Critical Java zero-day bug is being

By +Frank B.
in Back Page News

 Share

Recommended Posts

Grand Master

+Frank B. Subscriber²

Posted
  • Subscriber²
Posted

Critical Java zero-day bug is being ?massively exploited in the wild? (Updated)

Your fully patched installation of Java isn't safe.

A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10?the most recent version?say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this.

Source: Ars Technica

Link to comment
https://www.neowin.net/forum/topic/1130294-critical-java-zero-day-bug-is-being/
Share on other sites
Grand Master

neo1911

Posted
Posted

Whoa wait wait is this exploit accessible only over Java or also over Javascript? I'm a newb when it comes to these things but I have Java disabled in Firefox so I guess I'm fine^^

Java only.

JavaScript is different.

Grand Master

neufuse Veteran

Posted
  • Veteran
Posted

I got hit by this darn thing last night going to Houzz.com (a major house renovation site) and I have to have java due to work *grumbles* thanks work..... good thing I have an image of my system to restore from easily

went to the site screen went blank after a second then some pay up to the FBI because you are using copyright images crap that you can't get rid of without a ton of work

Proficient

Beyond Godlike

Posted
Posted

Honestly, i think malware writers have another 50 vulns figured out, and theyre just using 1 at a time and will always be ahead of the game, with java. Im so paranoid about it I only run my java apps in a VM lol(yes i know some malware can escape still).

Grand Master

TPreston

Posted
Posted

Glad I. banished the jabba runtime enviornment to a single vm with Cisco cp. Wouldn't install it on a production machine

No idea why developers and companies like Cisco use this trash.

  • Aergan and Dot Matrix
  • Like 2
Contributor

GarakObama

Posted
Posted

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

Grand Master

Dot Matrix

Posted
Posted

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

All the more reason to kill it with fire, burn the remains, and shun anyone who says otherwise.

Grand Master

TPreston

Posted
Posted

Not only because a lot of people use but also because it's something that too many people never update.

Everytime I get a relatives PC to fix it has usually been blown wide open because of a Java exploit. It seems like it's just too easy to get into peoples systems through Java regardless of whether it's a zero day bug or not.

This isn't always an option see cisco cp and sdm

Mentor

Karl L.

Posted
Posted

Since Java and flash are so widely exploited but still required in the browser for various reasons (such as SDM and YouTube), the "click to play" feature in Chrome and Firefox adds a nice extra layer of protection. When enabled, you can selectively enable specific plugins (or all plugins) for any web page or website. That way you can still use plugins without worrying about them being exploited by any random, potentially malicious website.

To enable click to play in Chrome, go to Wrench->Settings->Show advanced settings...->Content settings..., check the "Click to play" box under the "Plugins" heading, and restart your browser.

To enable click to play in Firefox, open a new tab, type "about:config" in the address box, type "click_to_play" in the "Search:" filter, change the setting value to true, and restart your browser.

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

I got hit by this darn thing last night going to Houzz.com (a major house renovation site) and I have to have java due to work *grumbles* thanks work..... good thing I have an image of my system to restore from easily

went to the site screen went blank after a second then some pay up to the FBI because you are using copyright images crap that you can't get rid of without a ton of work

Sandboxie FTW.

I've been preaching the dangers of java for over a year.

December 16th 2011

Java! Uninstall It, Update it, or bend over and grab the ketchup!

http://www.neowin.ne...ab-the-ketchup/

A few months ago I went to a persons house to help them with something after my competitor removed malware from their machine. Not sure why they called me, after he worked on it (Probably because he doesn't do house calls and doesn't do any remote assistance). Anyway, as I was going through the machine I noticed that he not only left java on the machine after cleaning up the malware but left an out of date version. Effectively he left the door wide open that the malware came into to begin with. It would NOT surprise me, if he didn't know the dangers of java.

Grand Master

Brandon H Supervisor

Posted
  • Supervisor
Posted

i guess this one has ended up being the final straw, I'm now seeing everywhere even major companies saying don't use java unless you absolutely have too. even Apple has blocked java 7 in OSX apparently

Grand Master

Brandon H Supervisor

Posted
  • Supervisor
Posted

Unfortunately, there's allot of people that *must* use Java (for financial apps, for example), so uninstalling isn't really a solution. At all.

