back to article Yet another Java zero-day vuln is being exploited

A new Java zero-day vulnerability is being exploited by attackers, and until it is patched everyone should disable Java in their browser. The vulnerability targets browsers that have the latest version of the Java plugin installed – Java v1.6 Update 41 and Java v1.7 Update 15 – malware researchers FireEye reported on Thursday. …

COMMENTS

This topic is closed for new posts.

Non-admin accounts, Software Restriction Policies, etc etc etc etc

McRAT ensures its persistence by writing a copy of itself as a DLL and making registry modifications

Lather, rinse, repeat.

4
0

Re: Non-admin accounts, Software Restriction Policies, etc etc etc etc

Non-admin accounts are a good start, but can still be an issue if the 'virus' is persistent and updates from a server. The next local privilege exploit can then be used to fully own the machine.

Software restriction has worked great for me in larger businesses with AD and well defined use policies, but outside of that in the small business arena and standalone computer market it doesn't really exist in an easy to manage fashion.

0
0
Anonymous Coward

Re: Non-admin accounts, Software Restriction Policies, etc etc etc etc

Glad we only use .Net - Java is a security and a maintenance nightmare, with loads of code being dependent on legacy versions of the JRE...

2
6
Linux

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

Simple fix:

Get rid of Windows. Install something that works properly!

4
5
Anonymous Coward

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

Erm so that you can install something with over 900 vulnerabilities in the kernel alone, and that has to have bolt-ons like 'SEL' to even approach the inbuilt security in Windows, and that you have to run an 'experimental' file system on to even get proper ACLs? No thanks...

4
10
Silver badge

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

The number of known exploits is irrelevant as Linux is developed publicly and openly admits its faults; NTKRNL is developed in secret and no one knows how many exploits it has.

GNU/Linux also does not usually have too many services enabled by default, so is harder to exploit. Windows however sacrifices security and needs to be heavily locked down, often requiring third party software at extra cost.

As for experimental file systems, ext4 is no experiment. There are others, we give you choice, unlike other OSs.

6
4
Silver badge
Linux

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

I do not know why I even bother.

ACLs have been possible just installing the required tools for years.

And yes Windows since the days of NT 4 has had much more security ACLs and granular controls than any other operating system in the world. It did not stop things like blaster, and certainly does not stop people using Java to exploit bugs in the underlying OS, and will not prevent the millions of holes IE still has.

I do not like Windows, and I do not like Java, they have in common that they are designed to make your life easier, and do not seem to be succeeding much at it.

3
0

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

Disagree with the AC, and agree with most of your post but

"Windows however sacrifices security and needs to be heavily locked down, often requiring third party software at extra cost"

Microsoft changed to an 'everything off by default' stance a few years ago. In 2012 you can even disable the GUI if/when you don't need it, and back on for occasional admin that's a shit in the CLI.

As Linux improves in accessibility and compatibility MS improves on security it seems. Best of both worlds on both platforms if you ask me.

If you need 3rd party tools to lock down Windows you don't - you need to fire your admin.

2
1
Anonymous Coward

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

IE has had far fewer holes than Chrome, Firefox or Safari ever since IE7....

0
3
Anonymous Coward

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

Core Server build (No GUI) has been available since Server 2008....

0
0
Anonymous Coward

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

ext4 doesn't give you full ACLs like Windows. You need NFS4.1 for that....

The number of vulnerabilities is relevant. It's much easier to attack something with 900 known attack methods than something with say 100 known attack methods. The chances of a known exploit being exposed are much higher.

This can be seen in the fact that Linux based servers are far more likely to be hacked than Windows ones (even allowing for market share): http://www.zone-h.org/news/id/4737

0
3
Anonymous Coward

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

'....the inbuilt security in Windows'

Hahahahahahahahahahahahahaha, not laughed so much in ages!

0
1
Silver badge
Pint

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

People I know working for Microsoft tend to tell that while there is more Linux on the internet there is more Windows on the intranet.

And the most used webserver is of course Apache.

From your link about 2010 stats.

"But we should not speak only about the Linux servers, the Windows Servers are also in the stats, (not) surprisingly still hacked by the same flaws like in year 2000 and early. Every year we also recorded a high number of the webdav and shares misconfiguration attacks. For webdav there are tons of the updates, for shares too, administrators just need to put their hands on it and update and/or change the configuration."

