Thanks ever so much Java, for that biz-wide rootkit infection
Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you'll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact …
The only use for java these days
Are Minecraft, Android development and viruses. In that order.
Re: The only use for java these days
That's why I play Minecraft using Linux...
Re: The only use for java these days
Java exploits don't only work on Windows, they'll run on anything that Java will run on, including Linux.
What you're displaying is a fairly common mindset that "Windows is the only thing that gets exploited, therefore I'm safe, whatever I do with my non-Windows OS." It's very dangerous and I've seen it bite people, a friend of mine found that his broadband was running slowly because his Linux box had been rooted and was happily serving porn to the world.
Playmobile reconstruction or it didn't happen
Have you got a URL for some good Java coded Linux Malware? I would like to try it out. When I have tried installing malware before it didn't work - not even under wine.
Re: The only use for java these days
It depends, the virus may be using JNI or an exploit in the VM to access OS resources.
Re: mindset that "Windows is the only thing that gets exploited,
Trevor was talking about his own experience, so it might not have been appropriate in this particular article, but I do wish that more people would remember the penguins when it comes to documenting these risks and recovering from them.
If it saves just one chicken...
Re: The only use for java these days
The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges.
Re: The only use for java these days
Um...what? OSX is actively under attack using these vulns...as is Ubuntu for those running as root...
Re: ...for those running as root
Which, if you are not a transplanted M$ n00b, is never recommended.
Re: The only use for java these days
The good news is that on OS X you can go into the Java preferences, disable the Java plug-in on all browsers with a click on the checkbox, and still have local Java programs (well, in my case Eclipse) running perfectly fine.
Windows, on the other hand, is a fecking nightmare to disable.
Re: ...for those running as root
Do you have any idea how many Ubuntu users I catch running as root? It gives me a sad.
Re: The only use for java these days
Disables fine in Chrome and Firefox. Even when "disabled" in IE, the thing still can be called. How that works, well...comments, Microsoft? I'd love to hear the explanation.
Linux box had been rooted?
> a friend of mine found that his broadband was running slowly because his Linux box had been rooted and was happily serving porn to the world ..
Any idea how it got onto your friend's computer and how it disabled the firewall on his broadband modem?
Re: ...for those running as root
How do they run as root on Ubuntu?
Re: ...for those running as root
Set a root password. Then you can log into the GUI as root.
It would be unethical to send malware
It would be unethical to send malware to an unknown party or a party not working for a reputable major antivirus or security firm.
If you doubt that Linux has vulnerabilities and exploits search on Linux here:
http://www.kb.cert.org/vuls/byid?searchview
Re: Linux box had been rooted?
First, you're making an error assuming all broadband modems have firewalls; they don't.
Secondly, something that can get through a hardware firewall to access Windows computers behind it can get through a hardware firewall to access Linux computers behind it.
Re: ...for those running as root
As other operating systems become more usable, we'll find more poorly trained and untrained people using them. Which means more people making the mistake of using an elevated privileges account for everyday work.
Perhaps the only solution is to go the Apple route, and maybe a bit further. Create an operating system that will only run software signed by the operating system author. I fear that is where we are headed.
Re: ...for those running as root
Where we are clearly headed is "Safe Computing" shooting up on 'roids and methamphetamine:
Everyone will run their OS inside a VM. At least one "bundes-trojaner" will be in full control of the VM and continuously monitor all interfaces to the hardware layer for "dangerous traffic". External connections are logged and saved for 7 years in case the definition of "dangerous traffic" mutates and prosecution becomes necessary after the fact.
You cannot install anything outside of the VM, any attempt to hack it will bring the full force of NDAA 2012 or RIAA sturmtroopers to your doorstep. All of this is for our own protection, of course.
Re: ...for those running as root
What the hell are people running Ubuntu who know enough to set a root password doing setting a root password?
No sympathy for rooted boxes there if they're going to insist on being as stupid as possible.
Re: ...for those running as root
Which, if you are not a transplanted M$ n00b, is never recommended.
this should read:
Which is never recommended.
To MS's credit, they have been actively trying to persuade everyone since NT 3.51 (that's a very long time ago, thank you) to please not log on as admin. Only: nobody listens. Neither do you. Or he. Or she. Or whoever. Long story short: migrating these people to Linux will not solve the problem, only make it worse: they will still log on as root (I'm the admin!) and now will not even have a clue how stuff works in Linux.
Migrating normal users to Linux is a disaster waiting to happen. Trust me. I know. For sure. Been there. And turned back.
Re: ...for those running as root
"Do you have any idea how many Ubuntu users I catch running as root? It gives me a sad."
