Security company knocks Oracle big time for not fixing problem completely when notified initially in Aug, 2012. And now says ransomware exploits are all Oracle's fault.
I use Firefox 18, which has Java blocked from running. If I absolutely need to run a Java app and completely trust the web site, I can open up an IE tab using an IE Tab addon to run it.
according to Security Explorations, the security firm responsible for identifying most of the latest Java vulnerabilities. Back in late August 2012, the company informed Oracle about the insecure implementation of the Reflection API, dubbed Issue 32, and Oracle released a patch for it in October 2012, but the fix wasnt a complete one.
The zero-day code would not work if Issue 32 was properly addressed, Security Explorations CEO Adam Gowdiak told Softpedia.
We sent Oracle additional Proof of Concept code for Issue 32 that illustrated this exploitation vector in Sep 2012.
Cool Exploit Kit (CEK), already included the latest Java exploit. Before we dive in to how CEK is already being used to push ransomware... CEK has been used to distribute ransomware before, but now its also using this latest Java vulnerability to do so. Trend Micro has detected the exploits in question as JAVA_EXPLOIT.RG and HTML_EXPLOIT.RG, as well as the ransomware payloads as Reveton (TROJ_REVETON.RG and TROJ_REVETON.RJ).
A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury.