
Kill that Java plugin now! New 0-day exploit running wild online

A new Java zero-day security vulnerability is already being actively exploited to compromise PCs. The best way to defend against the attacks is to disable any Java browser plugins on your systems. The offending bug is present in fully patched and up-to-date installations of the Java platform, now overseen by database giant …

COMMENTS

This topic is closed for new posts.


Bronze badge

Re: Does it work on Linux?

@asdf

Except for most of the webservers on the internet and many of the backend data stores that also run on Linux.

Except they're not generally used for web browsing, they're the servers, so they don't run the plugin in the first place to be vulnerable.

The handful of Linux desktop users don't represent a juicy enough target to bother with.

Bronze badge

Re: Does it work on Linux?

@Eddy Ito

"More to the point, does it work on Android's Dalvik?"

Android has got plenty of security foul ups as it is, so another would hardly make a difference...


Re: Does it work on Linux?

Also the in-flight seatback system on many major airlines, you know, the little screen that lets you play games, see your flight progress and airspeed, etc. I know it runs on Linux because I've seen it reboot (one of my row-mates pointed at it and said, "Hey, why is there a penguin on your screen?").

Speaking of which, what OS do the PLANES use?

"Prepare for boarding. . ."

Silver badge

Re: Does it work on Linux?

"Shurely the Java sandbox must be one of those things that have no obvious errors, as opposed to obviously no errors."

Well, to be fair, Java _is_ 1990s software. Back then I worked in a company where nobody saw the problem with a login which sent the username and password to the server, which then replied with the username and password of the sa account of the SQL server... unencrypted, of course. Back then people just knew less about security.

Silver badge

Re: Does it work on Linux?

The planes themselves use customized built-to-purpose systems for the most part because of the high standards for safety required. As for the onboard entertainment systems, it's not surprising. If what I see in other industries is any indication, it's a customized embedded Linux distro (possibly even a specialist distro like MontaVista), and it likely has no external network access (with the possible exception of when it's undergoing maintenance).


Re: Does it work on Linux?

Only for users of said webservers that also have the libjavaplugin linked to the browser - when's that going to happen? It's a webserver, not a workstation :)

Saying that, I only installed the Java plugin three days ago so as to use WebEx on my laptop; it is now disabled.

Silver badge

That feel when your JRE drops malware on Christmas

Kaspersky has this to say.

There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites. A few obfuscated files are being delivered to victim systems with names like Stretch.jar, Edit.jar, UTTER-OFFEND.JAR, and more. The first appearance of the exploit's prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time. At this point, it seems that the first instance of the particular 0day jar file contents ITW is 7550ce423b2981ad5d3aaa5691832aa6. Filenames for the class files remain the same until recently. It would be interesting to see an earlier instance.


Minecraft

You need JRE to play Minecraft. Don't sneer - my 8-year-old son would be devastated if I had to kill Minecraft because Java is so woefully insecure.

But I guess you can disable the browser plugin and still run the standalone Minecraft with JRE active??


Re: Minecraft

^ This. Both my kids play Minecraft and eldest plays Tekkit.


Re: Minecraft

You don't *have* to run Minecraft through the browser though. You can install Java without adding the plugin to your browser and just run the downloadable Minecraft exe.

Bronze badge

Click to activate

You should set ALL browser plugins to only activate when clicked. Plugins are used for complex tasks that HTML 5 can't handle, and complex tasks always have bugs.

Anonymous Coward

Re: Click to activate

Better make sure if you are running Chrome that you switch to something safer like IE9 or IE10 too:

http://secunia.com/advisories/51825/


The Irish Revenue service requires Java

https://www.ros.ie/PublisherServlet/requirements

"ROS makes extensive use of Java applets in order to keep your data secure."

Oh, the irony.

Bronze badge

"Java support in web browsers is not mandatory for home users, unless required by a banking website"

Oh, the irony

Anonymous Coward

5.000.000 Danish people have to use Java

The government of Denmark created the monopoly NemID, a supposedly 'secure' means of logging in to internet banking and government institutions. Guess what? It's Java based.

So since more and more things now use NemID, more and more people are TOTALLY reliant on it.

I can't log in to online poker sites, or internet banking or interact with the tax authorities etc etc. without the NemID.

Way to go Denmark, for creating a monopolized system that is totally reliant on some broken 3rd-party software owned by the Americans.

Fun fact: NemID stores all the encryption keys, for the entire population, in a central place. Before, each person had his/her own key on their own computer. Now it is centralized and therefore highly interesting for hackers. And what happens when the Chinese buy the *private institution* that runs the NemID monopoly?


Re: 5.000.000 Danish people have to use Java

To be fair, NemID does work much better than Rejsekortet; it's a copy-paste of the Oyster card with several freight-train loads of fail attached. The currently planned model has somebody like me, who uses public transport every day, needing two cards.

One to cover the regular trundle to and from work, and another one for when I dare to travel outside my allotted zone.

So how is this better than the cardboard-based travel card and prepaid "serial ticket" system again?


