Jump to content



Photo
java critical bug security

  • Please log in to reply
35 replies to this topic

#1 +Frank B.

Frank B.

    Member N° 1,302

  • 23,316 posts
  • Joined: 18-September 01
  • Location: Frankfurt, DE
  • OS: OS X 10.10
  • Phone: Sony Xperia Z2

Posted 11 January 2013 - 09:06

Critical Java zero-day bug is being “massively exploited in the wild” (Updated)
Your fully patched installation of Java isn't safe.


A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10—the most recent version—say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this.


Source: Ars Technica


#2 HoochieMamma

HoochieMamma

    Professional Hoochie™

  • 8,801 posts
  • Joined: 31-August 03
  • Location: Melbourne, AU
  • OS: Windows 7
  • Phone: Nexus 5

Posted 11 January 2013 - 09:31

Good ole NoScript and disabling Java Plugin in my browser (Y)

#3 +Matthew S.

Matthew S.

    What the what

  • 2,950 posts
  • Joined: 15-December 05
  • Location: Georgetown, ON
  • OS: Windows 8.1 / Mac OS X 10.9.x iOS 7
  • Phone: iPhone 4S

Posted 11 January 2013 - 09:36

Figures it's Java...

#4 HawkMan

HawkMan

    Neowinian Senior

  • 21,426 posts
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 11 January 2013 - 10:19

No sign of this "massively exploited" here in Norway where everyone has to have java. shrug.

#5 SkyDX

SkyDX

    Anime Computer Enthusiast^^

  • 1,766 posts
  • Joined: 22-March 09
  • Location: Europe^^

Posted 11 January 2013 - 13:01

Whoa wait wait is this exploit accessible only over Java or also over Javascript? I'm a newb when it comes to these things but I have Java disabled in Firefox so I guess I'm fine^^

#6 Dot Matrix

Dot Matrix

    Neowinian Senior

  • 10,427 posts
  • Joined: 14-November 11
  • Location: Upstate New York
  • OS: Windows 8.1
  • Phone: Nokia Lumia 920

Posted 11 January 2013 - 13:04

Friends don't let friends install Java.

#7 +d5aqoëp

d5aqoëp

    Banned

  • 2,980 posts
  • Joined: 07-October 07

Posted 11 January 2013 - 13:09

Whoa wait wait is this exploit accessible only over Java or also over Javascript? I'm a newb when it comes to these things but I have Java disabled in Firefox so I guess I'm fine^^


Java only.

JavaScript is different.

#8 thealexweb

thealexweb

    Neowinian Senior

  • 7,313 posts
  • Joined: 23-September 07
  • Location: United Kingdom

Posted 11 January 2013 - 13:11

Friends don't let friends install Java.


Everyone I know it seems has discovered Minecraft so Java is back again XD

#9 Max Norris

Max Norris

    Neowinian Senior

  • 4,438 posts
  • Joined: 20-February 11
  • OS: Windows, BSD & Arch, Occasionally OSX
  • Phone: HTC One (Home) Lumia 1020 (Work)

Posted 11 January 2013 - 13:12

Nothing wrong with Java... just don't let it anywhere near a browser is all. Wouldn't want my browser having access to a C compiler either.

#10 vetneufuse

neufuse

    Neowinian Senior

  • 16,764 posts
  • Joined: 16-February 04

Posted 11 January 2013 - 13:14

I got hit by this darn thing last night going to Houzz.com (a major house renovation site) and I have to have java due to work *grumbles* thanks work..... good thing I have an image of my system to restore from easily

went to the site screen went blank after a second then some pay up to the FBI because you are using copyright images crap that you can't get rid of without a ton of work

#11 Beyond Godlike

Beyond Godlike

    Neowinian

  • 1,096 posts
  • Joined: 21-December 10
  • Location: Winterpeg

Posted 11 January 2013 - 13:31

Honestly, i think malware writers have another 50 vulns figured out, and theyre just using 1 at a time and will always be ahead of the game, with java. Im so paranoid about it I only run my java apps in a VM lol(yes i know some malware can escape still).

#12 DrakeN2k

DrakeN2k

    Neowinian

  • 1,129 posts
  • Joined: 04-December 10

Posted 11 January 2013 - 13:44

Why is java always a security hole.

#13 HawkMan

HawkMan

    Neowinian Senior

  • 21,426 posts
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 11 January 2013 - 16:31

Why is java always a security hole.


Because millions use it. and it's a popular thing to whine abotu java security, instead of al the browser security holes and such.

#14 TPreston

TPreston

    Neowinian Senior

  • 2,554 posts
  • Joined: 18-July 12
  • Location: Ireland
  • OS: Windows 8.1 Enterprise & Server 2012R2/08R2 Datacenter
  • Phone: Nokia Lumia 1520

Posted 11 January 2013 - 16:43

Glad I. banished the jabba runtime enviornment to a single vm with Cisco cp. Wouldn't install it on a production machine
No idea why developers and companies like Cisco use this trash.

#15 ahhell

ahhell

    Neowinian Senior

  • 8,896 posts
  • Joined: 30-June 03
  • Location: Winnipeg - coldest place on Earth - yeah

Posted 11 January 2013 - 17:08

Why is java always a security hole.

Because it's ass.