0
0
Silver badge

Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

Windows since the days of NT 4 has had much more security ACLs and granular controls than any other operating system in the world

Complete nonsense. While Windows of the NT heritage does offer decently granular security controls, they are by no means "much more [granular] than [in] any other operating system in the world". Many "big iron" OSes, for minicomputers and mainframes, offer security subsystems that can be configured in far more exacting ways, with a stunning array of eclectic rules, than anything available in Windows. Then there are OSes which were written to meet much tighter security criteria, such as Orange Book A-level security.

Perhaps more importantly, "more granular" isn't even a valid metric, except in the most general sense. If, say, ACF2 lets you restrict signon for a particular group of users to specific days of the week, is that "more granular" than Windows restricting it to particular times of day? (ACF2 can do the latter as well - this is just an example of why "granular" isn't one-dimensional.)

0
0
Coat

Just

Another

Vector of

Attack

15
0

Die, Java. Die.

In Chrome at least, Java has a pernicious habit of re-enabling itself after every bloody update, something I only find out after some site requests permission to run an applet. It's bloody annoying to have to poll the settings to make sure all the plugins I want disabled are disabled. Fix it, Google.

5
1

Re: Die, Java. Die.

In Firefox 19 at least it had notified me that 7r15 was vulnerable even before I read it online. Quick moving on the Mozilla team.

5
1
Silver badge
Stop

Re: Die, Java. Die.

>"In Chrome at least, Java has a pernicious habit of re-enabling itself"

Never happened to me. What are you doing wrong?

0
2

This post has been deleted by its author

Anonymous Coward

There's quite a difference between running an application on Java to having a Java applet plugin enabled in your browser.

Over time as OSes get more and more secure the hackers turn to something less secure. PDFs, Flash and now Java.

2
0
Anonymous Coward

"There's quite a difference between running an application on Java to having a Java applet plugin enabled in your browser. Over time as OSes get more and more secure the hackers turn to something less secure. PDFs, Flash and now Java."

Of course there's a difference. That's not lost on me. Hackers /now/ turning to Flash, PDFs and Java? They turned to all of these in the 90s and have been there ever since.

1
0
Anonymous Coward

AC19:38

Methinks you have a problem with Eadon?

There is a trail of Eadon abuse filtering through the threads..... Maybe you should lay off the personals a little bit.

4
4

This post has been deleted by its author

This post has been deleted by its author

Anonymous Coward

Re: AC19:38

No problem with the person or 50% of his posts but if he insists on posting absurd commentary as fact then no doubt he will be reminded about it - hardly 'Eadon abuse'. Yeah he gets a hard time but I would expect that too if I was posting his comments. Anyway getting publicly blasted by Trevor Pott is far closer to 'abuse' than the comments Eadon gets.

2
1
Anonymous Coward

Re: AC19:38

@AC22:16

OK. Have thought on your comment about he who I shall not mention, and I concede your point - there is quite a bit of that hereabouts. Therefore I have deleted my original post and posted an edited version below:

Edited version "Another one? This is like Java all through the nineties and noughties. Never ending."

Never let it be said that I do not listen to criticism. I am even big enough to say 'Sorry if it offended' to you know who.

2
0
Anonymous Coward

Re: AC19:38 AC 22:37

A salute for your integrity!

1
1
Meh

Java security settings to 'High' is actually the default setting...

... is this supposed to be an improvement?

0
0
Silver badge

Re: Java security settings to 'High' is actually the default setting...

I think that advice is wrong, just because an applet is signed it doesn't mean it's not malware. 'Very High' should be the minimum (prompt before running both signed and unsigned applets), but I don't trust Java enough now to not screw up somewhere there.

0
0
Gold badge

What's this "until it is patched" rubbish?

"and until it is patched everyone should disable Java in their browser."

The vast majority of users have no need to enable Java in their browser, ever. Any installer or update that re-enables the browser support without getting the user's permission first is IMHO performing an unauthorised modification and is therefore probably in breach of the law in several countries.

2
1
Anonymous Coward

Re: What's this "until it is patched" rubbish?

Browsers need better user interfaces. A nice series of switches on the status or toolbar with enable/disable switches for Java, Javascript, Flash and other "inline" plugins which you may have installed (Office).

0
2
Silver badge
WTF?

Re: What's this "until it is patched" rubbish?

"A nice series of switches on the status or toolbar with enable/disable switches for Java, Javascript, Flash and other "inline" plugins which you may have installed (Office)."

Yes, more useless cruft encumbering the screen is exactly what we need, because obviously 2 clicks to access the list of enabled plugins is FAR too much effort. I mean, you need it almost once a month, come on, we seriously can't be expected to add these 2 clicks a month to our all-too-busy schedule of refreshing El Reg's comment pages!

