
Java Zero-Day Vulnerability Rolled Into Exploit Packs

Unknown Lamer posted about 2 years ago | from the just-can't-win dept.


tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."

Oh Java... (-1, Troll)

AlphaBro (2809233) | about 2 years ago | (#42547091)

At this point does any tech savvy user still have the Java Runtime Environment installed? These days it doesn't seem to be good for much beyond extremely reliable arbitrary remote code execution.

Re:Oh Java... (4, Insightful)

medv4380 (1604309) | about 2 years ago | (#42547195)

It would be very difficult to cull Java in an Enterprise environment that was built on it even if you wanted to. Convincing your Boss that you have to redevelop the entire system just to do it would also be a difficult task.

Re:Oh Java... (4, Insightful)

Nerdfest (867930) | about 2 years ago | (#42547363)

Why would you not develop systems in it, or rewrite existing ones? Just stop using the ridiculous browser plug-in. It's the new ActiveX.

Re:Oh Java... (1)

medv4380 (1604309) | about 2 years ago | (#42547455)

Because some people deployed the applications using Applets and WebStart so just getting rid of it becomes a bit of an issue.

Re:Oh Java... (0)

Anonymous Coward | about 2 years ago | (#42547689)

Java isn't just applets.
Entire application servers run on J2EE ( JBoss, Glassfish, WAS to name a few ).
In this case the exploit is related to applets, but what if there was a zero day in say, the implementation of java.net.ServerSocket ?

Well, I guess that just means patching all the application servers with a hotfix. There goes my vacation.

Re:Oh Java... (4, Informative)

Anonymous Coward | about 2 years ago | (#42547415)

If you use IE you can disable Java for all sites except the "enterprise ones". Even on IE6 - assuming an Enterprise environment typical of the sort you are talking about ;).

Re:Oh Java... (5, Informative)

gstoddart (321705) | about 2 years ago | (#42547225)

At this point does any tech savvy user still have the Java Runtime Environment installed?

Sure, but I have No Script installed to keep it from running except when I need it to.

Sadly, I find myself needing Java for a lot of work related stuff. I even have a couple of machines that still have Flash on them because it's occasionally called for.

In the real world, you can't always get away from using it since there's always some company required thing you need to access -- but that doesn't mean I'm prepared to let it run by default on just any web site.

Hell, a lot of the tools I need to run daily for work are in Java.

Re:Oh Java... (0)

Anonymous Coward | about 2 years ago | (#42547441)

I disable the Java plugin in all browsers except one; for that one I leave the 64-bit JRE installed. Since there's only one 64-bit browser, clearly I'm talking about MSIE, the browser you usually don't want this crap to run in. Blame Google and Mozilla.

Re:Oh Java... (1)

GameboyRMH (1153867) | about 2 years ago | (#42547865)

Don't forget 64-bit Firefox.

Re:Oh Java... (1, Funny)

0123456 (636235) | about 2 years ago | (#42548649)

Don't forget 64-bit Firefox.

Or all the other 64-bit browsers.

Oh, I just realised he's running on that wacky Windows thing, where the OS is 64-bit but 99% of apps are still 32-bit.

Re:Oh Java... (3, Informative)

molotov303 (182638) | about 2 years ago | (#42548123)

I don't know why it isn't enabled by default, but Firefox has a click-to-play plugins option that should dramatically reduce the exposure to exploits like this. So NoScript isn't required.

about:config
plugins.click_to_play = true

Re:Oh Java... (1)

gstoddart (321705) | about 2 years ago | (#42548255)

Noscript also stops most JavaScript, which is another potential source of nuisance.

I prefer to have everything blocked and controllable by default, if I want it, I'll run it -- otherwise, your flashing monkey isn't going to happen.

Re:Oh Java... (1)

binarylarry (1338699) | about 2 years ago | (#42547255)

This isn't a flaw in the runtime but the browser plugin.

Re:Oh Java... (5, Informative)

robmv (855035) | about 2 years ago | (#42547813)

and the latest Java 7 update added features to disable Java applets and JNLP from browsers, that way if you need Java for an application like Eclipse, but don't need Java on the browser, you can secure yourself

Re:Oh Java... (5, Insightful)

Mathematiker (2759663) | about 2 years ago | (#42547285)

You know the difference between a browser plugin and the JRE?