Even a few is surprising - on a default Ubuntu install, you can't log in or su to root.
Re: The only use for java these days
"Windows, on the other hand, is a fecking nightmare to disable."
You can go into the Java preferences and disable the Java plug-in by clicking on the checkbox.......
Let me guess. You've been fannying around with the options in the various browsers rather than going to the horse's mouth of the Java console in Control Panel, haven't you?
Re: The only use for java these days
You need to run the Java control panel from an elevated command prompt (obvious, that) and while that works for alternative browsers it still doesn't work properly for IE and IE is part of Windows. See my post on the next page.
Your icon is self referential I suppose?
Re: Java exploits don't only work on Windows
True, the software would run on any machine with a suitable java runtime. However, most non-windows installations use sensible user permissions as default. Plus, the exploit code is going to be very OS specific so you'd need to have something explicitly targeting linux, osx, vms, ...
"was happily serving porn to the world" Must have a really good broadband connection!
Re: .Set a root password
It would almost serve them right if they did get infected.
Re: Linux box had been rooted?
A "broadband firewall" is just a NAT. It doesn't give you any protection whatsoever from malware that installs itself via booby-trapped websites or received in E-mail.
Re: The only use for java these days
"...compared to Windows XP, where everybody runs with administrator privileges"?
In the corporate environment this is unforgivable (and if there's a sysadmin of any note it won't be true). I will concede that in the home it's more tempting to run as an administrator. Bear in mind that full admin rights aren't given by default to newly created accounts: it is the owner's choice.
Re: ...for those running as root
"How do they run as root on Ubuntu?"
sudo su
Most obvious way I can think of.
Re: ...for those running as root
sudo passwd root
Enter a password.
Now you can log in to the GUI. What's so hard about that?
Re: Ubuntu for those running as root...
It is designed to make that difficult, therefore unlikely.
I can "sudo su" in a terminal and forget that I'm root --- but I'm not even sure how to be running the entire desktop as root.
Re: ...for those running as root
Which shows that my last reply must be, err ...wrong. Oh well, that happens! :)
But I wonder why they bother, as it is so unnecessary for everything except admin tasks. It would make me sad too.
Not that I never spent all day logged in as root on a work machine. And not that I never screwed up when doing so <Blush>
Re: ..default Ubuntu install, you can't login or su root.
You can sudo su or sudo su - which is pretty much the same as being logged in as root.
And in mid post, I tried sudo su root. Yes, you can su root.
Re: The only use for java these days
"The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges."
Utter bollocks, I am afraid to say. It would not be hard at all to craft a payload that did anything harmful on a Linux install. What planet are you living on? Clearly not the same one as me. Running Linux is not an effective shield for now. Windows and Linux boxes are exploited for differing reasons.
Windows - Exploited these days to slurp mostly banking data and anything else they fancy, due to the high volume of Windows users and therefore banking details available to be stolen. Making it target No.1 for anything exploiting for cash profit that can be rapidly taken advantage of.
Linux - Small desktop percentage and therefore low volume of banking transactions compared to Windows. Hence why you don't see you & your friends' Linux desktops hit with a slew of malware. There is no substantial profit to be made. Linux has a heavy server percentage and the exploits developed reflect that. Stating that it's harder to exploit a Linux system is utter drivel of the highest order. It's secure on the desktop due to its obscurity/low install base. As simple as that. On the server it needs proper care & attention to detail or you're open to all sorts of attack.
So to be short: there is no profit in exploiting Linux desktop users at this time. If the user base blew up, so would the number of malware kits produced for it.
Re: The only use for java these days
Yep, although I do wonder how he managed to get incoming tcp connections through the router firewall... oh wait, upnp... another fine invention for malware.
We need something which is inherently less capable than java. You don't need to root a box if it can happily run a java web-server as a local user, or spend some time scanning your RPC services for exploits now or in the future or (I suspect is the most common) wait some time and then pretend to be a flash update requesting admin privileges to install.
Linux is a good model with its repositories. No per-application update systems please. Flash should never ask to install updates, the system should keep a list of updates which the user can check (or silently install). How often have we seen "posing as a flash update"?
I'd like to see further OS controls, especially for mobiles. Few applications need access to the internet, mostly they just need to talk to one domain. How about controls set during an installation which limit what an application can access? Should that be part of the standard application installation system? So the OS restricts flash to *.adobe.com for updates. Anything which wants wide or unusual internet access should be easily spotted. Hmm, why does that pack of emoticons need any outbound network connections, let alone access to the entire internet? How about path restrictions? Why not set the binary path and library requirements at installation and get the OS to prevent loading/execution of anything else?