Oracle should put more assets to make Java more secure.

that's why I use this http://portableapps.com/apps/utilities/java_portable and http://portableapps.com/apps/utilities/java_portable_launcher
This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Grand Theft Auto VI pricing revealed alongside Ultimate Edition and pre-loading details

      By Nick H. · Posted

      I must admit, this is probably the only game at the moment where I can see that $80 price point being ok. The issue will be when other developers think they can get away with it with half of the work.
    • Google Wallet expands TSA PreCheck Touchless ID access to more travellers

      By Fiza Ali · Posted

      Google Wallet expands TSA PreCheck Touchless ID access to more travellers by Fiza Ali Google has announced that Google Wallet is becoming the first digital wallet to integrate with TSA PreCheck Touchless ID. It is a programme that lets eligible travellers move through participating airport security checkpoints using facial recognition instead of showing a physical ID or boarding pass. While the TSA PreCheck Touchless ID programme has been available for some time, using it hasn't always been straightforward. The programme currently operates at 65 airports across the US, but participation has largely depended on flying with a limited number of airlines. Travellers also had to upload passport information separately through participating carriers. Now, the tech giant's new integration is designed to remove some of those extra steps. With the update rolling out in the coming weeks, travellers with TSA PreCheck membership will be able to enrol in Touchless ID through Google Wallet and use the service with any of the 100 airlines participating in the programme. Rather than repeatedly submitting identification details, users can store a digital ID in Google Wallet and use it to streamline future trips. Setting up the feature is relatively straightforward as well. The process starts with users creating a digital ID in Google Wallet using their passport information. After checking in for a flight and saving a boarding pass to the app, eligible travellers will see a "Get started" option that directs them to the TSA enrolment process. Once users choose to share their ID pass and boarding pass information with the TSA for a specific trip, the agency will verify the enrolment. If approved, a TSA PreCheck Touchless ID indicator will appear on the boarding pass stored in Google Wallet, signalling that the traveller can use designated express Touchless ID lanes at participating airports. As privacy and security are likely to be key considerations for many travellers, Google says users must explicitly opt in before any information is shared with the TSA, and authentication is required through a device PIN, pattern, or biometric verification. The company also notes that digital IDs stored in Google Wallet remain encrypted and are kept on the user's device. For frequent flyers who already use TSA PreCheck, the new integration could remove a few more steps from the airport security process, making travel slightly faster and a little less cumbersome.
    • Windows 11 is now five years old

      By excalpius · Posted

      Even though MS had to sunset the Windows Subsystem for Android, you can apparently use BlueStacks to run Android in Windows now. I haven't tested this yet, so if anyone has any feedback, I'd love to hear it.
    • Microsoft adds new AI study and teaching tools for free to Microsoft 365 Education

      By excalpius · Posted

      Or, if you want to teach your kids how to hallucinate and lie like AI slop, introduce them to a Crazy MAGA Grandpa on LSD.
    • Ventoy 1.1.14

      By Copernic · Posted

      Ventoy 1.1.14 by Razvan Serea Ventoy is an open source tool to create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI files. With Ventoy, you don't need to format the disk over and over, you just need to copy the ISO/WIM/IMG/VHD(x)EFI files to the USB drive and boot them directly. You can copy many files at a time and ventoy will give you a boot menu to select them. Both Legacy BIOS and UEFI are supported in the same way. Most type of OS supported (Windows/WinPE/Linux/Unix/Vmware/Xen...) Ventoy features: 100% open source Simple to use Fast (limited only by the speed of copying iso file) Directly boot from ISO/WIM/IMG/VHD(x)/EFI file, no extraction needed Legacy + UEFI supported in the same way UEFI Secure Boot supported (since 1.0.07+) Persistence supported (since 1.0.11+) MBR and GPT partition style supported (1.0.15+) WIM files boot supported (Legacy + UEFI) (1.0.12+) IMG files boot supported (Legacy + UEFI) (1.0.19+) Auto installation supported (1.0.09+) File injection supported (1.0.16+) ISO files larger than 4GB supported Native boot menu style for Legacy & UEFI Most type of OS supported(Windows/WinPE/Linux/Unix/Vmware/Xen...), 550+ iso files tested Not only boot but also complete installation process ISO files can be listed in List mode/TreeView mode Linux vDisk boot supported (vdi/vhd/raw) "Ventoy Compatible" concept Plugin Framework Menu Alias/Menu Style/Customized Menu supported USB drive write-protected support USB normal use unaffected Data nondestructive during version upgrade No need to update Ventoy when a new distro is released Ventoy 1.1.14 changelog: Update secure boot shim file to solve the UEFI CA 2023 issue. The new release use a new CA, so you need to enroll the new key for the first boot time. VentoyPlugson update synchronously. Global control plugin add a VTOY_SECURE_BOOT_POLICY option. Notes Download: Ventoy 1.1.14 | 15.9 MB (Open Source) Download: Ventoy Live CD | 187.0 MB Link: Ventoy Home Page | Project Page @GitHub | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware

  • Recent Achievements

    • Dedicated
      Scoobystu earned a badge
      Dedicated
    • First Post
      Tom Schmidt earned a badge
      First Post
    • One Month Later
      D0nn13 earned a badge
      One Month Later
    • Rookie
      +ChiefOfNeo went up a rank
      Rookie
    • One Year In
      Tom Schmidt earned a badge
      One Year In

  • Popular Contributors

    1. 1
      +primortal
      457
    2. 2
      +Edouard
      177
    3. 3
      PsYcHoKiLLa
      123
    4. 4
      Michael Scrip
      83
    5. 5
      Xenon
      76
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!