
A Tidal Wave of Java Flaw Exploitation

Soulskill posted about 4 years ago | from the surf's-up dept.


tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack." Several days ago, Oracle released a patch that fixed 29 Java security flaws.


238 comments


How? (4, Interesting)

MrEricSir (398214) | about 4 years ago | (#33937770)

The one question this article doesn't really clarify is pretty important: How are these exploits being loaded onto the user's computer?

Are we talking applets, Java web start, or some other mechanism?

Re:How? (5, Informative)

adisakp (705706) | about 4 years ago | (#33937842)

CVE            Attacks    Computers  Description
CVE-2008-5353  3,560,669  1,196,480  A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
CVE-2009-3867  2,638,311  1,119,191  Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
CVE-2010-0094    213,502    173,123  Another deserialization issue, very similar to CVE-2008-5353.

Re:How? (4, Informative)

adisakp (705706) | about 4 years ago | (#33937878)

The keywords in the above descriptions are "remote code execution through Java-enabled browsers on multiple platforms". The flaw is not Windows specific but could also be exploited on OSX and Linux.

Re:How? (3, Informative)

hydrofix (1253498) | about 4 years ago | (#33938248)

I feel that NoScript is doing greater and greater work in protecting me each and every day.

Re:How? (0)

Anonymous Coward | about 4 years ago | (#33938278)

I agree. I am annoyed by it always showing the donation page during its very frequent updates, which is why I've donated elsewhere so far, but I'm thinking that guy gets some of my holiday donations this year.

Re:How? (1)

bhcompy (1877290) | about 4 years ago | (#33938870)

You can disable that easily within the NoScript configuration. A simple check box is all that needs to be unchecked.

Re:How? (0)

Anonymous Coward | about 4 years ago | (#33938368)

My "disable Java" option is even safer than your NoScript.

Isn't NoScript for Javascript anyway, which has no relation whatsoever to Java?

Re:How? (3, Informative)

init100 (915886) | about 4 years ago | (#33938732)

NoScript blocks all executable content on a web page, including Java applets, Javascript, Flash, etc, and lets you decide which ones to allow on a per-site basis.

Re:How? (0, Redundant)

bhcompy (1877290) | about 4 years ago | (#33938834)

NoScript blocks .jar

Re:How? (0)

Anonymous Coward | about 4 years ago | (#33938408)

you realize Java != Javascript

Re:How? (0, Redundant)

meloneg (101248) | about 4 years ago | (#33938592)

You do realize that NoScript blocks all embedded objects don't you?

Re:How? (1)

Maxo-Texas (864189) | about 4 years ago | (#33938634)

Absolutely. And then I decide what I'm going to allow.

Re:How? (2, Informative)

emkyooess (1551693) | about 4 years ago | (#33938666)

In response to all of these "Java!=Javascript" comments that are here. Yes, we do. NoScript does a lot more than just JavaScript. It sandboxes Java and Flash until we tell them to run, too. It limits XSS. A lot of things, really.

Re:How? (4, Informative)

Bill_the_Engineer (772575) | about 4 years ago | (#33938362)

CVE-2008-5353 was fixed with Apple's Java Patch #2 on June 15, 2009.

CVE-2009-3867 was fixed with Apple's Java for OS X 10.6 Update #1 and Java on 10.5 Patch #6 on December 3, 2009.

CVE-2010-0094 was fixed with Apple's Java for OS X 10.6 Update #2 and Java on OS X 10.5 Update #7 on May 18, 2010.

The flaw may not be Windows specific, but OS X is not included in your list.

Re:How? (5, Informative)

Bill_the_Engineer (772575) | about 4 years ago | (#33938440)

After further research, it appears that Oracle/Sun's latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.

Re:How? (1)

Erikderzweite (1146485) | about 4 years ago | (#33938742)

Well, those of us who update their Linux installation should be safe then. Windows is trickier of course with no centralized updates in place.

Re:How? (2, Insightful)

Kvasio (127200) | about 4 years ago | (#33938888)

Perhaps this is because each Java update forces the bloody 'autoupdater service' (jusched).
Theoretically it allows the user to turn it off.
When I turn it off, close the Java config and reopen it, the schedule is still active.
Cutting it out in the registry is the proper solution.

Re:How? (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#33939140)

oh please clueless astroturfing MS fanbois: how can you mod +5 informative adisakp's clueless comment?

Even if I had Java applets enabled (which I don't) on my Linux desktop then all this would provide would be a remote non-admin/non-root exploit.

We all know that a non-admin exploit on Windows means an admin exploit, because escalating privileges is trivial on any Windows version due to the *countless* local admin exploits.

Not so on Linux.

Re:How? (2, Informative)

adisakp (705706) | about 4 years ago | (#33939224)

oh please clueless astroturfing MS fanbois: how can you mod +5 informative adisakp's clueless comment?

Not so on Linux.

I'm hardly an MS fanboi but I'll reply to your obvious flamebait anyhow. Isn't it a bit harsh to call someone "really clueless" when all I did was point out that the vulnerability exists on all platforms? After all, the summary makes it sound like a Windows-only problem.

Yes, it may be harder to escalate privileges, but it's not impossible. Linux and OSX are inherently safer, but they've been hacked in seconds to get root privileges in just about every pwn-contest held so far when 3rd party software with vulnerabilities is installed. Pretending this is a Windows-only issue isn't going to make OSX / Linux machines any safer.

So... (0)

Anonymous Coward | about 4 years ago | (#33938254)

Users of FF + NoScript are relatively safe?

Re:So... (-1)

Anonymous Coward | about 4 years ago | (#33938360)

Yes. But they get about the same feature-set as those who just plain uninstall Java.

NoScript is fail. Might as well browse with lynx http://en.wikipedia.org/wiki/Lynx_(web_browser) [wikipedia.org]

Re:So... (1)

meloneg (101248) | about 4 years ago | (#33938612)

But Lynx lacks that little button with "Allow scripts..." pop-up menu.

Re:How? (5, Informative)

Florian Weimer (88405) | about 4 years ago | (#33937850)

Propagation generally happens via applets, loaded through IFRAMEs or Javascript-based redirects. Actual payloads are not yet OS-agnostic (even though the exploits themselves are).

Re:How? (2, Interesting)

JonySuede (1908576) | about 4 years ago | (#33937884)

According to CVE-2010-0094, the vulnerability is in RMIConnectionImpl, and since you can only initiate a connection to your host in an applet, I would guess that you would need to use Java Web Start.

Re:How? (3, Informative)

doishmere (1587181) | about 4 years ago | (#33938294)

A few days ago smbc comics [smbc-comics.com] was hit with a Java exploit in the form of a popup that installed a trojan on users' machines. People affected were discussing it here [reddit.com]; from this it looks like mostly Windows machines were infected, but at least one user claims Ubuntu was affected.

Re:How? (0)

Anonymous Coward | about 4 years ago | (#33938536)

Here's what happened on my machine over the weekend: a Java ad with malware caused a buffer overflow condition (which was caught by McAfee) in JRE v11. Then it snuck in a malware executable (which was caught by McAfee). Which then signaled other malware that I was open for business. Not caught by McAfee. Hilarity ensued as "explorer.exe" decided to catalog my entire system looking for passwords and account info.

Malwarebytes detected this after the fact and cleaned it all, but after many hours of getting re-infected every time I re-connected to the internet, I found that it was a Java vulnerability. Simply uninstalling every JRE and updating to the latest version resolved everything.

Java applets require authorization (2, Interesting)

SplashMyBandit (1543257) | about 4 years ago | (#33938908)

If the infections were coming via Java Applets then it becomes pertinent to ask how they got on the machine. Java applets must be signed to write to the user's hard drive. This means the user was prompted to approve an untrusted certificate and they did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not like applets are without protection to the end user.

Re:Java applets require authorization (1)

Tanktalus (794810) | about 4 years ago | (#33939136)

If the infections were coming via Java Applets then it becomes pertinent to ask how they got on the machine. Java applets must be signed to write to the user's hard drive. This means the user was prompted to approve an untrusted certificate and they did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not like applets are without protection to the end user.

Unless, of course, said exploit allowed the bypassing of the certificate requirement.

Nervous (4, Funny)

Konster (252488) | about 4 years ago | (#33937774)

Seeing Oracle and Java all in the same sentence gives me a nervous tic...the same nervous tic that I developed when I read MS was in talks to acquire Adobe.

Re:Nervous (4, Funny)

MrEricSir (398214) | about 4 years ago | (#33938048)

Just wait until you hear the news that Larry Ellison is buying Linus Torvalds.

Re:Nervous (0)

Anonymous Coward | about 4 years ago | (#33938082)

Thank you for your contribution. You may return to algebra class now.

Re:Nervous (1)

Dystopian Rebel (714995) | about 4 years ago | (#33938464)

Seeing Oracle and Java all in the same sentence gives me a nervous tic

Well, seeing Oracle and "Eleonore, Crimepack and SEO Sploit Pack" in the same paragraph makes me nervous.

When Ellison's raiders see a money-making opportunity, they go for it.

Patches have been available for a long time (3, Insightful)

adisakp (705706) | about 4 years ago | (#33937796)

FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.

So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.

Re:Patches have been available for a long time (4, Insightful)

lgw (121541) | about 4 years ago | (#33937894)

I've run out of space in my head for all the different tools I need to separately manage updates for.

Re:Patches have been available for a long time (5, Funny)

Anonymous Coward | about 4 years ago | (#33938092)

I've run out of space in my head for all the different tools I need to separately manage updates for.

Sounds like you need a computer.

Re:Patches have been available for a long time (0)

Anonymous Coward | about 4 years ago | (#33939180)

I've run out of space in my head for all the different tools I need to separately manage updates for.

Sounds like you need a computer.

The article on Crimepack, which is linked in the summary, advises Secunia [secunia.com] to check which packages on your machine need to be updated.

Re:Patches have been available for a long time (0, Flamebait)

yyxx (1812612) | about 4 years ago | (#33938140)

There is a solution for that: use Ubuntu Linux.

JRE's no mere ranger. (0)

Anonymous Coward | about 4 years ago | (#33938238)

Java is Enterprise(tm).

You know, something that Ubuntu completely isn't. And it is not a thing to be updated willy nilly, by random developers. Here in the Enterprise(tm) world, we generally tend to, y'know, test shit thoroughly before launching/updating it.

/smarmy because I'm tired of people insisting the only valid solution for desktop Linux is also the only valid solution to running a server.

Re:JRE's no mere ranger. (1)

binarylarry (1338699) | about 4 years ago | (#33938398)

Ubuntu "just works" so I'd fucking hope to hell it's enterprise ready.

Re:JRE's no mere ranger. (1)

cb88 (1410145) | about 4 years ago | (#33938850)

Ubuntu is a hackfest off of svn branches of software with custom never-upstreamed patches. Yeah .... it's *stable* except half of anything you want to do is broken. Personally I'm an ArchLinux user where everything works perfectly at least once a week :-P

Re:Patches have been available for a long time (0)

Anonymous Coward | about 4 years ago | (#33938748)

Can't: driver issues.

Re:Patches have been available for a long time (1)

mspohr (589790) | about 4 years ago | (#33938574)

Linux and Mac use repositories which manage updates for the system and all applications. Automatic. No space in the head required.

Re:Patches have been available for a long time (1)

jmpeace (1911038) | about 4 years ago | (#33938852)

apt-get upgrade

Re:Patches have been available for a long time (5, Funny)

Ant P. (974313) | about 4 years ago | (#33938950)

I guess Windows isn't ready for the desktop.

Re:Patches have been available for a long time (3, Informative)

lgw (121541) | about 4 years ago | (#33939074)

All it needs is to allow me to manage a list of repositories that I trust (one centrally managed repository won't fly in the commercial world, but it doesn't have to be that way). It's a small addition - maybe next year will be the year of Windows on the desktop!

Re:Patches have been available for a long time (4, Interesting)

MozeeToby (1163751) | about 4 years ago | (#33937898)

For reasons I have never been able to figure out, Java has significant issues auto updating on all my home Windows computers (XP, Vista, and 7). Sure enough, just last week I had to spend a night sanitizing one of the systems. For now I've uninstalled Java until I have the chance to figure out just what the problem is, but honestly not having it hasn't been a problem, so I'll probably just leave it off until I find something that actually requires it.

Re:Patches have been available for a long time (1)

wjousts (1529427) | about 4 years ago | (#33938170)

The only virus I ever got was on my wife's laptop and it appeared to come in through Java. She was sick of being constantly nagged to update Java anyway, so I removed Java completely. I had to nuke her account to completely clean it.

Re:Patches have been available for a long time (1, Interesting)

Anonymous Coward | about 4 years ago | (#33938214)

The best solution then is to leave it uninstalled permanently. I mean really what do you need it for on a home machine? It's not like there are any apps that need it.

Re:Patches have been available for a long time (2, Insightful)

Darkness404 (1287218) | about 4 years ago | (#33938220)

Exactly. Java has become a massive security hole with exploits left and right with fewer and fewer things that use it.

Plus, the patch wants you to install a massive amount of crapware in order to patch your system.

Re:Patches have been available for a long time (1)

abigor (540274) | about 4 years ago | (#33938590)

You can always tell the people that don't work in "the biz" when they make comments like the parent's.

Re:Patches have been available for a long time (4, Interesting)

vlm (69642) | about 4 years ago | (#33938768)

He seemed pretty accurate other than some exaggeration. If you want to see a "Massive amount of crapware" buy a PC from a big box store, not "java tried to install the yahoo toolbar boo hoo".

The funniest Java related thing I've seen, is amongst the non-computer cow orkers "Oh man, another java program, that thing is gonna be slow and take IT forever to install (actually they mean the JVM) and crash all the time". Computer people have known that for over a decade now, the funny part is hearing non computer people start to complain.

Re:Patches have been available for a long time (4, Interesting)

Florian Weimer (88405) | about 4 years ago | (#33937944)

Java updates contain unrelated bugfixes and functionality, breaking applications. They are far from being minimal updates. Back in the Sun days, this was addressed by enabling parallel installation of many JVM versions. It was even possible for web content to request a specific JVM version, which means that you actually had to update to a newer version and delete all the old versions. I'm not completely sure that this part has actually been addressed. It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).

Re:Patches have been available for a long time (3, Insightful)

ADRA (37398) | about 4 years ago | (#33938194)

Java web start allows a developer to specify an exact version of the JVM to run. If that JVM doesn't exist, it could be downloaded from Oracle through the web start installation process. I'm not sure if you can specify flaw-enabled versions of the JVM anymore, but at least there are dialogs and choices to make before the JVM gets installed anyways, so a naked web site can't just inject a bad JVM into your system based on an exploit web start file. The same goes for applets these days, as applets and web start merge into some sort of common entity.

That said, there are a lot of 3rd party vendors that have installed JVM's over things, and set environment variables that break other things over the years (Oracle DB client I'm looking at you!) that can cause all sorts of compatibility problems.

Re:Patches have been available for a long time (2, Insightful)

tuffy (10202) | about 4 years ago | (#33938304)

"Write Once, Run on a Very Specific Virtual Machine Version Which We'll Download For You Automatically" doesn't sound quite so appealing.

Re:Patches have been available for a long time (4, Informative)

ADRA (37398) | about 4 years ago | (#33938648)

There are maybe 3 major versions of Java still in somewhat standard use: 1.4, 1.5, and 1.6. Unless the application in question has some very specific quirks, users should always be able to use the latest and greatest version of 1.6 to run them. The allowance for using older versions of the platform is a feature, not a hindrance.

It means that if I want to use "BadSoftwareCompany"'s piece of Java software, I'm not confined to downloading and breaking my host's latest version of Java if their code only works with 1.4 or 1.5. If I didn't have the feature, I just couldn't use the software without a huge headache. To assume that every version of every software will work forever is delusional, but at least there are facilities to support the older tech.

Re:Patches have been available for a long time (1)

cb88 (1410145) | about 4 years ago | (#33938902)

Maybe you missed his point ... there are quite a few free and non-free C compilers with fairly high compliance to standards. Can the same be said for Java? Non-Sun/Oracle-derived Java implementations pretty much don't exist... and the derivations that do exist are just redesigns of the VM which serve to introduce incompatibilities/bugs.

Re:Patches have been available for a long time (0)

Anonymous Coward | about 4 years ago | (#33939172)

MSJVM, bitches

Re:Patches have been available for a long time (1)

coredog64 (1001648) | about 4 years ago | (#33938244)

If you still need 1.4 or 1.5, you can get support but it's going to cost you. I've got an install of JDK 6u11 in parallel with newer versions because of a Swing change that broke some Sun/NetBeans tooling. IIRC, 6u17 was another game changer.

Re:Patches have been available for a long time (1)

tlhIngan (30335) | about 4 years ago | (#33938804)

It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).

Including, surprisingly, Android.

OpenJDK 1.6 works with Android, but if you want to use the official one they recommend, you have to use 1.5 (Java 5) because of some oddball parser issues in official Oracle JDK 1.6.

So one's choices are to use the unsupported OpenJDK 1.6 with Android, or the unsupported (but Android-supported) JDK 1.5. Bleh.

I hope Android 3.0 fixes this. This is an issue on Ubuntu 10.04 and onwards, as JDK 1.5 is no longer in the repository and you have to do some hacks to get 9.x JDK 1.5 in...

http://source.android.com/source/download.html [android.com]

Re:Patches have been available for a long time (0)

Anonymous Coward | about 4 years ago | (#33938324)

It isn't an update... it installed another copy of Java with no option to uninstall old (exploitable) JRE/JDK installations.

Nerd rage (1, Interesting)

Anonymous Coward | about 4 years ago | (#33937814)

People are angry at Oracle for screwing Sun so they are writing exploits for revenge.

Re:Nerd rage (4, Insightful)

interkin3tic (1469267) | about 4 years ago | (#33937948)

Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?

Re:Nerd rage (0)

Anonymous Coward | about 4 years ago | (#33939142)

Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?

Microsoft? Seriously... who has the most to benefit from Java becoming "untrusted."

Re:Nerd rage (1)

dirtyhippie (259852) | about 4 years ago | (#33938212)

I doubt it, but there is definitely a strong time correlation between the increase of java attacks and oracle's sun acquisition. My guess would be that because Oracle doesn't know how to monetize java (without suing others), attention is shifting away from java and the code is getting a thin film of dust over it.

JVM on Windows? (0, Troll)

big dumb dog (876383) | about 4 years ago | (#33937868)

Anyone who would deploy JVMs on Windows instead of Linux is probably writing crap code in the first place.

Re:JVM on Windows? (1)

jgagnon (1663075) | about 4 years ago | (#33938046)

Yeah, because nobody ever runs Java applets on Windows...

Re:JVM on Windows? (4, Funny)

MrEricSir (398214) | about 4 years ago | (#33938104)

Yeah, they should have used ActiveX, right?

Re:JVM on Windows? (1, Insightful)

Anonymous Coward | about 4 years ago | (#33938180)

You are missing the point. If you are distributing a JVM to run your application, chances are you are only running your code, and you are doing so outside a sandbox.

Untrusted Java code is typically run either as a web browser applet, or as a Java web start application. Typical scenario: User visits a bad web page (or sees a bad ad) with a Java applet. It loads, exploits a vulnerability in the Java sandbox, and executes its code. Applets are in the browser's code domain, so it is possible that the web browser may catch that. Java web start is a bit trickier to get the user to start up, but it executes in its own domain.

Many of the vulnerabilities seem to be tied to deserialization, which is not surprising, given that Java deserializes objects using reflection and magic to set fields and bypass execution of the constructor. The approach makes it easier to write serializable objects, but makes it harder to check everything.
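The constructor bypass described above, shown as an added Java example that is not from the thread (the class and field names, and the single-int-field stream layout it patches, are constructed for the demo): the first class validates only in its constructor, so a tampered stream lands an impossible value; the second re-validates in readObject() and rejects the same stream.

```java
import java.io.*;

// Added example: Java deserialization never runs the constructor, so an
// invariant enforced only there does not hold for objects rebuilt from bytes.
// A readObject() hook is the place to re-check it (ObjectInputFilter is the
// other standard control, not shown here).
public class DeserializationDemo {

    // Validation lives only in the constructor: skipped on deserialization.
    static class Unchecked implements Serializable {
        private static final long serialVersionUID = 1L;
        final int port;
        Unchecked(int port) {
            if (port < 1 || port > 65535) throw new IllegalArgumentException("bad port");
            this.port = port;
        }
    }

    // Same invariant, re-applied to whatever the stream contained.
    static class Checked implements Serializable {
        private static final long serialVersionUID = 1L;
        final int port;
        Checked(int port) {
            if (port < 1 || port > 65535) throw new IllegalArgumentException("bad port");
            this.port = port;
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();          // fields are set via reflection, no constructor
            if (port < 1 || port > 65535)
                throw new InvalidObjectException("bad port in stream: " + port);
        }
    }

    // Serialize obj, then overwrite its only field (the trailing 4-byte int in
    // the default serialization layout of a one-int class) with 0, which the
    // constructor would never have accepted. Stands in for an untrusted stream.
    static byte[] serializeWithBadPort(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        byte[] bytes = bos.toByteArray();
        int n = bytes.length;
        bytes[n - 4] = 0; bytes[n - 3] = 0; bytes[n - 2] = 0; bytes[n - 1] = 0;
        return bytes;
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructor-only check: the object comes back with port == 0.
        Unchecked u = (Unchecked) deserialize(serializeWithBadPort(new Unchecked(8080)));
        System.out.println("Unchecked: port=" + u.port + " (invariant broken, constructor never ran)");

        // readObject() check: the same tampered stream is rejected.
        try {
            deserialize(serializeWithBadPort(new Checked(8080)));
            System.out.println("Checked: accepted (unexpected)");
        } catch (InvalidObjectException e) {
            System.out.println("Checked: rejected, " + e.getMessage());
        }
    }
}
```

Run it with `javac DeserializationDemo.java && java DeserializationDemo`; the first line reports port=0 and the second reports the rejection.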

Re:JVM on Windows? (1)

big dumb dog (876383) | about 4 years ago | (#33938542)

Anyone who would deploy JVMs on Windows instead of Linux is probably writing crap code in the first place.

I can't believe someone Trolled me...

Stuck on old versions (0)

Anonymous Coward | about 4 years ago | (#33937922)

Meanwhile, I continue to be forced to use Java 1.5 at work because a product supplied by Oracle (Discoverer) doesn't run properly on a newer version.

(At least the version our organization has doesn't work. There's a theoretical upgrade coming in November. Let's hope I don't get pwned before then.)

Re:Stuck on old versions (1)

leenks (906881) | about 4 years ago | (#33938038)

So fix your broken government department's IT policy.

Re:Stuck on old versions (1)

StoatBringer (552938) | about 4 years ago | (#33939286)

An awful lot of big organisations are terrified of upgrading anything in case things stop working (and of course, nobody wants to be the one who suggested the upgrade if it all goes wrong). I've seen so many places that will not move past IE6 and Java 1.4 because they daren't risk their clunky old systems not working anymore.

Re:Stuck on old versions (1)

JonySuede (1908576) | about 4 years ago | (#33939222)

What is so hard about using the 1.5 JRE for this particular app and the modern, still supported 1.6 JRE for the rest of the system?

Great (1)

rakuen (1230808) | about 4 years ago | (#33937988)

So now not only are PDFs and Java processing landmines, they're now viral landmines as well.

Oracle just put me in a rough spot (2, Interesting)

Anonymous Coward | about 4 years ago | (#33937990)

This creates a huge issue for the company I provide support for. We have so far not updated beyond 6u20. That is the last version of the JVM to carry the "Sun Microsystems" label instead of something referencing Oracle.

Some divisions of this company (and I would assume others as well) still run apps that seem to be incompatible with anything above 6u20 for this reason. Oracle's poor stewardship toward the Java platform has led to a situation where we will have to make a decision on a per workstation basis whether to lose access to some important applications, or remain vulnerable to Java exploits for an unknown and possibly indefinite period of time.

Patch bloat (5, Interesting)

edxwelch (600979) | about 4 years ago | (#33938022)

What's annoying is there is no real "patch" as such. You have to install the entire 77MB package from scratch and it installs crap like the yahoo toolbar by default.

Re:Patch bloat (0)

Anonymous Coward | about 4 years ago | (#33938384)

Nonsense. The patch is to disable the web plugin. Java doesn't belong in browsers.

Re:Patch bloat (4, Informative)

TubeSteak (669689) | about 4 years ago | (#33938642)

What's annoying is there is no real "patch" as such. You have to install the entire 77MB package from scratch and it installs crap like the yahoo toolbar by default.

If you update through the java control panel, it definitely does not grab the entire 77MB package + toolbar.

Re:Patch bloat (2, Informative)

_xeno_ (155264) | about 4 years ago | (#33939146)

Last I checked, that just updated the JRE - the only way to update the JDK was to pull a complete new copy.

This article speaks the truth (5, Funny)

gman003 (1693318) | about 4 years ago | (#33938032)

I'm still in the process of repairing my Windows system after a Java-transmitted virus. A hacked website was sending out malware to visitors via Java applet, and the only solution I found was a format/reinstall. Since then, I've disabled Java on all my machines; the only things I've seen it used for are crappy browser games and malware.

Nice try (1)

turgid (580780) | about 4 years ago | (#33938192)

+1 Funny (very bad attempt at trolling).

Re:Nice try (1)

julesh (229690) | about 4 years ago | (#33938400)

Not sure why you think this is a troll. I, too, have recently had a massive malware infection through a Java applet. I did manage to sort it out via an antivirus program, but it took over 3 days for it to clean all 375,000 infected files from my system. It would have been faster to reinstall.

Re:Nice try (1)

Pieroxy (222434) | about 4 years ago | (#33938726)

Dude, stop it! I'm laughing my ass off!!!!

Re:Nice try (1)

MozeeToby (1163751) | about 4 years ago | (#33938576)

I don't see that as trolling, the only reason my recent Java delivered infection wasn't orders of magnitude worse is because Avira contained the problem before it got out of hand. Yes, I suppose I should be angry that Avira let it get as far as it did (the initial infection was running and Avira couldn't stop or remove it), but I'm grateful that the 20+ infections that the first one tried to spawn weren't able to run. Even still it was a night's work.

Reboot to a live CD, run a scan and remove/repair infected files, search the registry for the infected file names and remove if appropriate, reboot to Windows safe mode and scan again (trying to find anything running), reboot to regular mode, then back to the live CD for another scan (in case something came back when Windows rebooted).

Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.

Re:Nice try (3, Informative)

turgid (580780) | about 4 years ago | (#33938960)

Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.

Me neither. I switched to Linux in 1996.

Advertising (0)

Anonymous Coward | about 4 years ago | (#33938142)

The latest Java patch comes with a prompt to add the Microsoft Bing toolbar.

once again, wrong default (0)

Anonymous Coward | about 4 years ago | (#33938396)

I've said it before and always seem to get modded down, but anyone who runs their system setup by default to execute random code from the internet just by visiting a web page is asking for trouble.

You should run things you have a *reason* to run, and a reason to trust. Don't just run anything from anywhere by default, that's stupid. Make a conscious decision. Use your brain! That's what it's there for: to let you make decisions about how to interact with the world around you.

People's computers get jacked because they don't care about what things they run. Even when you think it's sandboxed, there can still be flaws.

Turn off scripting by default! Run scripts on your bank site or whatever, where you have a REASON to and it's for your benefit. Don't just run any random shit that any random web page throws your way, that's idiotic.

Re:once again, wrong default (0)

Anonymous Coward | about 4 years ago | (#33938694)

I don't run scripts by default (proud NoScript user here) but the sad fact is that even this isn't guaranteed to protect you. It's better than running scripts everywhere, but legitimate sites, even those you would expect to be fairly secure, can be exploited to serve malicious content to you [slashdot.org]. How is the end user supposed to know whether website XYZ is vulnerable to HTML injections or not?

Java Vulnerabilities Patched in 1.6.0_22 (1)

bughunter (10093) | about 4 years ago | (#33938668)

You don't have to be vulnerable. The listed exploits were patched in Update 22, last spring.

Update available here. [java.com]

DoublePlusKarmaWhoreGoodness: For best protection, run a Mozilla browser with the NoScript add-on [mozilla.org]. (AdBlockPlus [adblockplus.org] and RemoveItPermanently [mozdev.org] make great complements to NoScript, too.)

Re:Java Vulnerabilities Patched in 1.6.0_22 (0)

Anonymous Coward | about 4 years ago | (#33939038)

You don't have to be vulnerable. The listed exploits were patched in Update 22, last spring.

Ummm, no. JRE 6 Update 22 was released last week, October 2010.

http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html [oracle.com]

Microsoft warned today ... (0)

Anonymous Coward | about 4 years ago | (#33938828)

"Microsoft warned today ..." - that's how emails from idiots began 5 years ago.

MS and Adobe to join? (1)

cyberjock1980 (1131059) | about 4 years ago | (#33938860)

Since MS has posted this list of exploits that were fixed in Update 22 (last spring!), is it safe to assume that Microsoft is simply trying to redirect people who complain about Adobe's security vulnerabilities to look at Java with bigger contempt, so Microsoft can buy Adobe and still claim that their software is the most secure?

Seems a bit odd to me that Microsoft would be trying to improve Adobe's image when they need to be looking at their own. Perhaps they ARE looking at their own image because Adobe will soon be a part of Microsoft.

disable java in browser? (1)

Fanro (130986) | about 4 years ago | (#33938898)

Is there a way to disable java across all browsers, but keep it installed for other software like openoffice?
I.e. block all applet functionality, but still allow local java code to run?

That would make maintaining friends' PCs a lot easier. They never update on time, and when they do, I always have to remove a new bundled browser toolbar again.

Cisco is the worst! (0)

Anonymous Coward | about 4 years ago | (#33938930)

Not only does Cisco distribute ancient versions of java with most of their software, Cisco actually requires these ancient versions of java full of security holes to work.

And allegedly Cisco takes security seriously. I pointed this out to my sales rep, who didn't think this was a problem. What a POS (both Cisco and the sales rep).

Yahoo toolbar (0, Troll)

amaupin (721551) | about 4 years ago | (#33938962)

And when you install Java you get the Yahoo toolbar, as well! (Unless you uncheck it.) It's like Sun (or Oracle, I don't know which) sat around a table and brainstormed ways to make Java appear as malware-ific as possible.

Great job guys. You're lucky Flex's mxmlc.exe (and now Minecraft) require Java or I'd have no use whatsoever for your tainted runtimes...

Lies, damn lies, and statistics (0)

Anonymous Coward | about 4 years ago | (#33939040)

The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits

That's a lot of qualifiers in that statement. Four of them, in fact. They are "commercial", "crimeware", "exploitation", and "kit".

Wow, Microsoft happens to have found one small segment of the malware market where a Microsoft vulnerability ISN'T the top money maker for malware authors.

They appear to have left out the "sold by purple gnomes on Tuesdays to fairies riding on pink ponies."

In Other News (1)

Fnord666 (889225) | about 4 years ago | (#33939072)

In other news, Microsoft profits were down somewhat this quarter. Sources at Microsoft cited an increase in overtime expenses as the cause.

Use Only HTML5/JavaScript (1)

smist08 (1059006) | about 4 years ago | (#33939108)

I think this speaks to the need to not run plug-ins in the browser. To only HTML/JavaScript. Ie don't allow the PDF plugin, don't allow Flash, don't allow Silverlight, don't allow Java Applets. All of these proprietary plug-ins cause all kinds of security problems. They have proven to be a bad idea. I think Steve Jobs is on the right track banning them from the iPhone/iPad.

stop bundling toolbars with security updates!!!! (0)

Anonymous Coward | about 4 years ago | (#33939260)

Then people would update more often without the worry of installing some additional (spy|crap)ware.
Pre-checked toolbar installers should NEVER be included with security updates, especially monthly ones, and any company that does so should be publicly chastised (or just plain sued).
I guess Oracle isn't the successful billion-dollar company we thought it was if they have to resort to installing bottom-of-the-barrel shitty toolbars (which are a nightmare in a corporate environment) for whoever pays them the most; dignity isn't even a consideration.

I think the best for everyone concerned is we simply remove Java from all machines
and stop supporting/recommending it as a platform, same as Adobe's horrible Acrobat products.
The numerous security flaws and general incompetence of these companies now outweigh the benefits of using their products. It's just easier to remove it permanently and not worry that 10,000 desktops now have some random advertising company's toolbar spying on them than deal with the 3 users that actually need the products' specific features in the first place.

Ironically it's in the C-written part of the JVM (0)

Anonymous Coward | about 4 years ago | (#33939298)

In a not-so-unexpected twist, all the buffer overflows leading to remote code execution are present... In the C-written part of the JVM/APIs.

Which is honestly, kinda very lol.

So far there has not been a single buffer overflow targeting pure Java code because, well... The Java specs simply make this impossible (or the hypothetical JVM that would be affected wouldn't be complying with the Sun/Oracle Java specs and hence wouldn't be a "JVM").

So, yup, once again... Buffer-overflow in C-written code. Film at 11.
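The point of the comment above, that the bugs live in the native (C) side of the runtime where nothing enforces array bounds, is illustrated by the following added example. It is not code from the thread or from any JVM; the function names and the 32-byte argument buffer are assumptions for the demonstration. The unchecked copy is the defect pattern (the destination size is not part of the interface, so an over-long argument from the caller writes past the buffer), and the checked copy is the form a native argument parser should take: the destination size travels with the pointer and over-long input is rejected, which is the behaviour the JVM gives Java code for free by throwing ArrayIndexOutOfBoundsException.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARG_MAX 32   /* assumed size of a fixed native argument buffer */

/* Defect pattern: the native side trusts the caller to keep src short.
 * Nothing here knows how big dst is, so a longer src writes past its end.
 * The demo and test only ever call this with input that fits. */
int copy_arg_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
    return 0;
}

/* Hardened pattern: the destination size is part of the interface and an
 * over-long argument is refused rather than silently truncated or copied.
 * Returns 0 on success, -1 when src would not fit (including its NUL). */
int copy_arg_checked(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        return -1;                     /* would overflow: reject the input */
    }
    memcpy(dst, src, n + 1);           /* n + 1 copies the terminating NUL */
    return 0;
}

/* Models a native entry point that receives an argument string from the
 * managed side and stores it in a fixed-size stack buffer.
 * Returns 1 if the argument was accepted, 0 if it was rejected. */
int accept_arg(const char *src) {
    char buf[ARG_MAX];
    return copy_arg_checked(buf, sizeof buf, src) == 0;
}

int main(void) {
    /* constructed sample inputs: one that fits, one far too long */
    const char *short_arg = "file:///tmp/a.jar";
    char long_arg[200];
    memset(long_arg, 'A', sizeof long_arg - 1);
    long_arg[sizeof long_arg - 1] = '\0';

    printf("short argument accepted: %d\n", accept_arg(short_arg));
    printf("200-byte argument accepted: %d\n", accept_arg(long_arg));
    return 0;
}
```

The checked variant returns an error instead of truncating because a silently shortened path or URL is itself a bug (it may refer to a different resource); the caller decides whether to fail the request or report it.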
