Java updates too much of a bother? Maybe online banking's just not for you

Security researchers have spotted a surge in attacks against online banking customers, thanks to a new strain of Java-exploiting Trojan Caphaw (aka Shylock). Over the last month or so the malware has targeted customers in at least 24 financial institutions, including Bank of Scotland, Barclays Bank, First Direct, Santander …

COMMENTS

This topic is closed for new posts.

Headline v2.0

Maybe online banking with banks that require Java is just not for you

12
3

Re: Headline v2.0

That's not the issue - the Java is a trojan keylogger that phones home when you use internet banking - the internet bank doesn't (and surely isn't) need to be java related itself

7
0
Anonymous Coward

Re: the internet bank doesn't (and surely isn't) need to be java related

the internet bank doesn't need to be (and surely isn't) java related

0
0
Bronze badge

Luckily first direct does not use Java for its Internet banking. I disabled Java in Firefox a long time ago (following kind advice from Firefox itself) and I have another browser to use when I really have to be exposed to this ... Oracle-branded-illware.

1
1

If my bank required Java for online access, I would seriously consider changing bank.

4
0
Anonymous Coward

If you use business banking with the Royal Bank of Scotland you have to have Java. However what is truly appalling is that if you forget your password you are re-directed to another part of their system that REQUIRES Java 6, not 7, but 6.

4
0
Anonymous Coward

For God's Sake

If you do not need Java then don't install it. Failing that, disable it in the browser.

6
0
Silver badge

Do most people need Java any more?

I mean, I must use Java once every 6 months yet the libraries sit there asking for updates frequently, which becomes a massive pain. Decided to uninstall as opposed to keeping it patched. Wonder what the average user ever needs it installed for at all.

2
0

Re: Do most people need Java any more?

Minecraft.

5
0
Silver badge

Re: Do most people need Java any more?

Bl00dy Minecraft. A horribly, blocky, ****y pile of total and utter ****. And they add injury to insult by doing it in f***ing Java.

Writing minecraft in Java was a bit like making car from twigs. Technically it is an impressive feat of endurance and determination, but the resultant product is still a misbegotten load of old rubbish.

4
5
Anonymous Coward

Re: Do most people need Java any more?

"Writing minecraft in Java was a bit like making car from twigs"

Pretty much the whole Android concept too....

4
7
Anonymous Coward

Re: Do most people need Java any more? @AC 11.48

Oh yes, and what are we going to use?

What, that other heap of steaming dung called .NET that has an even more dubious security record than Java?

8
0

Most people do not need Java

Most people do not need Java; the safest thing is to deinstall it. If you're a techy then there's a good chance that you might need it from time to time, but you can always help to mitigate against threats with Firefox + NoScript.

Keeping Java up-to-date is essential but also futile. There's usually an unpatched vulnerability in it. It really is a heap of crap.

2
0
Gold badge
Unhappy

So likely to hit the non IT literate pretty hard.

Who a) Probably don't know they have Java installed. b) Don't know how insecure it is. c) Don't know how to disable it.

So is Java's major use writing malware?

3
0
Silver badge

Re: So likely to hit the non IT literate pretty hard.

Not just writing malware...

Writing butt-ugly, cross platform malware...

6
1
Anonymous Coward

Re: So likely to hit the non IT literate pretty hard.

It will hit the IT-literate harder: In any work environment there will be some kind of enterprise (like the starship, flaky, prone to exploits/explosion or ejecting cores) software that requires java and must be used - Or Else!

The IT-literates' blood pressure will be elevated more by this than the IT-illiterates'.

1
0
Gold badge
Unhappy

Re: So likely to hit the non IT literate pretty hard.

"Not just writing malware...

Writing butt-ugly, cross platform malware..."

Yay. Java's developers must be so pleased at how successful their development environment has been.

1
1
Bronze badge
Thumb Down

liability for unnecessary executability

Companies whose websites force you to use Java or Javascript should be liable for any drive-by downloads or other malware you get.

4
2
Anonymous Coward

Re: liability for unnecessary executability

... " Java or Javascript "...

It's best not to lump Java and Javascript together - they are quite different.