Re: 5.000.000 Danish people have to use Java

Stop panicking there, NemID login requires you (besides login and password) to look up a challenge code on your personal NemID card. The Java vulnerability doesn't break NemID, as it cannot extend out into the physical world and read your NemID code card.


That reminds me - I forgot to re-enable Java in my browser since the last time this happened. Happily, that means I don't need to do anything now. Seems I don't really need Java enabled in my browser these days.


Photobox

uses a Java plug-in to upload pictures. My partner uses it; now how can I explain, in terms they will understand, that they can no longer use this website because it poses a security risk?

OK, we use Linux so the risks are lower, but it's still a risk. This is the only site that 'we' use that uses Java. I might just disable it and wait for the shouting to begin.

Bronze badge

Re: Photobox

Easy - uninstall Java, then use one of the other methods to upload photos (http://www.photobox.co.uk/my/album/upload/ftp). Fortunately, Photobox isn't stupid enough to rely on one method that relies on a dodgy plugin, so you are free to continue using it.

Bronze badge

Re: Photobox

Several web browsers let you be selective as to which web sites can run plugins. Or you can probably run a proxy server or web filter on your PC that imposes a similar restriction. So just allow Java on Photobox. And expect a fixed release fairly soon.

Silver badge

I'll say it till I'm blue in the face - EMET 3.0

It's designed to stop Zero Day Stuff.

Install it, set EMET to maximum security and then load up the application profile called 'ALL' in the EMET Program Folder/Deployment/Protection Profiles.

http://www.microsoft.com/en-us/download/details.aspx?id=29851

For God's sake, MS, just install this as standard and start using the bloody security you install by default.

Who cares if some bit of shareware from 1998 won't work if you do.


Partial solution if you cannot disable the Java browser plugin for whatever reason

There is only a need to be concerned about deliberately malicious sites, or non-malicious sites which may have been hacked. If you really can't avoid Java applets, switch to using Firefox and install the NoScript plugin. Only allow Java for trusted sites. You can even permit specific objects (applets) on a trusted site, so a hacker would have to deploy a malicious version of the specific applet(s) you have permitted on a trusted site in order to compromise your security.

Silver badge

Disable Java?

Excellent, can I go home now as I no longer can do my job.

Bronze badge

After the last scare, I removed Java from all my PCs (except I had to put it back on my PC as PS3 Media Player needed it).

Not once have I ever needed to install it again. Not once have I come across a website that needed it. And I surf a ton of varied websites every day.


I've not needed to use Java in years.

I wanted to try Minecraft the other month until I realised it requires JRE.

I'll just wait for a native Windows version if they ever create one.

Anonymous Coward

Java / Javascript

I'd cheerfully string up the person who thought that naming whichever of those two came second similarly to the first was a good idea.

But we are stuck with it :(

However, apart from those poor souls mentioned earlier, who are stuck with Java, the rest of us can vote with our feet if something that should be secure, like internet banking, requires either, or both, because NEITHER is required.

When you do move, tell them WHY, eventually they will get the message.

Two banks that meet the criteria: Co-op and HBOS (possibly Lloyds as well).

A browser: NetSurf (this has a non-JavaScript build available); there are others.

Thanks for reading.


What is the problem?

Guys, just about all software contains security issues / bugs. This being said the error in question sounds serious.

As many have pointed out Java (as in applets) is still widely used by many websites.

What I cannot understand is why it needs to be a completely binary question whether I want to use it from within the browser or not. Why can't I have a solution where the browser would prompt me before executing any applet (the prompt would need to come regardless of whether the applet is trusted/signed or not)? This way I could answer 'yes' for the sites I trust (e.g. my netbank) and 'no' for the ones I do not trust. Is this really not possible? Why would I have to completely disable the plug-in?

Adding to this functionality the browser could be configured so it would answer 'yes' by default for sites on the local intranet? That is what corporate organizations would be looking for.

Perhaps this is already possible in some browsers?

If not, then why doesn't such a feature exist? What am I missing?

To me all kinds of code that does more than just HTML is potentially a security risk. This includes Java, Javascript, .Net, and what have you. I would like to be prompted every time a site tries to execute code that does more than HTML.


Use NoScript extension for Firefox

As a follow-up to my post above "What is the problem?" I've tested out the NoScript extension for Firefox. It does the job for me so I do not have to disable Java in the browser.

Strange that these IT security organizations are unaware of such solutions?

... and even stranger that such solutions are not part of the browser by default.

Anonymous Coward

JAVA + iframe, frame, xframe

Poor old govt agencies can't get cudo's for dumping (1994-6?) 15 year old "good dump java advice" , pre-dick't another 20 years late for the "early frame workz abandonment"

While JAVA wasn't isn't oh hell nevermind why waste my finger, knew this a LONG time ago

Today if you are blind, you know framework isn't your friend, so out the web-stain-mangle-master's who still publishes kit and caboodle in *frame = unfiltered death

Bronze badge

Patch/Fix Coming Soon?

Per:

http://www.pcworld.com/article/2025171/oracle-says-java-update-coming-tuesday.html

It is coming Tuesday... More at the URL.


Re: Patch/Fix Coming Soon?

Nope - the patch has already been released by Oracle. 7u11 is available:

http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