Do you really think that having eclipse or matlab installed on your computer (both contain a JRE) makes it magically vulnerable?

Re:Oh Java... (2)

gl4ss (559668) | about 2 years ago | (#42547287)

my bank requires it.

most browsers today though ask per page if you want to run it, don't they? at least firefox does..

Re:Oh Java... (1)

TheLink (130905) | about 2 years ago | (#42547515)

Create a browser instance/profile solely for your banking. Then configure the browser to have everything off except for your bank's URLs.

My normal browser runs as a different user from my logged in user account. My bank browser runs as yet another user. So pwning my normal browser still requires a privilege escalation to affect my main user account or my banking stuff.

My main account has access to the files and folders of the normal browser account. But not the other way around.

Re:Oh Java... (0)

The MAZZTer (911996) | about 2 years ago | (#42547319)

If you play Minecraft you need Java installed.

Re:Oh Java... (1)

Luuseens (1422579) | about 2 years ago | (#42547543)

False. You don't need the Java browser plugin for Minecraft, only the JRE.

Re:Oh Java... (1)

peppepz (1311345) | about 2 years ago | (#42547679)

Which is what AlphaBro wanted us to uninstall.

Re:Oh Java... (0)

Anonymous Coward | about 2 years ago | (#42547697)

Did he say you needed the browser plugin?

Can any of you idiots with 7-digit ids even fucking read?

Re:Oh Java... (3, Informative)

DickBreath (207180) | about 2 years ago | (#42547739)

> > If you play Minecraft you need Java installed.

> False. You don't need the Java browser plugin for Minecraft, only the JRE.

His statement is true. Having the JRE installed is having Java installed. It is correct that the browser plugin is unnecessary. But his original statement is entirely correct.

Re:Oh Java... (1)

ByOhTek (1181381) | about 2 years ago | (#42547341)

I do. I administrate/develop for/run a server that is built on java :-(

Also, anyone who plays Minecraft would have it installed.

Re:Oh Java... (5, Insightful)

Bill_the_Engineer (772575) | about 2 years ago | (#42547585)

At this point does any tech savvy user still have the Java Runtime Environment installed?

At this point, doesn't any tech savvy user know the difference between the Java Runtime Environment and the Java Browser Plugin? Just disable/remove the plugin.

WebEx (0)

Anonymous Coward | about 2 years ago | (#42547639)

...is one of the few really good Java apps. But I certainly suggest disabling Java except for these occasions. It is clearly a major security risk if "on by default".

Re:Oh Java... (1)

peppepz (1311345) | about 2 years ago | (#42547735)

Many tech savvy users write Android applications, for instance. Others play Minecraft. Others contribute to OpenStreetMap. Others even use the Netbeans IDE, lazy them.

Re:Oh Java... (2)

snemarch (1086057) | about 2 years ago | (#42547767)

Sure, I have the JRE installed on my work laptop - but I sure as hell don't have the browser plugin installed. Nor Flash, nor Adobe PDF. When I need Flash, I fire up Chrome for that particular site. When I need Java (which we Danes sadly do for online banking and government interaction), I fire up a virtual machine image dedicated just for that.

And my main browser, Firefox, has NoScript, AdBlock Plus, Ghostery and Certificate Patrol (any more addons I should know about?), on my work laptop as well as my own machines. But I digress. JRE: not a problem in and of itself. Just stay well clear of the browser plugin. And Flash. And Adobe PDF.

Just remove Java and get it over with (2, Insightful)

Tridus (79566) | about 2 years ago | (#42547101)

At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.

If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.

It sucks more in the corporate world, where there's a lot more Java and thus no easy answer for the security problems that plague it. But for home users? Just remove it and make your life easier.

Re:Just remove Java and get it over with (2)

nebulus4 (799015) | about 2 years ago | (#42547187)

Easy for you to say. Here in Norway we are required to have it to do online banking :(

Re:Just remove Java and get it over with (0)

Anonymous Coward | about 2 years ago | (#42547459)

Either setup one browser for banking then, or disable java except when you're doing online banking?

