Critical Java zero-day bug is being

By +Frank B.
in Back Page News

 Share

Recommended Posts

Grand Master

+Frank B. Subscriber²

Posted
  • Subscriber²
Posted

Critical Java zero-day bug is being ?massively exploited in the wild? (Updated)

Your fully patched installation of Java isn't safe.

A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10?the most recent version?say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this.

Source: Ars Technica

Link to comment
https://www.neowin.net/forum/topic/1130294-critical-java-zero-day-bug-is-being/
Share on other sites
Grand Master

neo1911

Posted
Posted

Whoa wait wait is this exploit accessible only over Java or also over Javascript? I'm a newb when it comes to these things but I have Java disabled in Firefox so I guess I'm fine^^

Java only.

JavaScript is different.

Grand Master

neufuse Veteran

Posted
  • Veteran
Posted

I got hit by this darn thing last night going to Houzz.com (a major house renovation site) and I have to have java due to work *grumbles* thanks work..... good thing I have an image of my system to restore from easily

went to the site screen went blank after a second then some pay up to the FBI because you are using copyright images crap that you can't get rid of without a ton of work

Proficient

Beyond Godlike

Posted
Posted

Honestly, i think malware writers have another 50 vulns figured out, and theyre just using 1 at a time and will always be ahead of the game, with java. Im so paranoid about it I only run my java apps in a VM lol(yes i know some malware can escape still).

Grand Master

TPreston

Posted
Posted

Glad I. banished the jabba runtime enviornment to a single vm with Cisco cp. Wouldn't install it on a production machine

No idea why developers and companies like Cisco use this trash.

  • Dot Matrix and Aergan
  • Like 2
Contributor

GarakObama

Posted
Posted

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

Grand Master

Dot Matrix

Posted
Posted

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

All the more reason to kill it with fire, burn the remains, and shun anyone who says otherwise.

Grand Master

TPreston

Posted
Posted

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

This isn't always an option see cisco cp and sdm

Mentor

Karl L.

Posted
Posted

Since Java and flash are so widely exploited but still required in the browser for various reasons (such as SDM and YouTube), the "click to play" feature in Chrome and Firefox adds a nice extra layer of protection. When enabled, you can selectively enable specific plugins (or all plugins) for any web page or website. That way you can still use plugins without worrying about them being exploited by any random, potentially malicious website.

To enable click to play in Chrome, go to Wrench->Settings->Show advanced settings...->Content settings..., check the "Click to play" box under the "Plugins" heading, and restart your browser.

To enable click to play in Firefox, open a new tab, type "about:config" in the address box, type "click_to_play" in the "Search:" filter, change the setting value to true, and restart your browser.

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

I got hit by this darn thing last night going to Houzz.com (a major house renovation site) and I have to have java due to work *grumbles* thanks work..... good thing I have an image of my system to restore from easily

went to the site screen went blank after a second then some pay up to the FBI because you are using copyright images crap that you can't get rid of without a ton of work

Sandboxie FTW.

I've been preaching the dangers of java for over a year.

December 16th 2011

Java! Uninstall It, Update it, or bend over and grab the ketchup!

http://www.neowin.ne...ab-the-ketchup/

A few months ago I went to a persons house to help them with something after my competitor removed malware from their machine. Not sure why they called me, after he worked on it (Probably because he doesn't do house calls and doesn't do any remote assistance). Anyway, as I was going through the machine I noticed that he not only left java on the machine after cleaning up the malware but left an out of date version. Effectively he left the door wide open that the malware came into to begin with. It would NOT surprise me, if he didn't know the dangers of java.

Grand Master

Brandon H Supervisor

Posted
  • Supervisor
Posted

i guess this one has ended up being the final straw, I'm now seeing everywhere even major companies saying don't use java unless you absolutely have too. even Apple has blocked java 7 in OSX apparently

Grand Master

Brandon H Supervisor

Posted
  • Supervisor
Posted

Unfortunately, there's allot of people that *must* use Java (for financial apps, for example), so uninstalling isn't really a solution. At all.

