Feeds

back to article Patch often: Cyber-crim toolkits love stinky old gaping holes

More than two in three exploits kits that attempt to inject malware into web surfers' computers were developed in Russia - and at least one in two exploit rather old vulnerabilities. Blackhole 2.0 is the most often used hacking toolkit - installed on websites to attack and take over visitors' computers - but it targets fewer …

COMMENTS

This topic is closed for new posts.
Bronze badge

Updates?

So we should regularly update our Java runtimes?

Yeah, right...

0
0

This post has been deleted by its author

Gold badge
Unhappy

"So we should regularly update our Java runtimes?"

Or of course disable them.

Or just not connect to the internet.

Your choice.

0
0
Silver badge
Headmaster

Re: "So we should regularly update our Java runtimes?"

Or just not use the Java plugin.

It's amazing how many people are completely confused by the fact that having a "Java runtime" or a "Java JDK" does not imply that it will run Applets from the Internet unless the browser has been configured to do so or one runs JNLP files indiscriminately. Additionally, JVMs from some vendors may exhibit security problems, JVMs from other vendors may not.

In the December 2012 of IEEE Computer, Lee Garber (IEEE Computer Society’s senior news editor) writes about the Java (or rather, the Snoracle) Security wobbles and seems to be totally unsure about the difference between applet running and application running. He then cites Gary McGraw, chief technology officer of software-security consultancy Cigital (who he?) who proceeds to say:

“Java is beginning to show its age. There are many newer platforms that might be better from a security perspective, such as Ruby on Rails, HTML5, and .NET.”

Total confusion. Or lazyness. Or worse. RoR for running applets? .NET?? Securely??? I don't think so.

7
1
Silver badge

The first thing to do is to switch of the computer, unplug the phone line, disconnect the electricity, board up your doors then head down into the cellar.

Remove the shotgun from the cabinet, insert new catridge(s), put end of barrel into mouth and pull trigger.

There, no more problems ..... That's how to fool them damned ruskies............

Now isn't that a nice thought for a Monday morning...

( Statistically. I would think that you would be safer with the latest Java. even with its holes, than you would be with a 2 year old unpatched IE 6)....

4
1

how many times have I correctly told you that AV software doesn't work

a lot. but I continue to get thumbed down for pointing out the truth.

It's all a big scam. The AV companies don't write the viruses, but they sure do make a lot of money pushing pointless "fixes" to old viruses that are dead and buried, slowing down your computer, and NOT addressing the real threats of today. Half those virus definitions you care so much about are for old worms from the early 90s, like you would ever catch one anyway. Wake up.

2
9
Anonymous Coward

Re: how many times have I correctly told you that AV software doesn't work

Perhaps you get voted down for stuff unrelated to the post; for being a bit smug perhaps.

12
0
Anonymous Coward

Re: how many times have I correctly told you that AV software doesn't work

Not to be picky, but AVG and Avast seem to do quite well when you don't have to pay for updates.

1
0
Facepalm

to put it another way

Antivirus software is like putting up special barriers to protect your kids from Michael Jackson and Jimmy Savile long after they're both dead.

2
6
Anonymous Coward

to put it yet another way

Applying antivirus software to your computer is like spraying elephant diarrhoea over your open car to make it less likely to be stolen.

3
0
Silver badge

Re: to put it yet another way

I'd say its more like that annoying steering lock you put over your steering wheel. Its a pain to have to put it on and take it off, but your car looks less attractive to the thieves than one without it. They do the other cars but leave yours alone.

Or you could get something obscure that the thieves have difficulty selling on which makes you safer, but not invulnerable.

0
1
Silver badge
WTF?

"how many times have I correctly told you that AV software doesn't work"

So no anti virus software has ever picked up any malware?

Good, on that basis everyone should remove it immediately, as you say it's not needed, and there have NEVER been any detections, ever!

I feel much safer.

Next week folks, remove seatbelts, air-bags and crumple zones from your cars as not crashing is the best method of defence.

Idiot.

8
2
Bronze badge
Trollface

Re: "how many times have I correctly told you that AV software doesn't work"

Maybe so.

My own view is that while antivirus packages can stop some fo what attacks you, there are those packages that make your system slow and, in some cases, unusable because of all the extra crapware they bundle in with it. Added nag screens and popups that try to get you to "upgrade", pointless extra bits in the background that rarely do anything other than chew up resources, things that essentially duplicate what your software or OS do on their own...

While I like to have an A/V handy on my Windows system, I prefer to make sure that A/V is all it does.

2
0

Re: "how many times have I correctly told you that AV software doesn't work"

I think you are having trouble telling the difference between hardware, the laws of physics, your crap car analogy, and software - which is completely different. Try and write a software seatbelt. You are obviously on drugs.

0
6
FAIL

I ride around in a pimped out hearse

twin turbo, twin superchargers, 6 litre v12, flames down the side, blasting Breaking The Law by Judas Priest through a row of amps in the dead-body compartment.

WHY would I want to wear a seat belt?

0
3
Anonymous Coward

trauma inducing headline!

That headline brings back bad memory of goatse. Please stop referring to stinky old gaping holes.

1
0
(Written by Reg staff) Silver badge

Re: trauma inducing headline!

Perhaps you're right. Maybe we'll just stick to gaping holes.

Another solution would be to stop leaving bugs in software for people to exploit, but everyone makes mistakes in all industries so I'm not holding my breath on that one.

C.

1
0
Anonymous Coward

Re: trauma inducing headline!

"Another solution would be to stop leaving bugs in software for people to exploit, but everyone makes mistakes in all industries "

True. But when we're talking about stuff like buffer overflows, that's not a mistake, that's rank, steaming incompetence that would be easily prevented by proper coding, or easily fixed after the event by proper design and documentation (as opposed to fixing the same conceptual fault through fifty million discrete patches released over severla years).

The prevalence of repeated security flaws with some products indicates that they were originally coded by clods who didn't build to any sensible design, and left behind no useful documentation.

1
0
Silver badge
Trollface

Re: trauma inducing headline!

> holding my breath

Very recherché.

0
0
Gold badge
Unhappy

One of the features of CCM level 5 is

Not only do you find the bugs.

You find the holes in the process that allowed them through in the 1st place.

Then you fix all the similar cases in your code.

Sadly that's not likely to happen any time soon.

0
0

how much are the AV companies paying you to thumb down my posts

You don't take antiviral drugs every winter do you? No. Why not... you could get a cold and die unless you take your Tamiflu.

But Tamiflu doesn't work and neither does AV software.

0
3
Silver badge

Re: how much are the AV companies paying you to thumb down my posts

I am not paid by any AV companies - it would be nice though!

My experience is different from yours - AV works well enough alongside all the other precautions I take.

Out of interest, do you have the same hatred for firewall and anti-spyware manufacturers, or is it only AV producers that are singled out?

0
0

Re: is it only AV producers that are singled out?

Yes.

Firewalls are the dogs nuts, and also I give props to the guys maintaining the spam blacklists which are very effective. They are the real heroes. Everyone else is just trying to cash in on the perceived glory.

Anyone can surf the internet looking for viruses and call themselves a security researcher. It's the easiest job in the world.

1
0
Silver badge

Re: is it only AV producers that are singled out?

Interesting - thanks for taking the time to reply. As I said, I'm happy with my security-in-depth (it seems to work), and I'll keep my AV as part of that.

0
0
This topic is closed for new posts.