Re: Linux box had been rooted?
A Java trojan and then UPnP would do it on most home systems.
Or rooted and then keylogged?
Re: ...for those running as root
I would say that MS says one thing and does another.
On a default install of Windows 2000 Professional/Server you are root (administrator) by default, so are you in Windows XP/2003, then on Vista you get elevated privileges through UAC all the time which is neither an administrator account, neither a non-privileged user, same for Windows 7/2008/R2.
Microsoft had the opportunity with Win7 to go to a fully user/admin separated model like everything in the industry other than them for the last 30 years.
But no, they know that will break software and alienate users, and the bottom line is more important than doing things the right way.
Re: The only use for java these days
Exploiting a Linux workstation and installing a rootkit running as a regular user requires much more than a simple Java exploit.
Most hacks that I have encountered in Linux follow only one pattern: the people using it are completely clueless.
I have never faced an exploit on a Linux desktop, but I have been exploited by a 0-day vulnerability in Opera in Windows; thank god I never run as Admin and the little nasty only got to infect my profile.
Seriously I have yet to face the same thing in Linux.
Re: The only use for java these days
"So to be short: there is no profit in exploiting Linux desktop users at this time. If the user base blew up, so would the number of malware kits produced for it."
I am eager to see Linux being exploited in this manner, I would love to see what the response will be from the technical community, the Linux crowd will not sit idle, as thankfully there is no inertia to overcome.
Re: The only use for java these days
I want to lynch the people who write malware.
I have had to clean out systems in a way that the author has described before and I have a dim view of damage control and rebuilding systems from malware take overs...
The amount of shit and misery they cause in terms of people "tens of millions of years of people time, to fix up the shit" to billions of people many times over, over the decades - I think the sentence ought to be burning at the stake.
Fuck them.
Lets not just blame java here
In how many other OSs could a virus get in through a NON privileged account yet not only hide itself all over the system but disable core services AND create a new friggin partition?? I think this demonstrates that, despite what the Seattle snake oil salesmen have to say, Windows never was and never will be a serious OS and certainly not one fit for 24/7 use in a high availability corporate environment. Requiring antivirus in an OS is like putting rollers under a car because the wheels have been designed square.
Re: Lets not just blame java here
Unfortunately for your prejudices, this security flaw affects all versions of Java - if you don't believe me, ask Oracle.
Try understanding something before you let the words fall out.
Re: Lets not just blame java here
I think he did. He was pointing out that it takes two to tango, and that while JITB is a high risk gamble, running an OS that apparently just lies down, rolls over and sticks its legs up in the air isn't actually going to help matters.
Ironic that Java was originally intended to be a browser thing that was going to be the secure multi platform alternative to the evil that was (and still is) activeX. Finally, nice article and lots of useful information that I really hope I never have to use.
At least malware authors are paying proper attention to version management :-)
Re: Lets not just blame java here
> certainly not one fit for 24/7 use in a high availability corporate environment.
Er the number of corporate environments running it like that would seem to indicate otherwise.
Re: Lets not just blame java here
Relevant vulnerabilities exist in Windows and Java Runtime Engine. The attack vector starts with Java then goes into Windows from there. Assuming it's using Java.Awetook, the payload is downloaded from a webserver in J2RE then executed in Windows with elevated privileges. Both MS and Oracle may be responsible for vulnerabilities and security weaknesses here.
Re: Lets not just blame java here
Because the Windows 'every user has to be an administrator else nothing works right' model is broken...
Re: Lets not just blame java here @ steve
No he wasn't - he was windows bashing. And while windows might need a bash now and then it should really be for things that are wrong with windows. The supposed evil of Microsoft is nothing compared to the incompetent, irresponsible malware that is java. Windows can be done secure with the right amount of application - java cannot be done secure - on any OS - period.
I really do feel sorry for anyone who has to maintain any system with a java reliant component.
Re: Lets not just blame java here
"Unfortunately for your prejudices, this security flaw affects all versions of Java - if you don't believe me, ask Oracle."
You clearly have no idea what security and (non)privileged accounts mean. You must be a Windows user.
Re: Lets not just blame java here @ steve
"And while windows might need a bash now and then it should really be for things that are wrong with windows."
So allowing a browser plugin to execute privileged code from a non-privileged account ISN'T a problem with the OS? Whose fault is it then, the magic malware pixie?? Jeez....
Re: Lets not just blame java here
Oh I don't know - maybe the person who configured the account to allow that to happen. I bet it's quite possible to get into lots of trouble running any OS if you don't know what you are doing.
