Kill that Java plugin now! New 0-day exploit running wild online

A new Java zero-day security vulnerability is already being actively exploited to compromise PCs. The best way to defend against the attacks is to disable any Java browser plugins on your systems. The offending bug is present in fully patched and up-to-date installations of the Java platform, now overseen by database giant …

COMMENTS

This topic is closed for new posts.

Anyone still use Java? Isn't it just a pop up that wants to be updated?

5
19
Silver badge

No, we have all migrated to .NET

HEUHEUHEUHEUUHEUUHURRRR

2
3
Anonymous Coward

How do you play minecraft without Java?

But I think the more accurate question, does anyone still use web based java applets? Why are java browser plug ins installed by default anymore? Sure have an extra downloadable if absolutely necessary but it's so rare for anyone to need java in the browser why distribute it in the main runtime installer?

1
1
Bronze badge

But I think the more accurate question, does anyone still use web based java applets? Why are java browser plug ins installed by default anymore? Sure have an extra downloadable if absolutely necessary but it's so rare for anyone to need java in the browser why distribute it in the main runtime installer?

The article made it clear that many users do still use web based Java apps. They may not be as endemic as they once were but that is beside the point: if even one service you need needs browser-based Java you need browser based Java and that is all there is to it. I have little option but to keep it around on my home machines because the web-based configuration for my Epson laser uses it extensively. Why should I replace an otherwise excellent printer just to satisfy somebody else's notion that it isn't needed?

0
0
Anonymous Coward

Because most people don't need a java browser plug in, and if you do then it would make far more sense to have it installed as a separate plug in.

To counter, just because your web-based printer configuration requires a Java web browser plugin why should I have to install a plug in that has never been secure.

0
0
Anonymous Coward

Anyone still use Java?

Citrix GoToMeeting was the last time I needed it.

Anyone using LibreOffice might want to upgrade to the latest version too, since previous versions bitched like hell if Java wasn't present.

0
0

Lol, touched a geek nerve there. 19 down votes for a tongue in cheek remark. God I hope they are the retards who think JavaScript == Java. Note the expert use of CamelCase, ah I miss coding in Java back in the old days!

0
0
Bronze badge
Childcatcher

Anyone still use Java?

Too many of the games sites that the missus enjoys.

2
0
Bronze badge
Mushroom

Banks and Government

Pretty much EVERY bank and ALL government sites in Denmark.

It is pretty much impossible to function here without Java installed

3
0
Bronze badge
Stop

Re: Banks and Government

Which bank or government sites?

Name one, with URL.

Serious question.

I bet they use Javascript, which IS NOT Java.

0
6

Re: Banks and Government

one you said. danskebank.no. Granted, that's the Norwegian outlet of a Danish bank, but the situation is rather the same here in Norway. Quite annoying: every time Java comes with a security update they deny access to not 100% up-to-date java clients. Guess what happens when there is no fix yet ;)

1
0
Silver badge

Re: Banks and Government

Any bets these banks that require Java get set up for drive-by attacks?

0
0
Anonymous Coward

Re: Banks and Government

Which Norwegian bank is that?

I've got two Norwegian banks (DnB and Skandia) and neither require Java. (JavaScript, yes, Java, no.)

If my bank required Java I would close the account. They are clearly employing imbeciles that don't understand today's security threats if they force their customers to use Java. What other crazy risks are they taking with their internal systems. No thanks, I'll go elsewhere.

For the one site a year that I visit that requires Java, I view it in an XP virtual machine which gets reverted to a clean state after visiting. Come to think of it, it's been several years since I've found a site that needed Java. Usually they don't have any content interesting enough to warrant firing up the XP virtual machine.

2
4
FAIL

Re: Banks and Government

pretty much all of them require Java.

the Danish government in all its "wisdom" decided to force a single-signon solution for everything from government services to banks and a host of other things, if you are in contact with the banking sector or any segment of the government a NemID is required.

and it runs on Java.

and it does not properly support mobile systems.

and it's a "black box" in terms of what it does, nobody knows besides what can be gleaned from reverse engineering the applet.

and it's administered by a single private company on an exclusive contract.

and nobody has actual control over their digital ID, you have a cardboard card with key-pairs on to act as a very low tech authenticator. (two part authentication, enter password, enter the requested key, sensible enough really)

https://www.nemid.nu/om_nemid/about_nemid/

oh yea, most people keep them in their wallets, along with their social security card, so as a result you can perform a rather effective identity theft if you get a wallet with both, and empty out people's bank accounts come to think of it. (resetting a password requires your social security number, and a valid card, getting a new one does not, it's just mailed to your registered address after a phone call)

2
0
Silver badge

Re: Banks and Government

I wonder what happens if someone simply transfers money to X, then complains at the bank that he didn't do it, perhaps claiming he got hacked or something...

0
0

Re: Banks and Government

Fokus bank, now Danske Bank. Uses a Java applet. I guess I should take it as good news to be unable to spend any money on frivolous bill paying until Oracle decides to fix java.

0
0
Gold badge
Unhappy

Could be worse

Some sites still demand Internet Explorer to display properly.

Let's see how many complain if it's disabled.

1
0
Bronze badge

I violently agree with what's been said.

I've complained for years about all the web sites that will not work without Java. Best example is trying to get in to email and having it say, "JavaScript required to sign in."

