security measures built in to the software. What's worse, this new flaw affects the last 8 years' worth of Oracle's Java software, versions 5 through 7, placing more than one billion users in danger of an attack.

When these exploits were first pointed out, several security experts began to suggest disabling the software until a patch was shipped. Now, several of these experts are simply suggesting removing the software altogether.

In an interview yesterday with Computer World's Darlene Storm, Security Explorations' CEO Adam Gowdiak confirmed this new critical zero-day exploit. "This is a completely new issue," said Gowdiak. "It has however bigger impact than any previous issue we found as part of our Java security research project as it affects Java 5, 6 and 7. Most of our previous findings were primarily affecting Java version 7."

Gowdiak and his team at Security Explorations also said they were able to take advantage of this exploit on a fully patched, 32-bit Windows 7 machine in Chrome, Firefox, Internet Explorer, Opera and Safari. It's not just these 32-bit Windows 7 machines which are vulnerable, says Gowdiak, as any computer running Java 5, 6 or 7 is vulnerable to this exploit; Yes, even Macs.

Gowdiak's Security Explorations has developed quite the knack for finding these kinds of Java exploits. So far, Gowdiak and team have discovered a whopping 50 Java flaws. Though they haven't yet seen this exploit being used out in the wild, they did point out that it took Oracle 4 months to roll out a fix for their most recent zero-day exploit vulnerability.

Gowdiak and team alerted Java in April to the vulnerabilities in the software which left computers open to be controlled and manipulated by malware. In August, security researchers at FireEye found that these exploits were being used to install the PoisonIvy Backdoor trojan before being integrated into the BlackHole exploit kit, making it widely available on the Internet.

Gowdiak has said he's alerted Oracle to this new flaw, as well as the "source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7."

redOrbit (http://s.tt/1oqTg)
http://www.redorbit.com/news/technology/1112701598/java-flaws-keep-on-coming-092612/

Boo Berry Posted September 29, 2012

Haven't had Java installed for years now, good riddance!

TPreston Posted September 29, 2012

The only reason I keep it around is because Cisco insists on using it for their tools. There's a word for that... Idiocy

Obi-Wan Kenobi Posted September 29, 2012

Haven't installed it on my laptop since my last format, and to be honest, haven't needed it for anything. :/

Brandon H Supervisor Posted September 29, 2012

the only reason i have it installed is for minecraft, i don't use it for anything else and i have the java applet disabled in my web browsers

Mulrian Posted September 29, 2012

Not that easy to remove when you use it everyday at work...

SharpGreen Posted September 29, 2012

Yea I can't get rid of it as I do enjoy playing minecraft and writing Android apps.

vcfan Posted September 29, 2012

****in java needs to die. worst thing to happen to computing.

DrJohnSmitherson Posted September 29, 2012

My software is made with Java! PLEASE DONT HATE JAVA!

Denis W. Veteran Posted September 29, 2012

'tis too bad, the language itself isn't that bad. But when most of your daily tools at work are built on Eclipse you can't drop Java just yet :p

.Neo Posted September 29, 2012

Discovering just now Java is far from perfect definitely rocked my world.

Dot Matrix Posted September 29, 2012

> My software is made with Java! PLEASE DONT HATE JAVA!

It's kinda hard not to. It's slow, riddled with bugs and holes, and has nothing on newer tech. Java should have died a long time ago.

Glassed Silver Posted September 29, 2012

> My software is made with Java! PLEASE DONT HATE JAVA!

I feel for your userbase. (no offense) I need it, too. Minecraft, Adobe and a handful of other applications (less used though).

Glassed Silver:mac

Aethec Posted September 29, 2012

> My software is made with Java! PLEASE DONT HATE JAVA!

Use a better language :p

thealexweb Posted September 29, 2012

I would uninstall Java, but Minecraft is worth having it installed :)

Max Norris Posted September 29, 2012

Eh it's not all bad, use it off and on in server applications, portability is a major plus. Just don't let the thing within 500 yards of your browser and use the same common sense you would with regular applications.

HawkMan Posted September 29, 2012

> the only reason i have it installed is for minecraft, i don't use it for anything else and i have the java applet disabled in my web browsers

Java SSV disabled doesn't prevent java from working in browsers. It just makes your browsers and java faster...

Either way the whole security thing is a joke anyways. Linux, MacOS, Windows, they all have holes that have existed for years and years and even decades. They have existed for so long because no one found them. When someone finds the hole it gets patched and it's secure. Java is no worse than anything else. Everything has zero day exploits. Java is a popular target though because it is everywhere, and not just on Windows either, and is used for bankID/eID

Farchord Posted September 29, 2012

yeah I use it with hardware KVM switches which still require JVM....

paxa Posted September 29, 2012

me...personally i've removed it from my pc. it generates more problems than solutions.

Brandon H Supervisor Posted September 29, 2012

> Java SSV disabled doesn't prevent java from working in browsers. It just makes your browsers and java faster...

i have java disabled from within firefox, and i know it doesn't guarantee that i'm protected completely but it does lower the risk

testman Posted September 29, 2012

Removed it from all my Windows devices. However, had to install it again on XP because PS3 Media Server requires it, annoyingly.

HawkMan Posted September 29, 2012

> i have it disabled from within firefox, and i know it doesn't guarantee that i'm protected completely but it does lower the risk

What about the zero day flaws in Firefox that have been there since day one, or in any of the plugins and addons you run on it, or your mail client, or your OS or any other app you run. Java is no worse than anything else, it's just been targeted more lately and given more media exposure. Which means the holes are fixed faster. Meanwhile those zero day holes in Firefox may only be known to one or a handful of malicious hackers, they're not spreading malware wildly and are thus not detected and are far more dangerous than known java holes that any decent Security suite would block anyway (that means none of the free ones)

Hum Posted September 29, 2012

Can we sue Oracle/Sun for Java ? :laugh:

Asrokhel Posted September 29, 2012

How is this topic any different from: https://www.neowin.net/news/critical-java-exploit-found-puts-1-billion-computers-at-risk

Aethec Posted September 29, 2012

> What about the zero day flaws in Firefox that have been there since day one, or in any of the plugins and addons you run on it, or your mail client, or your OS or any other app you run. Java is no worse than anything else, it's just been targeted more lately and given more media exposure. Which means the holes are fixed faster. Meanwhile those zero day holes in Firefox may only be known to one or a handful of malicious hackers, they're not spreading malware wildly and are thus not detected and are far more dangerous than known java holes that any decent Security suite would block anyway (that means none of the free ones)

.NET is in the same category as Java (VMs that execute code and provide standard libraries), yet it's not nearly as flawed and handles updates much better - not just because they're delivered through WU, but also because it doesn't use the stupid versioning system Java has. Yes, Java is worse than other software in this regard.