Re:Just remove Java and get it over with (0)

Anonymous Coward | about 2 years ago | (#42547595)

I am running Ubuntu 10 LTS and Firefox comes with QuickJava, which allows you to enable and disable Java, Flash and JS by clicking a single button. I normally disable everything except JS.

Re:Just remove Java and get it over with (1)

nebulus4 (799015) | about 2 years ago | (#42547743)

Well, Firefox now comes with click-to-play feature so you can activate plugins on demand or white-list sites. Opera has it too. But it's not the point, OP was talking about removing the whole thing and it's just not an option.

Re:Just remove Java and get it over with (1)

snemarch (1086057) | about 2 years ago | (#42547835)

Same in Denmark - and we need it for .gov interaction as well. Remove the plugin from your primary browser, keep it in a secondary browser you launch just for Java stuff - and if you're slightly paranoid, keep that secondary browser in a virtual machine.

Re:Just remove Java and get it over with (-1)

Anonymous Coward | about 2 years ago | (#42547253)

That and those "Open Source" programs that are unfortunately coded in Java by lazy developers... e.g. Eclipse, Netbeans, OpenOffice etc.

Re:Just remove Java and get it over with (1)

snemarch (1086057) | about 2 years ago | (#42547845)

None of those rely on the Java browser plugin - which is what gets you pwzned. Having JRE installed isn't a problem as long as you get rid of the browser plugin.

Re:Just remove Java and get it over with (1, Flamebait)

medv4380 (1604309) | about 2 years ago | (#42547323)

Copy the JRE folder into the Minecraft folder and write a batch file to launch it. Then Kill Java. Works for some enterprise environments too, but not all. All Browsers should block Java. Applets are nothing but plague rats now, and should be burned with fire.

Re:Just remove Java and get it over with (1)

binarylarry (1338699) | about 2 years ago | (#42547379)

Yeah because why have one out of date runtime when you could have dozens of out of date runtimes!

Re:Just remove Java and get it over with (1)

medv4380 (1604309) | about 2 years ago | (#42547593)

You'd rather have an Up-to-date JRE with major vulnerabilities sitting exposed via your Browser? I'd take the chance of an Out-of-date JRE sitting in a folder that's only used for Minecraft when I'm running it to Any of Them sitting exposed on a Browser.

Re:Just remove Java and get it over with (0)

Anonymous Coward | about 2 years ago | (#42547331)

As someone who makes a living writing code in Java, I couldn't agree with you more. Java applets are a thing of the past and should be avoided, and there is no reason to run or install the Java browser plugin.

Java has found a nice niche server-side and in enterprise middleware, but is almost non-existent client side, and as you said those few client side Java programs (like Minecraft) don't need the browser plugin.

Re:Just remove Java and get it over with (2)

TubeSteak (669689) | about 2 years ago | (#42547345)

If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.

This has been my situation for the last few years (though not for Minecraft).
Adobe's Flash/Shockwave more or less killed Java for the average user.

/the mass of exploits that is flash makes for another conversation entirely

Re:Just remove Java and get it over with (2, Informative)

edxwelch (600979) | about 2 years ago | (#42547375)

Please, stop the FUD already. All the security holes have been accessed via the Java browser plugin, so just disabling the plugin is enough... and while you're at it, disable the .NET browser plugin. Just as many security holes have been found in that component as in Java.
There is no need to uninstall the JRE (if you have Java installed on your system, then you probably need it for something).

Re:Just remove Java and get it over with (4, Informative)

DigiShaman (671371) | about 2 years ago | (#42547527)

Ya, and when the next JRE update prompts the user to install from the system tray, the browser plugin gets re-enabled (re-installed really).

Re:Just remove Java and get it over with (1)

edxwelch (600979) | about 2 years ago | (#42547991)

Unfortunately, you are right. Updating Java re-enables the plugin (very bad :( ). However, Firefox seems to know that the plugin has a security hole and disables it.

Re:Just remove Java and get it over with (0)

Anonymous Coward | about 2 years ago | (#42547389)

But... but... Javascript is used all over the Web. You'd break almost everything if you uninstalled Java!

[Typical mid-competency-know-it-all user response to the suggestion to uninstall Java.]