0
27

Re: I violently agree with what's been said.

JavaScript != Java

16
0
Anonymous Coward

Re: I violently agree with what's been said.

You can't be serious.

0
0
Trollface

Re: I violently agree with what's been said.

Surely you troll.

3
0
Anonymous Coward

JavaScript != Java

Obviously. One is a scripting language, and the other is a large island in Indonesia.

12
0
Bronze badge
Childcatcher

Re: JavaScript != Java

!=

Insert escape characters where you see fit.

0
9
Silver badge

Re: JavaScript != Java

It is in programmer's parlance, since the official symbol isn't on keyboards nor recognized by compilers (since the symbol is Unicode). At least it's the C- and derivative-standard notation rather than the BASIC notation of <>. Since many of us don't know the escape sequence for the official one, why don't we just let it go at !=?

12
1
Bronze badge

Re: JavaScript != Java

Don't be daft. In this context, he is clearly referring to coffee.

0
0
Flame

Re: JavaScript != Java

"Java is almost entirely of volcanic origin; it contains thirty-eight mountains forming an east-west spine which have at one time or another been active volcanoes."

How many have gone off lately? Maybe we've exhausted them and we're done for awhile?

0
0
Thumb Up

Re: BASIC notation of <>

And SQL...

0
0
Thumb Up

Re: JavaScript != Java

And also a hot beverage

0
0

Java security hole?

To quote Yogi Beera, "It's like deja-vu, all over again".

4
1
Pint

Re: Yogi Beera. . .

Might you mean Yogi Berra? (I think Yogi Beera is the guy who said, "It ain't over 'til it'sh orvrrrzzzzz...")

2
0
Pint

Re: Yogi Beera. . .

Quite possible quaffing pints was on my mind at the time of typing..

0
0

Huh,

I just checked both computers and somehow I forgot to turn the plugin back on the last time they found a security hole.

(or maybe the time before last, I am pretty lazy about crap I never use nor miss.)

2
0
Silver badge
FAIL

can't resist

Wasn't java originally touted as the most secure run time and language available? Didn't Oracle sell its software as Unbreakable for years? What happens when they join forces? How many critical vulnerabilities in the last few years? Adobe has competition for worst security in the industry.

4
0
Silver badge
Boffin

Re: can't resist

I blame Oracle. They've fudged and shat all over the Sun stuff they bought. Is it any wonder that exploits have become commonplace *after* Oracle bought Sun?

14
0
Silver badge
Joke

Re: can't resist

It's called marketing and is all over the place, ever seen a car marketed as not being better than last year's.

0
0
Silver badge
Joke

Re: can't resist

"*after* Oracle bought Sun". Do you feel Oracle has added "exploits" to Java after they bought Sun.

Never mind, could not resist either.

1
1
Silver badge

Re: can't resist

I notice Oracle quietly dropped the marketing after they were the keynote exploit at hacker conferences several years in a row. I also notice people don't talk about how unbelievable Java's security is any more what with it being a malware portal on even *nix based machines the last several years. Granted when your main competition on the web at the time was ActiveX, claiming to be the secure choice really was low hanging fruit.

2
0
Silver badge

Re: can't resist

Or a computing device described as 'magical'.

0
0

Re: can't resist

Java 7 is Oracle's release so I suppose it's on them. New version, new bugs.

0
0

Re: can't resist

Dear sir, you have just made me spill my coffee...

I hereby salute you ^^

0
0
Silver badge
WTF?

Re: can't resist

Damn, that's the second asdf post I've upvoted in 24 hours - what is the World coming to!?!?

0
0
Linux

Does it work on Linux?

"Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab". link

0
0
Silver badge
Devil

Re: Does it work on Linux?

Good question.

I wonder what went wrong NOW? Shurely the Java sandbox must be one of those things that have no obvious errors, as opposed to obviously no errors.

I also wonder what will happen if that "Native Code Running in the Browser" thing takes off. That's gonna be Clouseau-level.

1
0
Bronze badge

Re: Does it work on Linux?

the security hole will be there in the Linux version but to do any damage you would most likely have to write a specific version of the exploit. The example there shows the windows calculator being started but you could just as easily write it to execute something in perl or bash.

1
0
Anonymous Coward

Re: Does it work on Linux?

Yes it works on Linux. Except that as virtually no one uses Linux probably no one will write any OS exploits that leverage it....

5
11
Silver badge
WTF?

Re: Does it work on Linux?

>Except that as virtually no one uses Linux

Except for most of the webservers on the internet and many of the backend data stores that also run on linux but there is no value in hacking corporate backends eh? I guess it's a bit higher risk than key logging Grandma's credit card and it's certainly a hell of a lot harder as well.

8
1
Linux

Re: Does it work on Linux?

Except that as virtually no one uses Linux... except virtually every web server, every large scale data store, all the Android Telephones, >90% of the routers you can buy, everyone in China with a computer, all the "smart" TVs, etc...........

6
1
Silver badge

Re: Does it work on Linux?

More to the point, does it work on Android's Dalvik?

2
0

Re: Does it work on Linux?

Even my 'dumb' 4 year old Tosh Regza runs Linux

0
0
Silver badge
WTF?

Re: Does it work on Linux?

Well if you're visiting websites on a web server with Java enabled in the browser, then you should be taken out and beaten with a ferret until you are very sore indeed.

1
0