And while I agree that websites shouldn't need you to use Java, I think you'll have a pretty restricted online experience if you don't use Javascript.

8
0
Silver badge

I disabled javascript as soon as my browser supported it

There was a bad time when this noticeably restricted which web sites would render properly, but there were always other places to go. Several sites I remember leaving because they required javascript are now working fine without it. I try enabling javascript occasionally. I find the results more irritating and horrible each time. Try turning javascript off occasionally, and see if you are happier without it.

2
1
Silver badge
Unhappy

Re: I disabled javascript as soon as my browser supported it

Unfortunately the option to disable JS is disappearing from "modern" browsers, it's gone from Firefox 23 already (thank fuck for noScript!)

2
1
Anonymous Coward

JavaScript != Java

NoScript good.

Good luck using things on the Internet without JS though!

1
0
Silver badge
FAIL

It's not Java upgrade I hate....

I would be far happier upgrading Java if it wasn't that each time I have to remember to un-select Ask.com and then spend days trying to remove the mess it makes of my browsers.

I didn't realize Larry was so hard up that he still needed the $4.50 he got for every install of this little bugger

16
0

Re: It's not Java upgrade I hate....

Yeah, as the updater always throws an invalid certificate warning I end up uninstalling and grabbing the latest version when I need it. Seeing that Ask toolbar always pisses me off as one day I'll forget to untick it.

3
0
Headmaster

Honing?

... part of an exploit kit honing in on vulnerable versions of Java.

To hone - to put a keen edge on a sharp blade.

To home in on something - to focus attention on, zero in on something.

To hone in on something - ???? Gah!!!

13
0
Silver badge

Re: Honing?

"To hone in on something - ???? Gah!!!"

Right boys, here's where we'll put the bleeding edge!

2
0

My Windows machine which has Java on it is a VM, which is only fired up when required (and seems to require an update every time I start it). Otherwise, I use a different machine which does not have Java installed.

0
0

No centralised update management

Maybe if Oracle would provide utilities for centrally managing Java updates then it wouldn't be such a problem.

1
0

Minecraft DOES require Java, but does not require it to be installed in your browser. I have the Java plugin for Firefox disabled and Minecraft runs quite happily outside under the 64-bit JVM. The plugin only gets enabled on the rare occasions I run browser-based Java apps (for molecular biology).

3
0

Why the hell doesn't the pseudo random domain name generation make it easy for law enforcement? Once you have the virus, you know all the command and control domains it will ever use. You can contact the registrars with the list, and tell them to forward any requests for those domains to law enforcement who can then attempt a sting.

You could also offer a public blacklist for firewalls and DNS servers to use.

1
0
Gold badge
Unhappy

I only know that the NIST use Java.

Anyone else worth looking at?

0
0
Bronze badge
WTF?

Anyone who /still/ has a Java browser plugin version earlier than 1.7 registered is retarded.

What a retarded article, for an obsolete version of Java!

The only JRE which should be installed on a machine and registered as a browser plugin currently is for Java 1.7, if you are running an older version (1.6 or earlier), because you ignored the JRE updater prompts, then complain when you get owned; you are a moron! If you run OS-X and Apple don't do timely update releases, blame Apple; same for other poorly supported OS.

If any website requiring client side Java, including an intranet site, won't run with Java 1.7, flame the retarded owners, and blacklist it until it can. Website owners who require client side Java should ideally host only Java 1.7 compiled code, to force users to upgrade from unsafe versions.

I am a Java developer who has to support Java 1.5 and 1.6, due to lazy software houses and cheap customers; however I only have the SDK installed for these, /never/ the JREs; the latter would be retarded!

I have had a Java browser plugin installed for many years, but keep it up-to-date (1.7.0_40), so never get hit, and have never had issues with web sites using client hosted Java; so I regard Java slammers as trolls.

2
4
WTF?

Re: Anyone who /still/ has a Java browser plugin version earlier than 1.7 registered is retarded.

A minor correction. The 64 bit version of Java has never had an automatic updater to notify the user of available upgrades. Users have to manually download and install the update. Simple but tedious, I'm sure, and apparently too much for most. Another Oracle FAIL.

1
0