Re:Just remove Java and get it over with (3, Funny)

Minwee (522556) | about 2 years ago | (#42547427)

But... but... Javascript is used all over the Web. You'd break almost everything if you uninstalled Java!

I see. Have you tried turning it off and on again?

Is it definitely plugged in?

Re:Just remove Java and get it over with (4, Funny)

DickBreath (207180) | about 2 years ago | (#42547833)

Support: Have you tried pushing the 10 key?
Customer: The 10 key? Do you mean F10?
Support: No. The 10 key is a black rocker on the back of the computer with a 1 and a 0. Pushing that will make your computer secure.

Re:Just remove Java and get it over with (0)

Anonymous Coward | about 2 years ago | (#42547401)

There are a number of java programs that I regularly use, and they have no real alternatives (that don't suck).

The problem isn't Java per se (although I respect the efforts to sandbox it, we all know that's a losing game), but rather that anyone would be crazy enough to allow a web browser to run processes with user level privileges. I blame it primarily on the historical tendency of adding functionality to webpages by relying on plugins; it's inherently insecure design.

captcha: Apology

Re:Just remove Java and get it over with (0)

Anonymous Coward | about 2 years ago | (#42547467)

Really? Java isn't needed on home user systems?

http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html

Pretty sure those apps aren't just in the corporate world.

Re:Just remove Java and get it over with (1)

Tridus (79566) | about 2 years ago | (#42547693)

You take the TIOBE numbers to mean anything whatsoever? Interesting.

If you actually have something that uses Java on your home machine (though most users don't), disable the browser plugin. That solves the problem, assuming Java's updater doesn't go and turn it back on.

Re:Just remove Java and get it over with (1)

SplashMyBandit (1543257) | about 2 years ago | (#42548025)

You take the TIOBE numbers to mean anything whatsoever? Interesting.

The TIOBE numbers are considered approximate, yet you fail to provide any alternative numbers and scoff at the approximation. Java rules the Enterprise, many development tools, and some games (IL-2, Minecraft, Take on Helicopters, the upcoming Arma3). The Java browser plugin may be as problematic as Flash or the .NET plugin (Silverlight), but the Java Runtime Environment (JRE) itself is solid and very, very fast (which is why many developers, myself included, prefer Java to alternative development platforms).

So please, enlighten us with your numbers showing Java usage is negligible. You can't. Perhaps it's just that you think computing is your desktop only, yes? Well, there's a huge amount of computing (e.g. the Enterprise) that the average Joe doesn't see or hear about (because enterprises don't always talk about their competitive advantages) - and a lot of that is Java.

Re:Just remove Java and get it over with (3, Insightful)

Bill_the_Engineer (772575) | about 2 years ago | (#42547497)

While we are at it let's get rid of Python and Ruby, which are associated with web exploits in recent news (the Ruby SQL injection being the latest). It would make more sense to say "Just remove Java plugins".

Don't punish an entire language because of a bad implementation of a function that either uses the language or extends the language into where it really isn't needed anymore.

Re:Just remove Java and get it over with (1)

hawkinspeter (831501) | about 2 years ago | (#42547607)

There's a more interesting Ruby exploit (http://www.securityfocus.com/bid/57187) that allows remote command execution.

Re:Just remove Java and get it over with (2)

Bill_the_Engineer (772575) | about 2 years ago | (#42547719)

Thanks! It would be more accurate to call it a "Ruby on Rails" exploit, since just because it uses Ruby doesn't make it Ruby's fault, which is the point of my parent post.

Re:Just remove Java and get it over with (3, Insightful)

SplashMyBandit (1543257) | about 2 years ago | (#42548183)

...and get rid of C and C++ for all their buffer overrun holes. Oh, and let us also get rid of Javascript while we're at it for all its exploits. Then we'd better shut down Silverlight/C# as well (http://www.cvedetails.com/product/19887/Microsoft-Silverlight.html?vendor_id=26). By the same measure we'd better ditch our operating systems too (http://www.cvedetails.com/vendor/26/Microsoft.html).

So what do we have left after scorching the earth? Nothing? They're all vulnerable and all need to be maintained and patched. Java is not alone and not really any worse than any other technology.

