NEW: Java Zero-Day

Author	All Replies
redwolfe_98 Premium join:2001-06-11 kudos:1	NEW: Java Zero-Day »arstechnica.com/security/2013/03···targets/ Another Java zero-day exploit in the wild actively attacking targets Latest attacks used to surreptitiously install McRat trojan on victim machines. Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night. The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. The attack is triggered when people with a vulnerable version of the Java browser plugin visit a website that has been booby-trapped with attack code. FireEye researchers Darien Kindlund and Yichong Lin said the exploit is being used against "multiple customers" and that they have "observed successful exploitation." The security of Java is reaching near-crisis levels as reports of new in-the-wild exploits have become an almost weekly occurrence over the past few months. In the past several weeks, Facebook, Apple, and Twitter have all disclosed that their computers were compromised by exploits that were later linked to a developer website that itself had been hacked and turned into a platform for exploiting zero-day vulnerabilities in Java. Microsoft has also said its computers were hacked in a manner consistent with the same attack. Oracle says Java runs on three billion devices, although only Java browser plugins have been targeted in the string of exploits. According to FireEye, the observed exploit "is not very reliable, as it tries to overwrite a big chunk of memory." Most of the time, attackers succeed in downloading a malicious payload onto the targeted machine, but it fails to execute. A researcher from Russia-based antivirus provider Kaspersky confirmed the bug to IDG News but went on to say the vulnerability can't be triggered in older versions such as Java 7 Update 10. Kaspersky also said the attacks appeared to target specific individuals or organizations. While some may be tempted to install an older Java version to protect themselves against this latest exploit, readers should remember that attackers continue to exploit already patched bugs, too. Earlier this week, researchers discovered two additional vulnerabilities in Java. Neither one involves memory corruption, meaning they aren't the ones being exploited in the latest attacks, Adam Gowdiak, CEO of Poland-based Security Explorations, told Ars. As Ars has advised for months now, people who have no need for Java should consider uninstalling it altogether, uninstalling just the browser plugin, or using a dedicated browser for the handful of sites they frequent that require Java and a separate browser for accessing all other sites.
	to forum · permalink · 2013-03-01 21:02:19 ·

dib22 join:2002-01-27 Kansas City, MO	Shouldn't "New java attack discovered" just be made a sticky?
	to forum · permalink · 2013-03-01 21:05:33 ·
siljaline I'm lovin' that double wide Premium join:2002-10-12 Montreal, QC kudos:17 Reviews: ·Bell Sympatico 1 edit	reply to redwolfe_98 Ars article referred to in your: »Java: Same Old Same Old »Re: Java: Same Old Same Old
	to forum · permalink · 2013-03-01 23:27:25 ·
chachazz Premium join:2003-12-14 kudos:7	reply to redwolfe_98 New holes discovered in latest Java versions
	to forum · permalink · 2013-03-02 00:00:43 ·
siljaline I'm lovin' that double wide Premium join:2002-10-12 Montreal, QC kudos:17	»Re: New holes discovered in latest Java versions
	to forum · permalink · 2013-03-02 00:04:10 ·
jaynick lit up Premium join:2001-02-06 Sterling Heights, MI kudos:2	reply to redwolfe_98 looks like Oracle has former Swiss cheese makers developing their software.
	to forum · permalink · 2013-03-02 00:08:24 ·
swtnoob @optonline.net	rofl.....
	to forum · permalink · 2013-03-04 13:03:41 ·
Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN kudos:3 Reviews: ·Frontier Communi..	reply to redwolfe_98 Java seems well on its way to becoming a software reference standard... as in: "Program X's security is so bad, it's worse than Java, LOL" Once something (especially software) becomes a laughing-stock, it's usually game over. From here on, for Oracle, it's going to be increasingly a much steeper uphill climb... -- “The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville
	to forum · permalink · 2013-03-04 15:38:20 ·
Mister_E join:2004-04-02 Etobicoke, ON	reply to redwolfe_98 Looks like there's another new update to Java - JRE 7 update 17 is now available.
	to forum · permalink · 2013-03-04 16:00:27 ·
StuartMW Who Is John Galt? Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews: ·CenturyLink	reply to Blackbird Well the US has the National Debt counter. Perhaps Java needs a zero-day countdown timer (wouldn't need many digits). As in "This many minutes until the next exploit". -- Don't feed trolls--it only makes them grow!
	to forum · permalink · 2013-03-04 16:02:53 ·
StuartMW Who Is John Galt? Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews: ·CenturyLink	reply to Mister_E said by Mister_E: Looks like there's another new update to Java... Ok thanks. I've zeroed my zero-day countdown timer -- Don't feed trolls--it only makes them grow!
	to forum · permalink · 2013-03-04 16:09:17 ·
lawrence171 Evilly Yours - Evilness join:2001-12-24 Canada	reply to dib22 said by dib22: Shouldn't "New java attack discovered" just be made a sticky? Same with Flash, MSIE, Firefox, Safari, Chrome, and any popular piece of software -- What I used to be I no longer am... God, why can't you freeze time for my sake?
	to forum · permalink · 2013-03-04 21:54:54 ·
La Luna Survived Ashraful Premium join:2001-07-12 Warwick, NY kudos:3	said by lawrence171: Same with Flash, MSIE, Firefox, Safari, Chrome, and any popular piece of software None of them are as bad as Java.
	to forum · permalink · 2013-03-04 22:45:58 ·
lorennerol Premium join:2003-10-29 Seattle, WA	said by La Luna: said by lawrence171: Same with Flash, MSIE, Firefox, Safari, Chrome, and any popular piece of software None of them are as bad as Java. Adobe. I think the crappy developers that Oracle fires for writing exploit-ridden code are hired by Adobe to wreck Flash and Reader. The fix for the problem is to remove the law that exempts software companies from liability due to defects in their product. Can you imagine what the auto industry would be like if they had the same exemption?
	to forum · permalink · 2013-03-04 23:09:15 ·
norwegian Premium join:2005-02-15 Outback Reviews: ·WestNet Broadband	reply to redwolfe_98 said by redwolfe_98: Another Java zero-day exploit in the wild actively attacking targets I think I could safely say Oracle has out done Adobe; not a record they would want to hold for too long if they want to stay in business.
	to forum · permalink · 2013-03-05 05:13:52 ·

Broadband Tech > Security > Security > NEW: Java Zero-Day