Critical Java zero-day bug is being

By +Frank B.
in Back Page News

 Share

Recommended Posts

Grand Master

+Frank B. Subscriber²

Posted
  • Subscriber²
Posted

Critical Java zero-day bug is being ?massively exploited in the wild? (Updated)

Your fully patched installation of Java isn't safe.

A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10?the most recent version?say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this.

Source: Ars Technica

Link to comment
https://www.neowin.net/forum/topic/1130294-critical-java-zero-day-bug-is-being/
Share on other sites
Grand Master

neo1911

Posted
Posted

Whoa wait wait is this exploit accessible only over Java or also over Javascript? I'm a newb when it comes to these things but I have Java disabled in Firefox so I guess I'm fine^^

Java only.

JavaScript is different.

Grand Master

neufuse Veteran

Posted
  • Veteran
Posted

I got hit by this darn thing last night going to Houzz.com (a major house renovation site) and I have to have java due to work *grumbles* thanks work..... good thing I have an image of my system to restore from easily

went to the site screen went blank after a second then some pay up to the FBI because you are using copyright images crap that you can't get rid of without a ton of work

Proficient

Beyond Godlike

Posted
Posted

Honestly, i think malware writers have another 50 vulns figured out, and theyre just using 1 at a time and will always be ahead of the game, with java. Im so paranoid about it I only run my java apps in a VM lol(yes i know some malware can escape still).

Grand Master

TPreston

Posted
Posted

Glad I. banished the jabba runtime enviornment to a single vm with Cisco cp. Wouldn't install it on a production machine

No idea why developers and companies like Cisco use this trash.

  • Aergan and Dot Matrix
  • Like 2
Contributor

GarakObama

Posted
Posted

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

Grand Master

Dot Matrix

Posted
Posted

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

All the more reason to kill it with fire, burn the remains, and shun anyone who says otherwise.

Grand Master

TPreston

Posted
Posted

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

This isn't always an option see cisco cp and sdm

Mentor

Karl L.

Posted
Posted

Since Java and flash are so widely exploited but still required in the browser for various reasons (such as SDM and YouTube), the "click to play" feature in Chrome and Firefox adds a nice extra layer of protection. When enabled, you can selectively enable specific plugins (or all plugins) for any web page or website. That way you can still use plugins without worrying about them being exploited by any random, potentially malicious website.

To enable click to play in Chrome, go to Wrench->Settings->Show advanced settings...->Content settings..., check the "Click to play" box under the "Plugins" heading, and restart your browser.

To enable click to play in Firefox, open a new tab, type "about:config" in the address box, type "click_to_play" in the "Search:" filter, change the setting value to true, and restart your browser.

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

I got hit by this darn thing last night going to Houzz.com (a major house renovation site) and I have to have java due to work *grumbles* thanks work..... good thing I have an image of my system to restore from easily

went to the site screen went blank after a second then some pay up to the FBI because you are using copyright images crap that you can't get rid of without a ton of work

Sandboxie FTW.

I've been preaching the dangers of java for over a year.

December 16th 2011

Java! Uninstall It, Update it, or bend over and grab the ketchup!

http://www.neowin.ne...ab-the-ketchup/

A few months ago I went to a persons house to help them with something after my competitor removed malware from their machine. Not sure why they called me, after he worked on it (Probably because he doesn't do house calls and doesn't do any remote assistance). Anyway, as I was going through the machine I noticed that he not only left java on the machine after cleaning up the malware but left an out of date version. Effectively he left the door wide open that the malware came into to begin with. It would NOT surprise me, if he didn't know the dangers of java.

Grand Master

Brandon H Supervisor

Posted
  • Supervisor
Posted

i guess this one has ended up being the final straw, I'm now seeing everywhere even major companies saying don't use java unless you absolutely have too. even Apple has blocked java 7 in OSX apparently

Grand Master

Brandon H Supervisor

Posted
  • Supervisor
Posted

Unfortunately, there's allot of people that *must* use Java (for financial apps, for example), so uninstalling isn't really a solution. At all.

Oracle should put more assets to make Java more secure.

that's why I use this http://portableapps.com/apps/utilities/java_portable and http://portableapps.com/apps/utilities/java_portable_launcher
This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Grand Theft Auto VI pricing revealed alongside Ultimate Edition and pre-loading details

      By TCA · Posted

      Be sure to toss in a couple tacos to sweeten the deal, no one else sells better bridges!
    • Grand Theft Auto VI pricing revealed alongside Ultimate Edition and pre-loading details

      By TCA · Posted

      Online didn't launch until October of 2013. So no one could play it. Even then there were issues.
    • Grand Theft Auto VI pricing revealed alongside Ultimate Edition and pre-loading details

      By TCA · Posted

      NAVARONE if you remember
    • Google Finance is now out of beta with improved portfolio tracking and a new Android app

      By Karthik Mudaliar · Posted

      Google Finance is now out of beta with improved portfolio tracking and a new Android app by Karthik Mudaliar Google is taking its redesigned Google Finance experience out of beta and adding several new features, including portfolio tracking, scheduled market briefings, and a dedicated Android app. The company says the updates are beginning to roll out globally this week, while an iOS app is planned for later in 2026. The most notable addition is the new portfolio feature. Instead of entering every investment manually, users can upload a screenshot, CSV file, or PDF containing their holdings. They can also tell Google Finance what they own using natural language, such as the number of shares held in a particular company or fund. Google Finance will then place those investments into a dashboard showing performance, asset allocation, concentration risk, and the holdings responsible for the biggest gains or losses. Existing portfolios created with the older version of Google Finance should appear automatically. The built-in AI research panel can use the portfolio as context when answering questions. For example, users can ask which sectors are underrepresented or how their fixed-income allocation could affect long-term growth. Google says portfolio data will remain private and that uploaded files and images will not be retained. Users will also be able to edit or delete their portfolio information after it has been imported. Google Finance is also getting scheduled tasks. These let users request recurring reports such as a daily summary of overnight cryptocurrency movements or a weekly update about newly announced initial public offerings. There is also a new Google Finance app for Android. It includes watchlists, interactive charts, real-time market data, a live news feed, and the same AI research panel available on the web. Google has been gradually expanding the AI-powered Finance redesign since it first entered testing. In April, the experience was expanded to more than 100 countries, bringing its research tools, advanced charts, and market news to a much larger audience. That was followed by a wider European rollout in May, which added features including live earnings calls, transcripts, and AI-generated summaries. The ability to import an entire portfolio from a screenshot or document should make Google Finance considerably easier to set up. However, Android users will have to wait for feature parity with the web version, and Google has yet to say exactly when the iOS app will arrive.
    • Microsoft confirms Windows 11 26H2, urges IT admins to prepare for release

      By nekrosoft13 · Posted

      I now have a option to switch to 26h1 on my x86 system right in windows updates.

  • Recent Achievements

    • First Post
      kinowa earned a badge
      First Post
    • Rookie
      krychek57 went up a rank
      Rookie
    • Grand Master
      Jaybonaut went up a rank
      Grand Master
    • One Year In
      Philsl earned a badge
      One Year In
    • Dedicated
      Scoobystu earned a badge
      Dedicated

  • Popular Contributors

    1. 1
      +primortal
      410
    2. 2
      +Edouard
      168
    3. 3
      PsYcHoKiLLa
      132
    4. 4
      Xenon
      73
    5. 5
      Michael Scrip
      73
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!