Or instead we could get real and demand that browsers fix their plugin model and run plugins with almost no privileges, ya know, as Unix/Linux does for services. That way the inevitable security holes are not catastrophic as they are now, and we don't have to do "denial of service" on ourselves by removing useful tools and technologies.

Nice (-1)

Anonymous Coward | about 2 years ago | (#42548453)

...how you defend the absolutely lazy and ignorant approach of Oracle. Everybody is as crappy as Oracle and M$. The Law Of Bill And Larry, I suppose.

Are you a $hill, by chance ?

Re:Just remove Java and get it over with (1)

girlintraining (1395911) | about 2 years ago | (#42547565)

At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.

It's used on a lot of websites to launch various games and applets to do things like search a database of parts. The same argument could be used for ActiveX controls and yet, you can't go online for very long without running into someone's website that uses it.

But for home users? Just remove it and make your life easier.

It'd be better to use something like NoScript to control access to it. I pair it with other plugins that prevent cross-site scripting, as most of these exploits take advantage of advertising link-ins to popular websites.

Re:Just remove Java and get it over with (0)

Barlo_Mung_42 (411228) | about 2 years ago | (#42547615)

Minecraft.

Re:Just remove Java and get it over with (1)

Tridus (79566) | about 2 years ago | (#42547701)

Which was specifically mentioned in the comment you're replying to. Awesome attempt at reading comprehension though!

Re:Just remove Java and get it over with (0)

Anonymous Coward | about 2 years ago | (#42548621)

Remove Java? How arrogant, myopic and presumptuous of you to think that home users have no legitimate use for Java, Mr know-it-all.

Java Web Start (0)

Anonymous Coward | about 2 years ago | (#42547167)

Is this exploit possible via Java Web Start, or only applets?

LOL (0)

Anonymous Coward | about 2 years ago | (#42547221)

But Java is supposed to prevent all these security issues according to its evangelists! Seems to be meaningless when its own JVM is a threat vector. Apparently the JVM writers fail at writing secure code. Throw Java on the trash heap and be done with it. Even Flash Player has fewer vulnerabilities. And that's really saying something when your software is less secure than shit that Adobe puts out.

Re:LOL (0)

Anonymous Coward | about 2 years ago | (#42547897)

It's also unfortunate that Java developers have been unable to find a way to force AC's to actually RTFA and understand it.

Miscreant? (0)

Anonymous Coward | about 2 years ago | (#42547243)

The repetitive use of miscreant in TFS begs the question: aren't there more modern pejoratives that might be applied here? You know: blackguard, knave, footpad, malefactor, cad, ...

Re:Miscreant? (0)

Anonymous Coward | about 2 years ago | (#42547437)

Yes: mendicant and buffoon?

Best practices? (0)

Anonymous Coward | about 2 years ago | (#42547247)

INTERNET SURFERS: Configure your browser(s) not to run scripts and remove all instances of Java - congratulations, you're almost safe to browse the internet now, but have you updated your Flash player, Windows and all your non-Windows software? ...there are programs out there that can scan your machine to alert you of out-of-date software. I seem to remember the Trend Micro online scanner doing this, but you needed Java to run it! I know there are others but I can't name them... just use legitimate ones and don't just ask Google to look for antivirus 2013 lol.

Paunch? (1)

Big Hairy Ian (1155547) | about 2 years ago | (#42547249)

There's a hacker called Paunch? You are Kevin Smith and I claim my five pounds!

How has the exploit maker gone unfound? (4, Insightful)

Wokan (14062) | about 2 years ago | (#42547275)

Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?

Re:How has the exploit maker gone unfound? (3, Interesting)

durrr (1316311) | about 2 years ago | (#42547347)

Follow the money and you probably find that various three letter agencies are his main customers.

Re:How has the exploit maker gone unfound? (2)

Mathematiker (2759663) | about 2 years ago | (#42547383)

Is finding a bug and writing an exploit for it illegal yet?

Re:How has the exploit maker gone unfound? (1)

hawkinspeter (831501) | about 2 years ago | (#42547643)

It depends on where in the world you are and who your friends are.

Re:How has the exploit maker gone unfound? (3, Insightful)

i kan reed (749298) | about 2 years ago | (#42547393)

The mechanism that keeps his clients from cheating him is presumably the same mechanism that operates in every black market. Threat of retaliation. As for why they don't just follow the money, my guess is that it goes through some completely unregulated bank with a quickly opened then closed account for each transaction, in combination with hush money to appropriate government officials.

