java Critical Java zero-day bug is being

[+Frank B. Subscriber²]

Critical Java zero-day bug is being ?massively exploited in the wild? (Updated)

Your fully patched installation of Java isn't safe.

A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10?the most recent version?say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this.

Source: Ars Technica

[HoochieMamma]

Good ole NoScript and disabling Java Plugin in my browser (Y)

[Matthew S.]

Figures it's Java...

[HawkMan]

No sign of this "massively exploited" here in Norway where everyone has to have java. shrug.

[SkyDX]

Whoa wait wait is this exploit accessible only over Java or also over Javascript? I'm a newb when it comes to these things but I have Java disabled in Firefox so I guess I'm fine^^

[Dot Matrix]

Friends don't let friends install Java.

[neo1911]

Whoa wait wait is this exploit accessible only over Java or also over Javascript? I'm a newb when it comes to these things but I have Java disabled in Firefox so I guess I'm fine^^

Java only.

JavaScript is different.

[thealexweb]

Friends don't let friends install Java.

Everyone I know it seems has discovered Minecraft so Java is back again XD

[Max Norris]

Nothing wrong with Java... just don't let it anywhere near a browser is all. Wouldn't want my browser having access to a C compiler either.

[neufuse Veteran]

I got hit by this darn thing last night going to Houzz.com (a major house renovation site) and I have to have java due to work *grumbles* thanks work..... good thing I have an image of my system to restore from easily

went to the site screen went blank after a second then some pay up to the FBI because you are using copyright images crap that you can't get rid of without a ton of work

[Beyond Godlike]

Honestly, i think malware writers have another 50 vulns figured out, and theyre just using 1 at a time and will always be ahead of the game, with java. Im so paranoid about it I only run my java apps in a VM lol(yes i know some malware can escape still).

[DrakeN2k]

Why is java always a security hole.

[HawkMan]

Why is java always a security hole.

Because millions use it. and it's a popular thing to whine abotu java security, instead of al the browser security holes and such.

[TPreston]

Glad I. banished the jabba runtime enviornment to a single vm with Cisco cp. Wouldn't install it on a production machine

No idea why developers and companies like Cisco use this trash.

[ahhell]

Why is java always a security hole.

Because it's ass.

[djdanster]

Does this affect the JDK?

[GarakObama]

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

[Dot Matrix]

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

All the more reason to kill it with fire, burn the remains, and shun anyone who says otherwise.

[Brandon H Supervisor]

i only use java for minecraft anymore so i've gotten to the point where I only use the portable version of Java that's available on portableapps.com

[TPreston]

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

This isn't always an option see cisco cp and sdm

[Karl L.]

Since Java and flash are so widely exploited but still required in the browser for various reasons (such as SDM and YouTube), the "click to play" feature in Chrome and Firefox adds a nice extra layer of protection. When enabled, you can selectively enable specific plugins (or all plugins) for any web page or website. That way you can still use plugins without worrying about them being exploited by any random, potentially malicious website.

To enable click to play in Chrome, go to Wrench->Settings->Show advanced settings...->Content settings..., check the "Click to play" box under the "Plugins" heading, and restart your browser.

To enable click to play in Firefox, open a new tab, type "about:config" in the address box, type "click_to_play" in the "Search:" filter, change the setting value to true, and restart your browser.

[+Warwagon MVC]

I got hit by this darn thing last night going to Houzz.com (a major house renovation site) and I have to have java due to work *grumbles* thanks work..... good thing I have an image of my system to restore from easily

went to the site screen went blank after a second then some pay up to the FBI because you are using copyright images crap that you can't get rid of without a ton of work

Sandboxie FTW.

I've been preaching the dangers of java for over a year.

December 16th 2011

Java! Uninstall It, Update it, or bend over and grab the ketchup!

http://www.neowin.ne...ab-the-ketchup/

A few months ago I went to a persons house to help them with something after my competitor removed malware from their machine. Not sure why they called me, after he worked on it (Probably because he doesn't do house calls and doesn't do any remote assistance). Anyway, as I was going through the machine I noticed that he not only left java on the machine after cleaning up the malware but left an out of date version. Effectively he left the door wide open that the malware came into to begin with. It would NOT surprise me, if he didn't know the dangers of java.

[Brandon H Supervisor]

i guess this one has ended up being the final straw, I'm now seeing everywhere even major companies saying don't use java unless you absolutely have too. even Apple has blocked java 7 in OSX apparently

[Praetor]

Unfortunately, there's allot of people that *must* use Java (for financial apps, for example), so uninstalling isn't really a solution. At all.

Oracle should put more assets to make Java more secure.

[Brandon H Supervisor]

Unfortunately, there's allot of people that *must* use Java (for financial apps, for example), so uninstalling isn't really a solution. At all.

Oracle should put more assets to make Java more secure.

that's why I use this http://portableapps.com/apps/utilities/java_portable and http://portableapps.com/apps/utilities/java_portable_launcher