1
0
Anonymous Coward

Not possible in Denmark. Most government/public service, bank etc... websites require it for authentication.

0
0

Re: What's this "until it is patched" rubbish?

QuickJava plugin for Firefox has on/off toggle buttons for java, flash, silverlight, others right in the addons bar at bottom of the browser window. Pretty slick.

2
0
Gold badge
Thumb Up

"Not possible in Denmark. Most government/public service, bank etc... websites require it for authentication"

I did not know this. So how does the Danish government handle exploit issues, since they are forcing people to use it?

Personally I have found 1 website that requires it that I use semi-regularly.

I run disabled by default at all other times.

Thumbs up for the information.

0
0
WTF?

Attack vector includes a DLL and Registry updates - so this Java attack only impacts Windows [not cross platform]

2
0
Anonymous Coward

The particular dropped file flavour mentioned is presumably Windows only. The exploit itself is cross platform, and could just as easily exploit Linux or OS-X. Of course with minute and tiny market shares respectively there is less motivation for anyone to bother to do so...

1
2
Linux

Of course....

.... it only affects Windows (l)users. Those of us bright enough to delete the Redmond rubbish don't (and won't) suffer from vulnerabilities like this.

1
3

This post has been deleted by its author

Re: Of course....

Much as I hate to rain on your parade, my reading of the blog concurs with the AC above. The attack vector and payload are two discrete objects. In theory the attack could, if it was sophisticated enough to pick up the OS flavour, download a custom package and execute that.

With Linux there are greater obstacles to overcome, for example a Linux user is unlikely to be running as root whereas in Windows that is much more likely.

Don't let that stop you hating Microsoft though... They do deserve stick for some of the crap they have pulled, just not this....

3
0
Anonymous Coward

Re: Of course....

You just keep telling yourself that until you get 0wned like Sony, Apple, etc. etc....

0
0
Bronze badge
Mushroom

From what I hear...

...is that Java is installed on umpty-thousand million computers and appliances worldwide.

I can live with Java not being on my computer but when I hear about Java being used in my car to program the brakes or that it's running my washing machine; do I have to now worry about people hacking into my laundry to put a red sock into my whites and Mossad hacking into my car's braking system?

And all I want are whiter whites and my car to make a significant difference to road traffic safety.

0
3
Silver badge

Re: From what I hear...

What sort of internet connectivity does your washing machine have?

2
0
Coat

Re: From what I hear...

Fibre, with a SOAP component.

15
0
Silver badge

Re: From what I hear...

> What sort of internet connectivity does your washing machine have?

I reckon it's only a matter of years (few of them, too) before your washing machine has its own IPv6 address. A better question would be "what kind of java-enabled web browser does your washing machine have?". Apart from designer prototype I can't imagine anyone browsing the web from their washing machine in the foreseeable future. Laundry rooms have a distinct tendency of being a tad less cosy than bedrooms, living rooms, or even offices (the last one may be debatable...). Maybe that will change and laundry-room-web-browsing will be all the rage, but every time I ask my crystal ball about laundry-room web-browsing I feel like the abyss is gazing into me. Brrrrr

0
0
Bronze badge
Mushroom

Re: From what I hear...

A big pipe?

1
0
Bronze badge
Trollface

Fortunately for web users the world over, the exploit "is not very reliable", the researchers write. In most cases, the payload fails to execute and leads to a JVM crash.

So, it's just normal Java code, then?

7
1
Anonymous Coward

Java has extensive exceptions handling. Just because some programmers are shit and do:

try
{
    // do something here
}
catch (Exception e)
{
    e.printStackTrace();
    System.err.println("Something went wrong");
}

Doesn't make Java bad. It's better than some sort of C++ address violation error and the details of a memory address.

1
3
Silver badge

> Doesn't make Java bad.

It very much does make Java an internal-use only, hack-prone, quick-and-dirty piece of (somewhat useful) shit.

In the case of Java there was too much emphasis put on the "whatever you type will work" angle and not enough on the "whatever you type won't cause an exploit" angle. In my book, that makes it a useful in-house dirty-hack-that just works language, but verily makes it a VERY bad language to be included as a browser plugin on a machine allowed to reach (and be reached) by the Wild Wild Net.

2
3
Silver badge
Trollface

RAII FTW

Yes, Java has extensive exceptions handling.

The language designers were so proud of it they made you put it in there twice, or three times, or four times. Each with its own finally. In every method.

If for some reason you tire of this unreadable unmaintainable mess you make every exception throwable up back to the main class where you do System.err.println("Something went wrong");

4
2
