redwolfe_98
Premium Member
join:2001-06-11

2 recommendations

redwolfe_98

Premium Member

Java Responsible For 93% Of Malware-Infections

according to "Cisco", vulnerabilities in "java" were responsible for 93% of the malware-infections that they have seen, in the first 6 months of 2014:

»www.pcworld.com/article/ ··· own.html

we don't hear much, these days, about how bad it is to have "java" installed..

cableties
Premium Member
join:2005-01-27

1 recommendation

cableties

Premium Member

Double whammy: Windows and Java

goalieskates
Premium Member
join:2004-09-12
land of big

8 recommendations

goalieskates to redwolfe_98

Premium Member

to redwolfe_98
Funny how I run Java and have no infections. So I guess the problem couldn't possibly be anything else out of a zillion variables, it "must be" Java, right?

Like the old saying goes, figures lie and liars figure.

beck
MVM
join:2002-01-29
On The Road

1 recommendation

beck to redwolfe_98

MVM

to redwolfe_98
Well, I just don't believe this. Some friends must be the other 7% since they are infected all the time and don't have java on their system. Or flash either. Or Office. Or even Adobe Reader. Yet they get infected.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

It is called downloading and installing without regard to security. If I created a rootkit or malware for Linux and can convince a person to install it and use some social engineering to get them to click through all warnings etc., they will get nailed just as fast as anyone else.

Malware of all types relies more on end users' bad habits and/or outright stupidity to get installed. All software is made by people who are fallible; it is in our nature. That code will reflect that fact about us. Be that Java, Flash, Silverlight, ActiveX, HTML, VRML, ASC, ASM, you name it, it is flawed. It will always be flawed; even if human beings are taken out of the equation it will be just as flawed as the computer that writes it, which had its own code written by humans. Code's flawed origins (us) will mean that for as long as computers and code exist it will remain flawed.

Simple social engineering: >>click me for a great porn jpg file, linked to the link porn.jpg.exe. If I posted a real link on some random forum with a trojan or keylogger as the payload, how many install reports from it calling home do you suppose I might get?

I emailed my brother a porn.jpg.exe that was a keylogger, from his own email no less. And just from him in that highly targeted attack I got over 200 email alerts to the install in just over a week. 1 person, one email, one file, 200 results. Now had I been looking to rip off bank account numbers and dropped this on a forum somewhere I would have gotten 1000s of alerts weekly or maybe daily from one single post. All because people like porn or warez or free stuff.

I'm going to post a poll for fun in a minute and see how many people have what amounts to spyware on their phone, Android or iPhone.

therube
join:2004-11-11
Randallstown, MD

1 recommendation

therube

Member

> >>click me for a great porn jpg

Could you repost the link, as I'm not seeing it.

vaxvms
ferroequine fan
Premium Member
join:2005-03-01
Polar Park

2 recommendations

vaxvms to redwolfe_98

Premium Member

to redwolfe_98
Java is responsible for 93% malware infections just like there are no Mac viruses.

sbconslt
join:2009-07-28
Los Angeles, CA

1 recommendation

sbconslt to redwolfe_98

Member

to redwolfe_98
What's reprehensible are software packages that bundle severely outdated and vulnerable versions of JRE alongside their installs. Commonly seen on the driver and application CDs that come with peripherals. Sometimes also in factory restore images or in the manufacturer's restore facility included in a special partition on the drive. Sometimes in packages provided by boneheaded IT departments to facilitate certain business processes for their employees.

I'll show up to disinfect a machine and find Java 1.4.2_something on it. This is an invitation to get infected within three seconds of opening a browser and doing anything.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to therube

Member

to therube
LOL

But isn't that exactly the mentality of most? What you post in jest is the real attitude of most who are infected by tons of malware.

As a fun social experiment maybe one day I'll find some nearly abandoned forum and post some dead links with porn-like keywords and see how many people post "hey can you fix the link". My guess is it would be filled with just that sort of nonsense. After all we all know the only real reason to be online is to look at free porn.....

I can not for the life of me see how to post a poll.

My idea for a poll was simple. 1 question, yes or no answer.

Do you have any King game such as Candy Crush installed on your phone?

Guess what, if you answer yes to that, congratulations, you have spyware on your phone.

I have an old LG Rumor Touch on Virgin Mobile. One day I get a call from a friend. Shortly after I get a text telling me about their latest score on Candy Crush Saga and that if I wanted to beat it I could go here to download it. See, Candy Crush and all King Saga games want access to your contact list and pretty much everything in your phone. They then use that contact list to further propagate their garbage games to more users. Now they are obviously selling this data to other companies as well.

As for the topic at hand, I will never own a computer that I do not install Java on. Java is far too common in use online and off; to not have it installed would be worse for usability of my computer than having some malware. I want a computer I can actually do stuff with other than run benchmarks and be a glorified door stop with a fancy picture. If I want a glorified door stop I'll fire up 3D Max, make some cool 3D model, buy a 3D printer and print me out one. Oh and 3D Studio Max uses some Java in its scripts as well as VB and a few other things. This is all used so that the user (me) can edit scripts to do what I need them to do without the need of compiling source code. Being that even the largest of 3DS scripts is very small, Java is not only just fine, it is perfect for the job.

Security and even privacy is a trade-off for usability. You can not have a computer locked down to the point where no data leaks out and it can not be infected with some virus, trojan or spyware program and still have a computer that even resembles something that can be used.

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

Chubbzie to redwolfe_98

Member

to redwolfe_98
Who is responsible for authoring this article on pcworld?

Cisco vs. Oracle - Round Two - Fight!

"There will be a new market leader in the underground," Gundert said. "I think it's just a matter of time before another Blackhole ... emerges and claims dominance."

Interestingly enough this newly created "Blackhole" will be ordained "Kids of the Black Hole"
dave
Premium Member
join:2000-05-04
not in ohio

1 edit

4 recommendations

dave to redwolfe_98

Premium Member

to redwolfe_98
As a Java programmer, I should point out (again) that there's nothing that's particularly dangerous about running a Java program that you get from a trusted source. It's certainly safer than running a C program you got from the same source; safer because the language doesn't have nearly the same buffer-overflow risk from inattentive programmers.

What is dangerous is letting some random web site give you any program which you then execute without having the slightest clue what it does. Or even that you are executing it.

Why 'Java' is considered dangerous is that there is a virtual machine plug-in for browsers that makes the claim that it is perfectly safe to do just that, run unknown code, because the runtime environment (JRE) provides a security manager that can allow you to safely execute even malicious code. Yeah, uh-huh, sure; just as long as the JRE design and implementation are completely leakproof. And how would you like to buy a bridge?

So: Java accessible via web browser: dangerous. Java: not dangerous.

My headline would be: "web browsers responsible for 95.7% of malware infections".
19579823 (banned)
An Awesome Dude
join:2003-08-04

19579823 (banned) to redwolfe_98

Member

to redwolfe_98

Yea Dave, very true!!!!!!

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

1 recommendation

siljaline to redwolfe_98

Premium Member

to redwolfe_98

Re: Java Responsible For 93% Of Malware-Infections

Link used here numerous times.
Do you need Java - Not on this PC. Unless you expressly need Oracle Java, some do and power to you but for others, it's an unnecessarily user introduced attack vector.
siljaline

1 recommendation

siljaline to redwolfe_98

Premium Member

to redwolfe_98
See also:
IE plays security catch-up, will block outdated Java plug-ins

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

Chubbzie to dave

Member

to dave
said by dave:

And how would you like to buy a bridge?

Jcoins? Hardee-har

Link Logger
MVM
join:2001-03-29
Calgary, AB

1 recommendation

Link Logger to redwolfe_98

MVM

to redwolfe_98
We should also remember that users are somewhat guilty or perhaps only unaware that they need to practice safe hex, and that includes installing patches and upgrades, as I'd bet there are more than just a few systems out there running older vulnerable versions of Java etc. I know some folks get really bent out of shape when an app calls home, but if it's calling home to see if an update is available is that really so bad?

Blake

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 recommendation

NetFixer

Premium Member

said by Link Logger:

I know some folks get really bent out of shape when an app calls home, but if it's calling home to see if an update is available is that really so bad?

I consider it bad when an automatically installed update (that the PC owner might not even know had been installed) suddenly trashes the system. BTDT for myself and numerous clients before I wised up and turned off auto updates for everything (automatic update checking, not so bad, but automatic updating, no way). I know that "somebody" needs to be the guinea pig, but I prefer not to play that part (I will wait for multiple other people to try it before I try it).

DownTheShore
Pray for Ukraine
Premium Member
join:2003-12-02
Beautiful NJ

2 recommendations

DownTheShore to Link Logger

Premium Member

to Link Logger
Back in the day, I would turn off auto-update checking for most programs because they slowed down my computer too much, with all of their phoning home.

Now, the only thing I allow to auto-update without asking specific permission from me is my security software. Everything else that can be set to just alert me that an update is available is set that way. If it only allows automatic updating, then I turn it off and manually check for new versions periodically.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere

Premium Member

 
Way to Go !
psloss
Premium Member
join:2002-02-24

psloss to redwolfe_98

Premium Member

to redwolfe_98
said by redwolfe_98:

according to "Cisco", vulnerabilities in "java" were responsible for 93% of the malware-infections that they have seen, in the first 6 months of 2014:

»www.pcworld.com/article/ ··· own.html

we don't hear much, these days, about how bad it is to have "java" installed..

This sounds like an over-generalization. Drive-by kits didn't die towards the end of last year along with Blackhole, but a significant (and noticeable) shift in emphasis to payloads attached to emails occurred after the arrests. Those emails took advantage of a related vulnerability (PEBCAK); more specifically there's a percentage of people that can be consistently tricked into clicking on links to drive-by sites or opening even "extensively wrapped" email attachments. (Zero-attention-span cultures and high-stress environments probably help the bad guys, too.)

(And as others have noted, it's not "Java" that Blackhole and derivatives attacked but web browser plugins in the Java implementation that Oracle subsumed.)
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to Link Logger

Member

to Link Logger
What's funny about updates and my computers: until recently I have always had 2 or more computers. One I could not care less about. If it got hosed to the ground, oh well, I could reformat, reinstall and go. Hell, it never had more than basic drivers that would give me fairly high res and refresh on vid and basic sound, mouse etc. The other one was my 3D development system. It was never even online. I would update only drivers and DirectX etc. I could not care about anything security-wise on it. I would install Sygate firewall when an update was available for something I needed, install a network card, connect, grab, install, disconnect, remove network card and done. When I was heavy into beta testing that computer was always fully updated other than security. Again I just had no need for it. I ran firewalls etc. on both net-connected systems to block all outgoing other than what I wanted to go out. So even if it got smacked with a worm it would never spread from my system. Oddly, on my disposable comp, running occasional virus scans, I never had any lol. Obviously this doesn't apply to when I would infect my comp on purpose.

Boooost
@24.190.186.x

Boooost to siljaline

Anon

to siljaline
said by siljaline:

Do you need Java - Not on this PC. Unless you expressly need Oracle Java, some do and power to you but for others, it's an unnecessarily user introduced attack vector.

I use Java at home to play Minecraft. At work, we use Java because some major software development tools are written in Java.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

Well again java is exploited more because it is in use more. I've seen security patches etc for silverlight but don't know of any malware that use it to infect. I'm sure there is some but just don't hear about it much because it is not as widespread as ActiveX or Java.

And same thing here (I don't bother with Minecraft but) I work with 3D Studio Max and it does make use of some JavaScript and Java as well as VB etc.
If you do any form of programming or development you're going to need Java. I would say it is a somewhat safe bet that most of those who hang out on the sec forums here are also in some way, shape or form developers. Meaning most of us use Java.
psloss
Premium Member
join:2002-02-24

psloss

Premium Member

said by Nanaki:

Well again java is exploited more because it is in use more.

No, popularity is only part of it -- the current generation of exploit kits try several different popular plugins for Windows browsers; Oracle/Sun Java is only one of them. The bigger issue with Oracle's Java browser plugin is that it became the proverbial lowest hanging fruit; Oracle didn't respond emphatically to reported security issues until after even Adobe (well after in Internet time).
said by Nanaki:

I've seen security patches etc for silverlight but don't know of any malware that use it to infect.

It was still in the mix of exploits for kits in the (Northern Hemisphere) Spring, like Angler. There are at least a couple of link threads here.

therube
join:2004-11-11
Randallstown, MD

therube to sbconslt

Member

to sbconslt
> software packages that bundle severely outdated and vulnerable versions of JRE alongside their installs

Does Java need (necessarily) to be "installed"?
Just recommissioned an old (last used 4 years ago, 512KB SDRAM, Compaq) XP system & noted that java.exe was in the (I think it was) PC Doctor directory, but there was no 'Add or Remove' entry for Java.
(Runs like a champ, btw.)

sbconslt
join:2009-07-28
Los Angeles, CA

sbconslt

Member

PC-Doctor is commonly bundled as part of e.g. Dell Support Center, you can remove it as such, or Compaq in your case, remove all that junk. It doesn't plug with the browser per se but you don't need to be running manufacturer accessory software anyway.
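The bundled runtimes discussed in the two posts above (a `java.exe` shipped inside a vendor tool, with no 'Add or Remove' entry) only turn up if you search the disk rather than the installed-programs list. The following is an added example, not code from any poster in this thread: it walks a directory tree, records every folder holding a Java launcher, and classifies it against a baseline. It assumes the runtime ships a `release` file containing a `JAVA_VERSION` line; runtimes without one are reported as `unknown`, and the baseline tuple is a placeholder to set from your own patch policy.

```python
import os
import re
import sys

JAVA_BINARIES = {"java", "java.exe", "javaw.exe"}
VERSION_LINE = re.compile(r'^JAVA_VERSION="?([^"\r\n]+)"?', re.MULTILINE)
BASELINE = (8, 0, 0)  # placeholder baseline, not a recommendation


def parse_java_version(text):
    """Turn '1.4.2_19', '1.8.0_11-b12' or '11.0.2+9' into a comparable tuple.

    Legacy '1.x' strings drop the leading 1, so 1.8.0_11 becomes (8, 0, 11).
    """
    core = re.split(r"[-+]", text.strip())[0]  # discard build suffixes
    nums = [int(n) for n in re.findall(r"\d+", core)]
    if not nums:
        return None
    if nums[0] == 1 and len(nums) > 1:
        nums = nums[1:]
    return tuple(nums)


def read_release_version(java_home):
    """Return the JAVA_VERSION string from <java_home>/release, or None."""
    path = os.path.join(java_home, "release")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = VERSION_LINE.search(fh.read())
    except OSError:
        return None
    return match.group(1).strip() if match else None


def find_java_runtimes(root, minimum=BASELINE):
    """Walk root and report every directory that holds a Java launcher.

    Status is 'outdated', 'ok', or 'unknown' (no readable release file).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not JAVA_BINARIES & {name.lower() for name in files}:
            continue
        # Launchers normally sit in <java_home>/bin; the release file is one level up.
        in_bin = os.path.basename(dirpath).lower() == "bin"
        home = os.path.dirname(dirpath) if in_bin else dirpath
        raw = read_release_version(home)
        version = parse_java_version(raw) if raw else None
        if version is None:
            status = "unknown"
        else:
            status = "outdated" if version < minimum else "ok"
        findings.append({"home": home, "version": raw, "status": status})
    return sorted(findings, key=lambda item: item["home"])


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for item in find_java_runtimes(scan_root):
        print(item["status"], item["version"] or "-", item["home"], sep="\t")
```

An `unknown` result deserves the same follow-up as `outdated`: the launcher exists but nothing on disk states its version.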
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

1 recommendation

Nanaki (banned) to psloss

Member

to psloss
A person could create a is with a billion exploitable flaws, give it to a few 100 people, and it would never get exploited even if it was well known; so long as it has no real market share it will never be a target. I remember a vulnerability that was super easy to exploit in a little-used server some years back. There were zero in-the-wild exploits. There was just next to no one using it. Java is in widespread use and has flaws; it gets exploited. You mention a couple threads on Silverlight. Notice a couple, not a 1000. Silverlight is just not used enough to be worth targeting. Sure some did but not very many. Linux is now getting enough market share that it has been targeted a couple times now. Similar to Silverlight. As popularity goes up so too do the attacks.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

said by Nanaki:

You mention a couple threads on Silverlight. Notice a couple, not a 1000. Silverlight is just not used enough to be worth targeting.

I am not a Netflix customer, so I can't say with any authority, but I am pretty sure that Netflix uses Silverlight to play back their streaming content (that is one of the reasons that I am not a Netflix customer). Netflix is not exactly a small outfit with only a handful of customers. I can recall seeing some talk about Netflix migrating to html5, but has that been done already? Their on-line FAQ How does Netflix work? says this:

To begin watching movies and TV shows from your PC or Mac:

1. Open an Internet browser and go to www.netflix.com
2. Sign into your Netflix account
3. Select a title to Play

If you do not already have Microsoft Silverlight plug-in installed, you will be prompted to download and install the free plug-in for your web browser. Just follow the instructions to get started.

Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

Used by Netflix and a very few other sites. It is not that common overall; a few sites use it, not literally millions. Just because Netflix has millions of customers doesn't mean all that much. Let Silverlight be used on millions of sites and watch how fast we start seeing posts out the wazoo about it being exploited. As it stands, how many infections are traced back to it compared to Java?

edited to add...\/

Just did a forum search here. Of the 3k plus posts on it, on the 4 pages I looked at most are about compatibility or complaints about quality. A few questions on how to, or if you can, turn off web cam, mic etc., which are somewhat a security threat. But did not actually see any about it being an attack vector. Could have missed them though, as I clicked on a few random page links.

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

1 recommendation

Chubbzie

Member

said by Nanaki:

Let Silverlight be used on millions of sites and watch how fast we start seeing posts out the wazoo about it being exploited

Silverlight has just been added to a few exploit kits within the last few months.

Here's a listing of CVE's currently known Silverlight vulnerabilities:
Microsoft Silverlight: List of Vulnerabilities

There are a few corporations/large institutions that I know of that are forced to use Silverlight b/c of some lazy development staff...