redwolfe_98

NEW: Java Zero-Day

»arstechnica.com/security/2013/03···targets/

Another Java zero-day exploit in the wild actively attacking targets

Latest attacks used to surreptitiously install McRat trojan on victim machines.

Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night.

The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. The attack is triggered when people with a vulnerable version of the Java browser plugin visit a website that has been booby-trapped with attack code. FireEye researchers Darien Kindlund and Yichong Lin said the exploit is being used against "multiple customers" and that they have "observed successful exploitation."

The security of Java is reaching near-crisis levels as reports of new in-the-wild exploits have become an almost weekly occurrence over the past few months. In the past several weeks, Facebook, Apple, and Twitter have all disclosed that their computers were compromised by exploits that were later linked to a developer website that itself had been hacked and turned into a platform for exploiting zero-day vulnerabilities in Java. Microsoft has also said its computers were hacked in a manner consistent with the same attack. Oracle says Java runs on three billion devices, although only Java browser plugins have been targeted in the string of exploits.

According to FireEye, the observed exploit "is not very reliable, as it tries to overwrite a big chunk of memory." Most of the time, attackers succeed in downloading a malicious payload onto the targeted machine, but it fails to execute. A researcher from Russia-based antivirus provider Kaspersky confirmed the bug to IDG News but went on to say the vulnerability can't be triggered in older versions such as Java 7 Update 10. Kaspersky also said the attacks appeared to target specific individuals or organizations.

While some may be tempted to install an older Java version to protect themselves against this latest exploit, readers should remember that attackers continue to exploit already patched bugs, too. Earlier this week, researchers discovered two additional vulnerabilities in Java. Neither one involves memory corruption, meaning they aren't the ones being exploited in the latest attacks, Adam Gowdiak, CEO of Poland-based Security Explorations, told Ars.

As Ars has advised for months now, people who have no need for Java should consider uninstalling it altogether, uninstalling just the browser plugin, or using a dedicated browser for the handful of sites they frequent that require Java and a separate browser for accessing all other sites.



dib22

Shouldn't "New java attack discovered" just be made a sticky?



siljaline
I'm lovin' that double wide
reply to redwolfe_98

Ars article referred to in your:
»Java: Same Old Same Old
»Re: Java: Same Old Same Old



chachazz
reply to redwolfe_98

New holes discovered in latest Java versions



siljaline
I'm lovin' that double wide

»Re: New holes discovered in latest Java versions



jaynick
lit up
reply to redwolfe_98

Looks like Oracle has former Swiss cheese makers developing their software.



swtnoob

@optonline.net

rofl.....



Blackbird
Built for Speed
reply to redwolfe_98

Java seems well on its way to becoming a software reference standard... as in: "Program X's security is so bad, it's worse than Java, LOL." Once something (especially software) becomes a laughingstock, it's usually game over. From here on, for Oracle, it's going to be an increasingly steep uphill climb...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


Mister_E
reply to redwolfe_98

Looks like there's another new update to Java - JRE 7 update 17 is now available.



StuartMW
Who Is John Galt?
reply to Blackbird

Well the US has the National Debt counter. Perhaps Java needs a zero-day countdown timer (wouldn't need many digits).

As in "This many minutes until the next exploit".
--
Don't feed trolls--it only makes them grow!



StuartMW
Who Is John Galt?
reply to Mister_E

said by Mister_E:

Looks like there's another new update to Java...

Ok, thanks. I've zeroed my zero-day countdown timer.
--
Don't feed trolls--it only makes them grow!

lawrence171
Evilly Yours - Evilness
reply to dib22

said by dib22:

Shouldn't "New java attack discovered" just be made a sticky?

Same with Flash, MSIE, Firefox, Safari, Chrome, and any popular piece of software.
--
What I used to be I no longer am... God, why can't you freeze time for my sake?


La Luna
RIP Lisa

said by lawrence171:

Same with Flash, MSIE, Firefox, Safari, Chrome, and any popular piece of software

None of them are as bad as Java.

lorennerol

said by La Luna:

said by lawrence171:

Same with Flash, MSIE, Firefox, Safari, Chrome, and any popular piece of software

None of them are as bad as Java.

Adobe. I think the crappy developers that Oracle fires for writing exploit-ridden code are hired by Adobe to wreck Flash and Reader.

The fix for the problem is to remove the law that exempts software companies from liability due to defects in their product. Can you imagine what the auto industry would be like if they had the same exemption?


norwegian
reply to redwolfe_98

said by redwolfe_98:

Another Java zero-day exploit in the wild actively attacking targets

I think I could safely say Oracle has outdone Adobe; not a record they would want to hold for too long if they want to stay in business.