Two Words (0)

Anonymous Coward | about 2 years ago | (#42547841)

Bitcoin, TOR.

Re:How has the exploit maker gone unfound? (2)

CanHasDIY (1672858) | about 2 years ago | (#42547405)

Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down?

Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know.

If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

Re:How has the exploit maker gone unfound? (2)

Bill_the_Engineer (772575) | about 2 years ago | (#42547671)

Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know. If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

Explain laws against selling drug paraphernalia, subsections of the DMCA, or consumer protection against malware laws in several states like California, Arizona, Indiana and others...

Re:How has the exploit maker gone unfound? (1)

DarkOx (621550) | about 2 years ago | (#42548217)

One could argue that, as packaged, what he is selling amounts to the digital equivalent of criminals' tools. There absolutely are laws that bar you from selling tools specifically designed for criminal use. That is why it's hard to get lock pick sets etc. in many places.

There are plenty of ways to publish the info to anyone in the security community without assembling a nice script kiddy / petty criminal ready tool to go cause mayhem with. Yes, if you give me a white paper that describes the resulting offsets you got from the fuzzer you wrote, and some memory locations large enough for shell code, I can put together a C program in moments to do something nasty, as can tens of thousands of others, but that is the risk of living in a free society. Odds are pretty good that, by not passing out binaries, you have raised the bar enough that the folks who can use the information for evil have other economic opportunities.

Duct tape, a short baton, a party mask, a toy or real pistol are all things that are perfectly legal to sell by themselves. I bet the local DA will do something about you pretty quickly if you put them all together in one box labeled "Rape Kit" and attempt to market them though.

You Are the Local Government $hill Here ? (0)

Anonymous Coward | about 2 years ago | (#42548547)

This guy is doing everybody a service, because he openly sells exploits. He demonstrates what kind of royal crap Java actually is. Then, there is freedom of speech. There are people who do not believe in the infinite wisdom and power of government.

Does the guy kill, rape or maim ? No he does not. He demonstrates how insanely crappy a certain piece of software is. Something to be defended against government meddling - I am quite positive.

But, I will be nice to you Mr $hill and ask you what would happen if we outlawed his activity: Chinese intelligence would silently use Java to subvert thousands of critical computers worldwide. So would the Russian Mafia do.

This guy ensures people simply deinstall or disable this abomination called Java. Thank God this man exists and does his business !

Re:How has the exploit maker gone unfound? (5, Interesting)

Nerdfest (867930) | about 2 years ago | (#42547407)

There's a person finding exploits for $10,000 per month and Oracle, Microsoft and Adobe don't subscribe to it? That's just silly.

Re:How has the exploit maker gone unfound? (0)

Anonymous Coward | about 2 years ago | (#42547557)

There exist several companies who do this. "Weaponizing" is illegal, though, except if you are authorized by government, of course. See StuxNet.

Re:How has the exploit maker gone unfound? (1)

DarkOx (621550) | about 2 years ago | (#42548055)

I have been wondering this ever since this guy surfaced. My assumption now is that he is an FBI honeypot. They don't mind letting a few actual Java/Webstart vulns into the wild to give them credibility because they (the FBI) are

1. not really in the business of protecting the ordinary citizen.

2. secretly at least of the mostly correct opinion that any assets put at risk by these vulns are either controlled by those up on these things, capable of working around the issues and securing them anyway, or operating systems riddled with so many other unmitigated vulnerabilities that it's mostly irrelevant from a security posture standpoint.

It's all more valuable to them to passively watch what sort of organized crime folks appear out of the woodwork.

Re:How has the exploit maker gone unfound? (1)

Anonymous Coward | about 2 years ago | (#42548635)

I do think you are overestimating the intelligence of FBI personnel by a large degree. They simply don't give a shit because the guy actually doesn't do anything criminal. His customers might, but the same can be said about sellers of fertilizer.
They are after people who use fertilizer to build diesel-fertilizer bombs, though. And certainly after people who use viruses for criminal activity such as collecting CC numbers and account details. But they are also realistic and know that 50% of Windows PCs worldwide are already infested by dozens of viruses. So... what?

