
redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 recommendations

Java Responsible For 93% Of Malware-Infections

according to "Cisco", vulnerabilities in "java" were responsible for 93% of the malware-infections that they have seen, in the first 6 months of 2014:

»www.pcworld.com/article/2461760/···own.html

we don't hear much, these days, about how bad it is to have "java" installed..



cableties
Premium
join:2005-01-27

1 recommendation

Double whammy: Windows and Java
--
Splat



goalieskates
Premium
join:2004-09-12
land of big

8 recommendations

reply to redwolfe_98

Funny how I run Java and have no infections. So I guess the problem couldn't possibly be anything else out of a zillion variables, it "must be" Java, right?

Like the old saying goes, figures lie and liars figure.



beck
Premium,MVM
join:2002-01-29
On The Road
kudos:1
Reviews:
·Stablehost.com

1 recommendation

reply to redwolfe_98

Well, I just don't believe this. Some friends must be the other 7% since they are infected all the time and don't have java on their system. Or flash either. Or Office. Or even Adobe Reader. Yet they get infected.
--
Are YOU just a turkey voting for xmas?



novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

It is called downloading and installing without regard to security. If I created a rootkit or malware for Linux and can convince a person to install it and use some social engineering to get them to click through all warnings etc., they will get nailed just as fast as anyone else.

Malware of all types relies more on end users' bad habits and/or outright stupidity to get installed. All software is made by people who are fallible; it is in our nature. That code will reflect that fact about us. Be that Java, Flash, Silverlight, ActiveX, HTML, VRML, ASC, ASM, you name it, it is flawed. It will always be flawed; even if human beings are taken out of the equation it will be just as flawed as the computer that writes it, which had its own code written by humans. Code's flawed origins (us) will mean that for as long as computers and code exist it will remain flawed.

Simple social engineering >>click me for a great porn jpg file linked to the link porn.jpg.exe If I posted a real link on some random forum with a trojan or keylogger as the payload, how many install reports from it calling home do you suppose I might get?

I emailed my brother a porn.jpg.exe that was a keylogger, from his own email no less. And just from him in that highly targeted attack I got over 200 email alerts to the install in just over a week. 1 person, one email, one file, 200 results. Now had I been looking to rip off bank account numbers and dropped this on a forum somewhere I would have gotten 1000s of alerts weekly or maybe daily from one single post. All because people like porn or warez or free stuff.

I'm going to post a poll for fun in a minute and see how many people have what amounts to spyware on their phone, Android or iPhone.



therube

join:2004-11-11
Randallstown, MD

1 recommendation

> >>click me for a great porn jpg

Could you repost the link, as I'm not seeing it.



vaxvms
ferroequine fan
Premium
join:2005-03-01
Wormtown
kudos:3

2 recommendations

reply to redwolfe_98

Java is responsible for 93% malware infections just like there are no Mac viruses.



sbconslt

join:2009-07-28
Los Angeles, CA

1 recommendation

reply to redwolfe_98

What's reprehensible are software packages that bundle severely outdated and vulnerable versions of JRE alongside their installs. Commonly seen on the driver and application CDs that come with peripherals. Sometimes also in factory restore images or in the manufacturer's restore facility included in a special partition on the drive. Sometimes in packages provided by boneheaded IT departments to facilitate certain business processes for their employees.

I'll show up to disinfect a machine and find Java 1.4.2_something on it. This is an invitation to get infected within three seconds of opening a browser and doing anything.
--
Scott Brown Consulting, Los Angeles Computer Security & IT Services



novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH
reply to therube

LOL

But isn't that exactly the mentality of most? What you post in jest is the real attitude of most who are infected by tons of malware.

As a fun social experiment maybe one day I'll find some nearly abandoned forum and post some dead links with porn-like keywords and see how many people post "hey can you fix the link". My guess is it would be filled with just that sort of nonsense. After all we all know the only real reason to be online is to look at free porn.....

I can not for the life of me see how to post a poll.

My idea for a poll was simple. 1 question yes or no answer.

Do you have any King game such as Candy Crush installed on your phone?

Guess what if you answer yes to that congratulations you have spyware on your phone.

I have an old LG Rumor Touch on Virgin Mobile. One day I get a call from a friend. Shortly after I get a text telling me about their latest score on Candy Crush Saga and that if I wanted to beat it I could go here to download it. See, Candy Crush and all King saga games want access to your contact list and pretty much everything in your phone. They then use that contact list to further propagate their garbage games to more users. Now they are obviously selling this data to other companies as well.

As for the topic at hand, I will never own a computer that I do not install Java on. Java is far too common in use online and off; to not have it installed would be worse for usability of my computer than having some malware. I want a computer I can actually do stuff with other than run benchmarks and be a glorified door stop with a fancy picture. If I want a glorified door stop I'll fire up 3D Max, make some cool 3D model, buy a 3D printer and print me out one. Oh, and 3D Studio Max uses some Java in its scripts as well as VB and a few other things. This is all used so that the user (me) can edit scripts to do what I need them to do without the need of compiling source code. Being that even the largest of 3ds scripts is very small, Java is not only just fine, it is perfect for the job.

Security and even privacy is a trade off for usability. You can not have a computer locked down to the point where no data leaks out and it can not be infected with some virus trojan or spyware program and still have a computer that even resembles something that can be used.



Chubbzie

join:2014-02-11
Greenville, NC
reply to redwolfe_98

Who is responsible for authoring this article on pcworld?

Cisco vs. Oracle - Round Two - Fight!

"There will be a new market leader in the underground," Gundert said. "I think it's just a matter of time before another Blackhole ... emerges and claims dominance."

Interestingly enough this newly created "Blackhole" will be ordained "Kids of the Black Hole"


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 edit

4 recommendations

reply to redwolfe_98

As a Java programmer, I should point out (again) that there's nothing that's particularly dangerous about running a Java program that you get from a trusted source. It's certainly safer than running a C program you got from the same source; safer because the language doesn't have nearly the same buffer-overflow risk from inattentive programmers.

What is dangerous is letting some random web site give you any program which you then execute without having the slightest clue what it does. Or even that you are executing it.

Why 'Java' is considered dangerous is that there is a virtual machine plug-in for browsers that makes the claim that it is perfectly safe to do just that, run unknown code, because the runtime environment (JRE) provides a security manager that can allow you to safely execute even malicious code. Yeah, uh-huh, sure; just as long as the JRE design and implementation are completely leakproof. And how would you like to buy a bridge?

So: Java accessible via web browser: dangerous. Java: not dangerous.

My headline would be: "web browsers responsible for 95.7% of malware infections".



Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:12
reply to redwolfe_98

Yea Dave,very true!!!!!!



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 recommendation

reply to redwolfe_98

Re: Java Responsible For 93% Of Malware-Infections

Link used here numerous times.
Do you need Java - Not on this PC. Unless you expressly need Oracle Java, some do and power to you but for others, it's an unnecessarily user introduced attack vector.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

1 recommendation

reply to redwolfe_98

See also:
IE plays security catch-up, will block outdated Java plug-ins



Chubbzie

join:2014-02-11
Greenville, NC
reply to dave

said by dave:

And how would you like to buy a bridge?

Jcoins? Hardee-har


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 recommendation

reply to redwolfe_98

We should also remember that users are somewhat guilty, or perhaps only unaware, that they need to practice safe hex, and that includes installing patches and upgrades, as I'd bet there are more than just a few systems out there running older vulnerable versions of Java etc. I know some folks get really bent out of shape when an app calls home, but if it's calling home to see if an update is available is that really so bad?

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 recommendation

said by Link Logger:

I know some folks get really bent out of shape when an app calls home, but if it's calling home to see if an update is available is that really so bad?

I consider it bad when an automatically installed update (that the PC owner might not even know had been installed) suddenly trashes the system. BTDT for myself and numerous clients before I wised up and turned off auto updates for everything (automatic update checking, not so bad, but automatic updating, no way). I know that "somebody" needs to be the guinea pig, but I prefer not to play that part (I will wait for multiple other people to try it before I try it).
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


DownTheShore
Honoring The Captain
Premium
join:2003-12-02
Beautiful NJ
kudos:14
Reviews:
·Verizon Online DSL

2 recommendations

reply to Link Logger

Back in the day, I would turn off auto-update checking for most programs because they slowed down my computer too much, with all of their phoning home.

Now, the only things I allow to auto-update without asking specific permission from me is my security software. Everything else that can be set to just alert me that an update is available, is set that way. If it only allows automatic updating, then I turn it off and manually check for new versions periodically.
--
Patriotism is not waving a flag, it is living the ideals.

I want to retire to the Isle of Sodor and ride the trains.

Life is just better when Jeter is in the lineup.

The only difference between a rut and a grave is their dimensions.



Davesnothere
No-BHELL-ity DOES have its Advantages
Premium
join:2009-06-15
START Today!
kudos:7

 
Way to Go !


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to redwolfe_98

said by redwolfe_98:

according to "Cisco", vulnerabilities in "java" were responsible for 93% of the malware-infections that they have seen, in the first 6 months of 2014:

»www.pcworld.com/article/2461760/···own.html

we don't hear much, these days, about how bad it is to have "java" installed..

This sounds like an over-generalization. Drive-by kits didn't die towards the end of last year along with Blackhole, but a significant (and noticeable) shift in emphasis to payloads attached to emails occurred after the arrests. Those emails took advantage of a related vulnerability (PEBCAK); more specifically there's a percentage of people that can be consistently tricked into clicking on links to drive-by sites or opening even "extensively wrapped" email attachments. (Zero-attention-span cultures and high-stress environments probably help the bad guys, too.)

(And as others have noted, it's not "Java" that Blackhole and derivatives attacked but web browser plugins in the Java implementation that Oracle subsumed.)


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH
reply to Link Logger

What's funny about updates and my computers: until recently I have always had 2 or more computers. One I could not care less about. If it got hosed to the ground, oh well, I could reformat, reinstall and go. Hell, it never had more than basic drivers that would give me fairly high res and refresh on vid and basic sound, mouse etc. The other one was my 3D development system. It was never even online. I would update only drivers and DirectX etc. I could not care about anything security-wise on it. I would install Sygate firewall when an update was available for something I needed, install a network card, connect, grab, install, disconnect, remove network card and done. When I was heavy into beta testing that computer was always fully updated other than security. Again I just had no need for it. I ran firewalls etc. on both net-connected systems to block all outgoing other than what I wanted to go out. So even if it got smacked with a worm it would never spread from my system. Oddly, on my disposable comp running occasional virus scans I never had any lol. Obviously this doesn't apply to when I would infect my comp on purpose.



Boooost

@24.190.186.x
reply to siljaline

said by siljaline:

Do you need Java - Not on this PC. Unless you expressly need Oracle Java, some do and power to you but for others, it's an unnecessarily user introduced attack vector.

I use Java at home to play Minecraft. At work, we use Java because some major software development tools are written in Java.


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

Well again java is exploited more because it is in use more. I've seen security patches etc for silverlight but don't know of any malware that use it to infect. I'm sure there is some but just don't hear about it much because it is not as widespread as active x or java.

And same thing here (I don't bother with Minecraft but) I work with 3d studio max and it does make use of some java script and java as well as vb etc.
If you do any form of programming or development you're going to need java. I would say it is a somewhat safe bet that most of those who hang out on the sec forums here are also in some way, shape or form developers. Meaning most of us use java.


psloss
Premium
join:2002-02-24
Lebanon, KS

said by novaflare:

Well again java is exploited more because it is in use more.

No, popularity is only part of it -- the current generation of exploit kits try several different popular plugins for Windows browsers; Oracle/Sun Java is only one of them. The bigger issue with Oracle's Java browser plugin is that it became the proverbial lowest hanging fruit; Oracle didn't respond emphatically to reported security issues until after even Adobe (well after in Internet time).

said by novaflare:

I've seen security patches etc for silverlight but don't know of any malware that use it to infect.

It was still in the mix of exploits for kits in the (Northern Hemisphere) Spring, like Angler. There are at least a couple of link threads here.


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
reply to sbconslt

> software packages that bundle severely outdated and vulnerable versions of JRE alongside their installs

Does Java need (necessarily) to be "installed"?
Just recommissioned an old (last used 4 years ago, 512KB SDRAM, Compaq) XP system & noted that java.exe was in the (I think it was) PC Doctor directory, but there was no 'Add or Remove' entry for Java.
(Runs like a champ, btw.)



sbconslt

join:2009-07-28
Los Angeles, CA

PC-Doctor is commonly bundled as part of e.g. Dell Support Center, you can remove it as such, or Compaq in your case, remove all that junk. It doesn't plug with the browser per se but you don't need to be running manufacturer accessory software anyway.
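Added example, not part of the original posts and not code from any vendor named in the thread: the two posts above describe a `java.exe` that ships inside another product's directory and never shows up under 'Add or Remove', so finding such runtimes means walking the file system rather than reading the installed-programs list. The sketch assumes the runtime's home directory carries a `release` file with a `JAVA_VERSION` line (current JDK/JRE builds write one; very old runtimes may not, and are reported as `unknown`); the sample tree and the baseline version are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

JAVA_BINARIES = {"java", "java.exe", "javaw.exe"}
VERSION_RE = re.compile(r'^JAVA_VERSION="?([^"\r\n]+)"?', re.MULTILINE)

def version_key(version):
    """'1.6.0_45' -> (6, 0, 45); '17.0.9' -> (17, 0, 9)."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if len(nums) > 1 and nums[0] == 1:  # legacy "1.x" numbering
        nums = nums[1:]
    return tuple(nums)

def read_release_version(java_home):
    """Return JAVA_VERSION from <java_home>/release, or None if unreadable."""
    try:
        text = (java_home / "release").read_text(errors="replace")
    except OSError:
        return None
    match = VERSION_RE.search(text)
    return match.group(1) if match else None

def find_private_jres(root, baseline):
    """List (path relative to root, version, status) for each Java runtime."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not JAVA_BINARIES & {name.lower() for name in files}:
            continue
        here = Path(dirpath)
        in_bin = here.name.lower() == "bin" and here != root
        home = here.parent if in_bin else here
        version = read_release_version(home)
        if version is None:
            status = "unknown"      # no release file: inspect by hand
        elif version_key(version) < baseline:
            status = "outdated"
        else:
            status = "ok"
        findings.append((home.relative_to(root).as_posix(), version, status))
    return sorted(findings)

def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {  # constructed sample data, not taken from the thread
            "PC-Doctor/java.exe": None,
            "VendorApp/jre/bin/java.exe": 'JAVA_VERSION="1.6.0_45"\n',
            "IDE/jbr/bin/java": 'JAVA_VERSION="17.0.9"\n',
        }
        for rel, release in layout.items():
            binary = root / rel
            binary.parent.mkdir(parents=True)
            binary.touch()
            if release:
                (binary.parent.parent / "release").write_text(release)
        # baseline is an assumed policy value chosen for the demo
        return find_private_jres(root, baseline=(8, 0, 0))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `find_private_jres` at a program-files or vendor directory and pass whatever minimum version your own policy sets; anything reported `unknown` needs a manual look.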



novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

1 recommendation

reply to psloss

A person could create a is with a billion exploitable flaws, give it to a few 100 people, and it would never get exploited even if it was well known; so long as it has no real market share it will never be a target. I remember a vulnerability that was super easy to exploit in a little used server some years back. There were zero in-the-wild exploits. There was just next to no one using it. Java is in widespread use and has flaws; it gets exploited. You mention a couple threads on silver light. Notice a couple not a 1000. Silver light is just not used enough to be worth targeting. Sure some did but not very many. Linux is now getting enough market share that it has been targeted a couple times now. Similar to silver light. As popularity goes up so too do the attacks.



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by novaflare:

You mention a couple threads on silver light. Notice a couple not a 1000. Silver light is just not used enough to be worth targeting.

I am not a Netflix customer, so I can't say with any authority, but I am pretty sure that Netflix uses Silverlight to playback their streaming content (that is one of the reasons that I am not a Netflix customer). Netflix is not exactly a small outfit with only a handful of customers. I can recall seeing some talk about Netflix migrating to html5, but has that been done already? Their on-line FAQ How does Netflix work? says this:

To begin watching movies and TV shows from your PC or Mac:

1. Open an Internet browser and go to www.netflix.com
2. Sign into your Netflix account
3. Select a title to Play

If you do not already have Microsoft Silverlight plug-in installed, you will be prompted to download and install the free plug-in for your web browser. Just follow the instructions to get started.


--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

Used by netflix and a very few other sites. It is not that common overall; a few sites use it, not literally millions. Just because netflix has millions of customers don't mean all that much. Let silverlight be used on millions of sites and watch how fast we start seeing posts out the wazoo about it being exploited. As it stands how many infections are traced back to it compared to java?

edited to add...\/

Just did a forum search here. Of the 3k plus posts on it, on 4 pages I looked at most are about compatibility or complaints about quality of. A few questions on how to or if you can turn off web cam, mic etc., which are somewhat a security threat. But did not actually see any about it being an attack vector. Could have missed them though as I clicked on a few random page links.



Chubbzie

join:2014-02-11
Greenville, NC

1 recommendation

said by novaflare:

Let silverlight be used on millions of sites and watch how fast we start seeing posts out the wazoo about it being exploited

Silverlight has just been added to a few exploit kits within the last few months.

Here's a listing of CVE's currently known Silverlight vulnerabilities:
Microsoft Silverlight: List of Vulnerabilities

There are a few corporations/large institutions that I know of that are forced to use Silverlight b/c of some lazy development staff...