Oracle should put more assets to make Java more secure.

that's why I use this http://portableapps.com/apps/utilities/java_portable and http://portableapps.com/apps/utilities/java_portable_launcher
This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Win11Debloat 06.24.2026

      By Jaybonaut · Posted

      There are so many of these apps now that do this, what do people recommend?
    • Xbox Insiders get Xbox 360 achievements and Gamertag character upgrades

      By +Eternal Tempest · Posted

      This looks like a nice enhancement.
    • A coalition of publishers sued OpenAI and Microsoft over scraping content without consent

      By sagum · Posted

      Just the price of doing business. The scamble to pull as much from the web as possible is happening, and it's happening before a case like this changes how or what is legal do to with AI in terms of data harvesting. But even then as we've seen with the likes of Google who ignore cookie requests and just accept the fact they'll get fined, it's built into their business price model now. AI is here, its not going away. Their reward if any from the court case would be best suited to trying to incorprate AI or licence their end points as authentic human verified content. The problem is, as we've seen these same news papers are using AI themselves.
    • IBM reveals sub-1nm chip technology, production expected in another 5 years

      By Yogurth · Posted

      Which finger's fingernail are we talking about? I can see how not having this info can lead to massive differences in interpretation.
    • This Chinese company is reportedly developing a feature Apple and Samsung can only dream of

      By Hamid Ganji · Posted

      This Chinese company is reportedly developing a feature Apple and Samsung can only dream of by Hamid Ganji While companies like Apple and Samsung have been relatively conservative with their devices’ battery capacities in recent years, Chinese manufacturers have taken the competition to the next level by introducing significantly larger batteries. However, the latest report from China suggests that a local company may already be developing a smartphone with a whopping 14,000mAh battery. Chinese leaker Digital Chat Station claimed on Weibo that a smartphone maker is developing a device with a 14,000mAh battery. If true, it would be the largest battery ever used in a smartphone and could, in theory, provide up to a week of battery life on a single charge. The leaker did not reveal the name of the company behind the device, but there are some clues. This week, HONOR unveiled the X80 Pro Max in China with an 11,000mAh battery and 90W wired charging support. The company also launched the Honor Win in January, which packs a 10,000mAh battery. HONOR, a former subsidiary of Huawei, has a proven track record of developing smartphones with unusually large batteries. However, other Chinese brands, including Xiaomi, have also launched devices such as the Xiaomi 17 Pro Max with 7,500mAh batteries. Though Chinese users on Weibo also believe the company behind the new battery is HONOR. Interestingly, Digital Chat Station said the device with the 14,000mAh battery weighs around 220 grams, making it lighter than the Apple iPhone 17 Pro Max (233 grams) and slightly heavier than the Samsung Galaxy S26 Ultra (214 grams). The iPhone 17 Pro Max currently packs a 5,088mAh battery in eSIM-only versions, while the Galaxy S26 Ultra features a 5,000mAh battery. Neither device is expected to see a dramatic increase in battery capacity in its next-generation successor. So when it comes to battery comparison, Chinese brands are unbeaten. HONOR smartphones are currently available in the EU, but the Chinese brand has no official presence in the United States due to restrictions imposed by the U.S. government.

  • Recent Achievements

    • First Post
      kinowa earned a badge
      First Post
    • Rookie
      krychek57 went up a rank
      Rookie
    • Grand Master
      Jaybonaut went up a rank
      Grand Master
    • One Year In
      Philsl earned a badge
      One Year In
    • Dedicated
      Scoobystu earned a badge
      Dedicated

  • Popular Contributors

    1. 1
      +primortal
      461
    2. 2
      +Edouard
      172
    3. 3
      PsYcHoKiLLa
      136
    4. 4
      Michael Scrip
      78
    5. 5
      Xenon
      77
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!