Safer browsing (2)

ArcadeMan (2766669) | about 2 years ago | (#42547353)

Disable Flash and Java. Most websites with video will work fine, even if some require to change your user-agent to "iPad".

What do you mean, your browser can't display H.264 natively? Get a real browser.

The bigger surprise... (1)

Last_Available_Usern (756093) | about 2 years ago | (#42547487)

The Java exploit is much less surprising to me than how casually we include the fact that this guy (and others) are selling exploit kits online. I remember when stuff like this used to be so underground you had to "know someone who knew someone" to find it. Perhaps what he's selling isn't technically illegal, but it's still surprising to read.

Here's A Real Programming Language (1)

Anonymous Coward | about 2 years ago | (#42547517)

Sappeur:

+ Memory Safe
+ No VM
+ No GC but reference-counted smart pointers
+ extremely quick startup times (down to 10ms)
+ almost all C and C++ style high-performance features such as stack allocation, value arrays, destructors available
+ memory safe even for multithreaded applications
+ destructors
+ RAII

http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/doc/SAPPEUR.pdf?format=raw

http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/

Is it 100% delivering the security it promises? Probably not at this point, but my guess is that with the same amount of engineering work as has been put into the JVM, Sappeur could be almost 100% delivering the advertised security. It is actually a quite simple concept.
Currently, it is in the proof-of-concept stage.

Re:Here's A Real Programming Language (1)

SplashMyBandit (1543257) | about 2 years ago | (#42548309)

- no standard networking library.
- no standard UI library.
- no standard Web library or application servers.
- no standard memory/CPU profiler (JVisualVM r0x0r!!!)
- no standard database access.
- no standard dependency injection framework.
- no standard XML handling framework.
- no standard logging framework.
- no standard way to integrate with LDAP/Active Directory
- compiles to C++ so requires porting to every destination platform.
- ... etc

It is the libraries that matter, not the language. Add libraries and you get hugely increased functionality and productivity, but unfortunately some security holes also creep in as different parts interact (this is true for any development language). I'd rather take the productivity, thanks.

Re:Here's A Real Programming Language (0)

Anonymous Coward | about 2 years ago | (#42548583)

- compiles to C++ so requires porting to every destination platform.

Because Java programs work on different platforms through magic rather than having to port the JVM to each of the platforms? Also, it is nonsense to say that a C++ program needs porting to each platform. I write complex Qt apps that need ZERO source porting between platforms.

cluelessness of slashdot (0)

Anonymous Coward | about 2 years ago | (#42547561)

Of course you need Java (JRE). More so on servers. Of course you don't need the Java plugin, which is the only thing that has security issues. Clueless "security researchers" feeding bad info to clueless consumers.

Re:cluelessness of slashdot (0)

Anonymous Coward | about 2 years ago | (#42547627)

Of course you need Java (JRE).

For what exactly? Name a single piece of irreplaceable Java software for the average home user.

Re:cluelessness of slashdot (2)

SplashMyBandit (1543257) | about 2 years ago | (#42548379)

Name any piece of irreplaceable software for any user. Windows? nope, not for Mac users or Linux users. Firefox? not for Chrome users. The only irreplaceable software is based on C, but customers don't need to be aware of that. There are plenty of great Java programs out there that are without peer for users that need them (which doesn't happen to include you). So your argument is bunk - you just made it because you don't like Java - but you are lacking the insight to see that your argument extends to all software technologies (with the exception of C, which is pretty much core to all systems). So get real, eh? Java has plenty of uses - unless all you do all day is consume web content like Facebook and make mindless statements as an AC on Slashdot.

Re:cluelessness of slashdot (0)

Anonymous Coward | about 2 years ago | (#42548443)

There are plenty of great Java programs out there that are without peer for users that need them

Such as...? Notice how I asked for examples not more hand-waving assertions.

Why does Slashdot glorify hackers? (5, Insightful)

GodfatherofSoul (174979) | about 2 years ago | (#42547631)

These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!

Ask Mr Gosling (0)

Anonymous Coward | about 2 years ago | (#42547723)

If that guy had been a real engineer as opposed to something else, this thing would have never been this bag of fleas.

But hey, robustness is not hip. Let's deliver 1001 "standard library classes" and give shit about security. Make it complex as hell, because That's Cool !!

Instead they set up all sorts of cool crap-processes such as the "JCP" and pile more poo on their already sizeable craphill. These guys never understood what really matters, namely reliability and quality. I take a reliable, old Pascal compiler any time over a fancy bag of fleas with all sorts of "cool" features. And yes, I did some serious Java time. Now I am back to C++ for work.

Re:Ask Mr Gosling (0)

Anonymous Coward | about 2 years ago | (#42547825)

I work in cellular. For several years I did all of the real-time, call processing work in C. Never had a problem. Since I had no bugs left to fix they moved me on to working on the billing/provisioning stuff. It's all in Java and a complete disaster. Many of the people working on it don't want to do it in Java (opting for something a little less complex) but management insisted on Java.

I don't think a great majority of people who write in Java don't want to. The language and architecture have lots of problems. But people often don't understand that a de facto standard in software doesn't often work well.

Sigh.

Well (0)

Anonymous Coward | about 2 years ago | (#42547993)

In the world of MBAs they want CHEAP developers. How do they get that? Use a "simple" language many people are fluent in. That's Java.

What the MBAs will never grasp is that "cheap" is only cheap in the short run. In the long run, using Java means buying whopping amounts of hardware and attracting lots of Junior and generally crappy developers. In the long run, investment into expensive C++ developers and their more expensive development efforts pays off nicely. These people know that the "new" operator comes at a price and use it wisely. Just as an example.

Now, I am a C++ guy, so maybe I am not objective on this. I am confident the darwinism of the market will sort this out. Let's see.

There are 2 archetypes of bad Java coders (3, Insightful)

Anonymous Coward | about 2 years ago | (#42548405)

I have been coding in Java for quite a long time and there are essentially two archetypes of very crappy coders:

1) The people who don't have what it takes to be a decent engineer (in any language) and are just creating horrible crap because that's the only thing they were taught in college.

2) The people who "Would rather be coding something else". Often (but not always) somewhat older engineers who might not have had any education in Java, and any understanding they do have (whether it's from formal education or from having read half a book a decade ago) is horribly outdated and incomplete. They stubbornly insist that if some of the architectural structures that they learned decades ago for different types of applications and for different environments end up creating a bad Java application, Java is to blame.

The first archetype is useless but harmless: they write bad code but do so very slowly and don't dare to touch anything that looks intimidating, which means they generally can't screw anything important up. The second archetype is who I immediately blame whenever I get a "WTF was someone thinking?" moment when looking at some major design decision.

Setting browser preferences is enough (0)

Anonymous Coward | about 2 years ago | (#42547815)

In Opera Preferences you can set that any plugins should only start after you explicitly click on the rectangle in which they appear. Chrome by default prompts the user before running Java applets. Internet Explorer 9 by default enables installed add-ons everywhere, but you can remove the "*" from the list of allowed sites, and after that it prompts before it runs that plugin. I have not found a solution for Firefox yet.

There is one sure way to keep your computer safe. (0)

Anonymous Coward | about 2 years ago | (#42547983)

The IT department would like you to no longer turn on your computer, to protect you from harmful viruses. We are going to come around over lunch and install a safety device (by drilling a hole through your CPU / Disk). After the install you will be safe to use your computer as you see fit.

A "license" or a "copy/key"? (0)

Anonymous Coward | about 2 years ago | (#42548057)

How can a _license_ for an exploit kit cost anything? A license is a legal term, and I would expect that you can't enforce a license for an exploit kit, neither from the position of the buyer nor of the seller.

It's like saying that the Mafia gives out licenses for blackmail.

SlashVertisement much (0)

Anonymous Coward | about 2 years ago | (#42548161)

no more please

java is shit (-1)

Anonymous Coward | about 2 years ago | (#42548271)

and if you use it you're a little bitch.

He needs got (2)

ThatsNotPudding (1045640) | about 2 years ago | (#42548425)

Folks like Paunch need to get got, if for no other reason than to remove a justification for governments around the world (China and the US getting closer to the same page every day) to regulate the Internet and render online anonymity a crime (all in the name of Snowflake Security, of course).