Kill that Java plugin now! New 0-day exploit running wild online

A new Java zero-day security vulnerability is already being actively exploited to compromise PCs. The best way to defend against the attacks is to disable any Java browser plugins on your systems. The offending bug is present in fully patched and up-to-date installations of the Java platform, now overseen by database giant …

COMMENTS

This topic is closed for new posts.
  1. dougal83

    Anyone still use Java? Isn't it just a pop up that wants to be updated?

    1. Destroy All Monsters

      No, we have all migrated to .NET

      HEUHEUHEUHEUUHEUUHURRRR

    2. Anonymous Coward

      How do you play minecraft without Java?

      But I think the more accurate question, does anyone still use web based java applets? Why are java browser plug ins installed by default anymore? Sure have an extra downloadable if absolutely necessary but it's so rare for anyone to need java in the browser why distribute it in the main runtime installer?

      1. the spectacularly refined chap

        But I think the more accurate question, does anyone still use web based java applets? Why are java browser plug ins installed by default anymore? Sure have an extra downloadable if absolutely necessary but it's so rare for anyone to need java in the browser why distribute it in the main runtime installer?

        The article made it clear that many users do still use web-based Java apps. They may not be as endemic as they once were, but that is beside the point: if even one service you need needs browser-based Java, you need browser-based Java and that is all there is to it. I have little option but to keep it around on my home machines because the web-based configuration for my Epson laser uses it extensively. Why should I replace an otherwise excellent printer just to satisfy somebody else's notion that it isn't needed?

        1. Anonymous Coward

          Because most people don't need a Java browser plug-in, and if you do then it would make far more sense to have it installed as a separate plug-in.

          To counter, just because your web-based printer configuration requires a Java web browser plugin why should I have to install a plug in that has never been secure.

    3. Anonymous Coward

      Anyone still use Java?

      Citrix GoToMeeting was the last time I needed it.

      Anyone using LibreOffice might want to upgrade to the latest version too, since previous versions bitched like hell if Java wasn't present.

    4. dougal83

      Lol, touched a geek nerve there. 19 down votes for a tongue in cheek remark. God I hope they are the retards who think JavaScript == Java. Note the expert use of CamelCase, ah I miss coding in Java back in the old days!

  2. Robert Helpmann??

    Anyone still use Java?

    Too many of the games sites that the missus enjoys.

  3. Philip Lewis

    Banks and Government

    Pretty much EVERY bank and ALL government sites in Denmark.

    It is pretty much impossible to function here without Java installed

    1. Test Man

      Re: Banks and Government

      Which bank or government sites?

      Name one, with URL.

      Serious question.

      I bet they use Javascript, which IS NOT Java.

      1. JanMeijer

        Re: Banks and Government

        One you said. danskebank.no. Granted, that's the Norwegian outlet of a Danish bank, but the situation is rather the same here in Norway. Quite annoying: every time Java comes with a security update they deny access to not-100%-up-to-date Java clients. Guess what happens when there is no fix yet ;)

        1. Charles 9

          Re: Banks and Government

          Any bets these banks that require Java get set up for drive-by attacks?

        2. Anonymous Coward

          Re: Banks and Government

          Which Norwegian bank is that?

          I've got two Norwegian banks (DnB and Skandia) and neither requires Java. (JavaScript, yes, Java, no.)

          If my bank required Java I would close the account. They are clearly employing imbeciles that don't understand today's security threats if they force their customers to use Java. What other crazy risks are they taking with their internal systems. No thanks, I'll go elsewhere.

          For the one site a year that I visit that requires Java, I view it in a XP virtual machine which gets reverted to a clean state after visiting. Come to think of it, it's been several years since I've found a site that needed Java. Usually they don't have any content interesting enough to warrant firing up the XP virtual machine.

          1. JanMeijer

            Re: Banks and Government

            Fokus bank, now Danske Bank. Uses a Java applet. I guess I should take it as good news to be unable to spend any money on frivolous bill paying until Oracle decides to fix java.

        3. Christian Berger

          Re: Banks and Government

          I wonder what happens if someone simply transfers money to X, then complains at the bank that he didn't do it, perhaps claiming he got hacked or something...

      2. Shrike

        Re: Banks and Government

        Pretty much all of them require Java.

        The Danish government in all its "wisdom" decided to force a single sign-on solution for everything from government services to banks and a host of other things; if you are in contact with the banking sector or any segment of the government, a NemID is required.

        and it runs on Java.

        and it does not properly support mobile systems.

        and it's a "black box" in terms of what it does, nobody knows besides what can be gleaned from reverse engineering the applet.

        and it's administered by a single private company on an exclusive contract.

        and nobody has actual control over their digital ID, you have a cardboard card with key-pairs on to act as a very low tech authenticator. (two part authentication, enter password, enter the requested key, sensible enough really)

        https://www.nemid.nu/om_nemid/about_nemid/

        Oh yeah, most people keep them in their wallets, along with their social security card, so as a result you can perform a rather effective identity theft if you get a wallet with both, and empty out people's bank accounts come to think of it. (Resetting a password requires your social security number and a valid card; getting a new one does not, it's just mailed to your registered address after a phone call.)

  4. John Smith 19

    Could be worse

    Some sites still demand Internet Explorer to display properly.

    Let's see how many complain if it's disabled.

  5. tempemeaty

    I violently agree with what's been said.

    I've complained for years about all the web sites that will not work without Java. Best example is trying to get in to email and having it say, "JavaScript required to sign in."

    1. Barry Dingle

      Re: I violently agree with what's been said.

      JavaScript != Java

    2. Anonymous Coward

      Re: I violently agree with what's been said.

      You can't be serious.

    3. kissingthecarpet

      Re: I violently agree with what's been said.

      Surely you troll.

  6. Anonymous Coward

    JavaScript != Java

    Obviously. One is a scripting language, and the other is a large island in Indonesia.

    1. Robert Helpmann??

      Re: JavaScript != Java

      !=

      Insert escape characters where you see fit.

      1. Charles 9

        Re: JavaScript != Java

        It is in programmer's parlance, since the official symbol isn't on keyboards nor recognized by compilers (since the symbol is Unicode). At least it's the C- and derivative-standard notation rather than the BASIC notation of <>. Since many of us don't know the escape sequence for the official one, why don't we just let it go at !=?

        1. tomban

          Re: BASIC notation of <>

          And SQL...

    2. Adam 1

      Re: JavaScript != Java

      Don't be daft. In this context, he is clearly referring to coffee.

    3. Notas Badoff

      Re: JavaScript != Java

      "Java is almost entirely of volcanic origin; it contains thirty-eight mountains forming an east-west spine which have at one time or another been active volcanoes."

      How many have gone off lately? Maybe we've exhausted them and we're done for awhile?

    4. I think so I am?

      Re: JavaScript != Java

      And also a hot beverage

  7. Katie Saucey

    Java security hole?

    To quote Yogi Beera, "It's like deja-vu, all over again".

    1. cordwainer 1

      Re: Yogi Beera. . .

      Might you mean Yogi Berra? (I think Yogi Beera is the guy who said, "It ain't over 'til it'sh orvrrrzzzzz...)

      1. Katie Saucey

        Re: Yogi Beera. . .

        Quite possibly quaffing pints was on my mind at the time of typing.

  8. John F***ing Stepp

    Huh,

    I just checked both computers and somehow I forgot to turn the plugin back on the last time they found a security hole.

    (or maybe the time before last, I am pretty lazy about crap I never use nor miss.)

  9. asdf

    can't resist

    Wasn't java originally touted as the most secure run time and language available? Didn't Oracle sell its software as Unbreakable for years? What happens when they join forces? How many critical vulnerabilities in the last few years? Adobe has competition for worst security in the industry.

    1. Daniel B.

      Re: can't resist

      I blame Oracle. They've fudged and shat all over the Sun stuff they bought. Is it any wonder that exploits have become commonplace *after* Oracle bought Sun?

      1. Lars

        Re: can't resist

        "*after* Oracle bought Sun". Do you feel Oracle has added "exploits" to Java after they bought Sun.

        Never mind, could not resist either.

        1. Robert Carnegie

          Re: can't resist

          Java 7 is Oracle's release so I suppose it's on them. New version, new bugs.

    2. Lars

      Re: can't resist

      It's called marketing and is all over the place, ever seen a car marketed as not being better than last year's.

      1. asdf

        Re: can't resist

        I notice Oracle quietly dropped the marketing after they were the keynote exploit at hacker conferences several years in a row. I also notice people don't talk about how unbelievable Java's security is any more, what with it being a malware portal on even *nix based machines the last several years. Granted, when your main competition on the web at the time was ActiveX, claiming to be the secure choice really was low-hanging fruit.

        1. Nuno trancoso

          Re: can't resist

          Dear sir, you have just made me spill my coffee...

          I hereby salute you ^^

      2. jason 7

        Re: can't resist

        Or a computing device described as 'magical'.

    3. Matt Bryant

      Re: can't resist

      Damn, that's the second asdf post I've upvoted in 24 hours - what is the World coming to!?!?

  10. Anonymous Coward

    Does it work on Linux?

    "Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab". link

    1. Destroy All Monsters

      Re: Does it work on Linux?

      Good question.

      I wonder what went wrong NOW? Shurely the Java sandbox must be one of those things that have no obvious errors, as opposed to obviously no errors.

      I also wonder what will happen if that "Native Code Running in the Browser" thing takes off. That's gonna be Clouseau-level.

      1. Eddy Ito

        Re: Does it work on Linux?

        More to the point, does it work on Android's Dalvik?

        1. tomban

          Re: Does it work on Linux?

          Even my 'dumb' 4 year old Tosh Regza runs Linux

        2. bazza

          Re: Does it work on Linux?

          @Eddy Ito

          "More to the point, does it work on Android's Dalvik?"

          Android has got plenty of security foul ups as it is, so another would hardly make a difference...

      2. Christian Berger

        Re: Does it work on Linux?

        "'Shurely the Java sandbox must be one of those things that have no obvious errors, as opposed to obviously no errors."

        Well to be fair, Java _is_ 1990s software. Back then I worked in a company where nobody saw the problem with a login which sent the username and password to the server, then replied with the username and password of the sa-account of the SQL-server... unencrypted of course. Back then people just knew less about security.

    2. Fuzz

      Re: Does it work on Linux?

      The security hole will be there in the Linux version, but to do any damage you would most likely have to write a specific version of the exploit. The example there shows the Windows calculator being started, but you could just as easily write it to execute something in Perl or bash.

    3. Anonymous Coward

      Re: Does it work on Linux?

      Yes it works on Linux. Except that as virtually no one uses Linux probably no one will write any OS exploits that leverage it....

      1. asdf

        Re: Does it work on Linux?

        >Except that as virtually no one uses Linux

        Except for most of the web servers on the internet and many of the backend data stores that also run on Linux, but there is no value in hacking corporate backends, eh? I guess it's a bit higher risk than key logging Grandma's credit card, and it's certainly a hell of a lot harder as well.

        1. Anonymous Coward

          Re: Does it work on Linux?

          Well if you're visiting websites on a web server with Java enabled in the browser, then you should be taken out and beaten with a ferret until you are very sore indeed.

        2. bazza

          Re: Does it work on Linux?

          @asdf

          Except for most of the webservers on the internet and many of the backend data stores that also run on linux

          Except they're not generally used for web browsing, they're the servers, so they don't run the plugin in the first place to be vulnerable.

          The handful of Linux desktop users don't represent a juicy enough target to bother with.

        3. FreeTard

          Re: Does it work on Linux?

          Only for users of said webservers that also have the libjavaplugin linked to the browser - when's that going to happen? It's a webserver, not a workstation :)

          Saying that, I only installed the javaplugin three days ago so as to use webex on my laptop, it is now disabled.

      2. AlbertH

        Re: Does it work on Linux?

        Except that as virtually no one uses Linux... except virtually every web server, every large scale data store, all the Android Telephones, >90% of the routers you can buy, everyone in China with a computer, all the "smart" TVs, etc...........

        1. cordwainer 1

          Re: Does it work on Linux?

          Also the in-flight seatback system on many major airlines, you know, the little screen that lets you play games, see your flight progress and airspeed, etc. I know it runs on Linux because I've seen it reboot (one of my row-mates pointed at it and said, "Hey, why is there a penguin on your screen?").

          Speaking of which, what OS do the PLANES use?

          "Prepare for boarding. . ."

          1. Charles 9

            Re: Does it work on Linux?

            The planes themselves use customized built-to-purpose systems for the most part because of the high standards for safety required. As for the onboard entertainment systems, it's not surprising. If what I see in other industries is any indication, it's a customized embedded Linux distro (possibly even a specialist distro like MontaVista), and it likely has no external network access (with the possible exception of when it's undergoing maintenance).

  11. Destroy All Monsters

    That feel when your JRE drops malware on Christmas

    Kaspersky has this to say.

    There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites. A few obfuscated files are being delivered to victim systems with names like Stretch.jar, Edit.jar, UTTER-OFFEND.JAR, and more. The first appearance of the exploit's prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time. At this point, it seems that the first instance of the particular 0day jar file contents ITW is 7550ce423b2981ad5d3aaa5691832aa6. Filenames for the class files remain the same until recently. It would be interesting to see an earlier instance.
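As an added defender-side example (not from the thread or from Kaspersky), the indicators quoted in this post run over constructed proxy log lines: the jar file names and the MD5 are the ones quoted above, while the log format, client addresses and host names are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Indicators taken from the Kaspersky excerpt quoted above: jar file names seen
# delivered by the Blackhole redirects, and the MD5 of the first observed jar.
IOC_JAR_NAMES = {"stretch.jar", "edit.jar", "utter-offend.jar"}
IOC_MD5 = {"7550ce423b2981ad5d3aaa5691832aa6"}

# Constructed Squid-style access log lines (sample data, not real traffic):
# timestamp, client IP, status, bytes, method, URL, referer ("-" if none).
SAMPLE_LOG = """\
1357476001.123 10.0.0.12 TCP_MISS/200 51234 GET http://news.example.co.uk/index.html -
1357476002.456 10.0.0.12 TCP_MISS/302 0 GET http://ads.example.net/serve?id=42 http://news.example.co.uk/index.html
1357476003.789 10.0.0.12 TCP_MISS/200 23456 GET http://landing.example.org/Stretch.jar http://ads.example.net/serve?id=42
1357476004.000 10.0.0.13 TCP_MISS/200 8765 GET http://cdn.example.com/app/helper.jar http://intranet.example.com/
1357476005.000 10.0.0.14 TCP_MISS/200 11111 GET http://landing.example.org/UTTER-OFFEND.JAR -
"""


def host(url: str) -> str:
    """Lower-cased host part of a URL, or '' when there is none (e.g. '-')."""
    return (urlsplit(url).hostname or "").lower()


def jar_name(url: str) -> str:
    """Lower-cased final path component of a URL, query string dropped."""
    path = url.split("?", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def find_suspicious_jar_requests(lines):
    """Return one dict per .jar fetch that deserves triage.

    severity "high": the file name is one of the quoted indicators.
    severity "low":  any other jar reached via a referer on a different host,
                     which is the ad network -> landing domain chain the
                     excerpt describes. Name matching is trivially evaded by
                     the attacker, so treat it as a lead, not as a verdict.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed or truncated line
        _ts, client, _status, _size, _method, url, referer = parts[:7]
        name = jar_name(url)
        if not name.endswith(".jar"):
            continue
        reasons = []
        if name in IOC_JAR_NAMES:
            reasons.append("known exploit jar name")
        if referer != "-" and host(referer) != host(url):
            reasons.append("cross-host referer " + host(referer))
        if not reasons:
            continue
        severity = "high" if name in IOC_JAR_NAMES else "low"
        hits.append({"client": client, "url": url,
                     "severity": severity, "reasons": reasons})
    return hits


def md5_matches_ioc(data: bytes) -> bool:
    """True if the MD5 of a retrieved file equals the hash quoted above."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


if __name__ == "__main__":
    for hit in find_suspicious_jar_requests(SAMPLE_LOG.splitlines()):
        print(hit["severity"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
```

The "low" hits are only worth following up in combination with other signals; the hash check is what confirms a retrieved file against the quoted indicator.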

  12. Bsquared

    Minecraft

    You need JRE to play Minecraft. Don't sneer - my 8-year-old son would be devastated if I had to kill Minecraft because Java is so woefully insecure.

    But I guess you can disable the browser plugin and still run the standalone Minecraft with JRE active??

    1. Smallbrainfield

      Re: Minecraft

      ^ This. Both my kids play Minecraft and eldest plays Tekkit.

    2. Mykilr

      Re: Minecraft

      You don't *have* to run minecraft through the browser though. You can install Java without adding the plugin to your browser and just run the downloadable minecraft exe.

  13. Kevin McMurtrie

    Click to activate

    You should set ALL browser plugins to only activate when clicked. Plugins are used for complex tasks that HTML 5 can't handle, and complex tasks always have bugs.

    1. Anonymous Coward

      Re: Click to activate

      Better make sure if you are running Chrome that you switch to something safer like IE9 or IE10 too:

      http://secunia.com/advisories/51825/

  14. John Latham

    The Irish Revenue service requires Java

    https://www.ros.ie/PublisherServlet/requirements

    "ROS makes extensive use of Java applets in order to keep your data secure."

    Oh, the irony.

  15. nuked

    "Java support in web browsers is not mandatory for home users, unless required by a banking website"

    Oh, the irony

  16. Anonymous Coward

    5.000.000 Danish people have to use Java

    The government of Denmark created the monopoly NemID, a supposedly 'secure' means of logging in to internet banking and government institutions. Guess what? It's Java based.

    So since more and more things are now using the NemID, then more and more people are TOTALLY reliant on it.

    I can't log in to online poker sites, or internet banking or interact with the tax authorities etc etc. without the NemID.

    Way to go Denmark, for creating a monopolized system that is totally reliant on some broken 3rd-party software owned by the Americans.

    Fun fact: NemID stores all the encryption keys, for the entire population, in a central place. Before, each person had his/her own key on their own computer. Now it is centralized and therefore highly interesting for hackers. And what happens when the Chinese buy the *private institution* that runs the NemID monopoly?

    1. Shrike

      Re: 5.000.000 Danish people have to use Java

      To be fair, NemID does work much better than Rejsekortet. That's a copy-paste of the Oyster card, with several freight-train loads of fail attached: the currently planned model has somebody like me, who uses public transport every day, needing two cards.

      One to cover the regular trundle to and from work, and another one for when I dare to travel outside my allotted zone.

      So how is this better than the cardboard-based travel card and prepaid "serial ticket" system again?

    2. skytrench

      Re: 5.000.000 Danish people have to use Java

      Stop panicking there, NemID login requires you (besides login and password) to look up a challenge code on your personal NemID card. The Java vulnerability doesn't break NemID, as it cannot extend out into the physical world and read your NemID code card.

  17. ContentsMayVary

    That reminds me - I forgot to re-enable Java in my browser since the last time this happened. Happily, that means I don't need to do anything now. Seems I don't really need Java enabled in my browser these days.

  18. Leona A

    Photobox

    uses a Java plug-in to upload pictures. My partner uses it; now how can I explain, in terms they will understand, that they can no longer use this website because it poses a security risk?

    Ok, we use Linux so the risks are lower, but it's still a risk. This is the only site that 'we' use that uses Java. I might just disable it and wait for the shouting to begin.

    1. Test Man

      Re: Photobox

      Easy - uninstall Java, then use one of the other methods to upload photos (http://www.photobox.co.uk/my/album/upload/ftp). Fortunately, Photobox isn't stupid enough to rely on one method that relies on a dodgy plugin, so you are free to continue using it.

    2. Robert Carnegie

      Re: Photobox

      Several web browsers let you be selective as to which web sites can run plugins. Or you can probably run a proxy server or web filter on your PC that imposes a similar restriction. So just allow Java on Photobox. And expect a fixed release fairly soon.

  19. jason 7

    I'll say it till I'm blue in the face - EMET3.0

    It's designed to stop Zero Day Stuff.

    Install it, set EMET to maximum security and then load up the application profile called 'ALL' in the EMET Program Folder/Deployment/Protection Profiles.

    http://www.microsoft.com/en-us/download/details.aspx?id=29851

    For god's sake MS just install this as standard and start using the bloody security you install by default.

    Who cares if some bit of shareware from 1998 won't work if you do.

  20. David Martin

    Partial solution if you cannot disable the Java browser plugin for whatever reason

    There is only a need to be concerned about deliberately malicious sites, or non-malicious sites which may have been hacked. If you really can't avoid Java applets, switch to using Firefox and install the NoScript plugin. Only allow Java for trusted sites. You can even permit specific objects (applets) on a trusted site, so a hacker would have to deploy a malicious version of the specific applet(s) you have permitted on a trusted site in order to compromise your security.

  21. Anonymous Coward

    Disable Java?

    Excellent, can I go home now as I no longer can do my job.

  22. Test Man

    After the last scare, I removed Java from all my PCs (except I had to put it back on my PC as PS3 Media Player needed it).

    Not once have I ever needed to install it again. Not once have I come across a website that needed it. And I surf a ton of varied websites every day.

  23. John70

    I've not needed to use Java in years.

    I wanted to try Minecraft the other month until I realised it requires the JRE.

    I'll just wait for a native Windows version if they ever create one.

  24. Anonymous Coward

    Java / Javascript

    I'd cheerfully string up the person who thought that naming whichever of those two came second similar to the first was a good idea.

    But we are stuck with it :(

    However, apart from those poor souls mentioned earlier, who are stuck with Java, the rest of us can vote with our feet if something that should be secure, like internet banking, requires either, or both, because NEITHER is required.

    When you do move, tell them WHY, eventually they will get the message.

    Two banks that meet the criteria Coop, & HBOS (possibly Lloyds as well).

    A browser - NetSurf (this has a non-Javascript build available), there are others.

    Thanks for reading.

  25. Ejnar

    What is the problem?

    Guys, just about all software contains security issues / bugs. This being said the error in question sounds serious.

    As many have pointed out Java (as in applets) is still widely used by many websites.

    What I cannot understand is why it needs to be a completely binary question whether I want to use it from within the browser or not. Why can't I have a solution where the browser would prompt me before executing any applet (the prompt would need to come regardless of whether the applet is trusted/signed or not)? This way I could answer 'yes' for the sites I trust (e.g. my netbank) and 'no' for the ones I do not trust. Is this really not possible? Why would I have to completely disable the plug-in?

    Adding to this functionality the browser could be configured so it would answer 'yes' by default for sites on the local intranet? That is what corporate organizations would be looking for.

    Perhaps this is already possible in some browsers?

    If not, then why doesn't such a feature exist? What am I missing?

    To me all kinds of code that does more than just HTML is potentially a security risk. This includes Java, Javascript, .Net, and what have you. I would like to be prompted every time a site tries to execute code that does more than HTML.

  26. Ejnar

    Use NoScript extension for Firefox

    As a follow-up to my post above "What is the problem?" I've tested out the NoScript extension for Firefox. It does the job for me so I do not have to disable Java in the browser.

    Strange that these IT security organizations are unaware of such solutions?

    ... and even stranger that such solutions are not part of the browser by default.

  27. Anonymous Coward

    JAVA + iframe, frame, xframe

    Poor old govt agencies can't get cudo's for dumping (1994-6?) 15 year old "good dump java advice" , pre-dick't another 20 years late for the "early frame workz abandonment"

    While JAVA wasn't isn't oh hell nevermind why waste my finger, knew this a LONG time ago

    Today if you are blind, you know framework isn't your friend, so out the web-stain-mangle-master's who still publishes kit and caboodle in *frame = unfiltered death

  28. dssf

    Patch/Fix Coming Soon?

    Per:

    http://www.pcworld.com/article/2025171/oracle-says-java-update-coming-tuesday.html

    It is coming Tuesday... More at the URL.

      1. o2bearebel

      Re: Patch/Fix Coming Soon?

      Nope - the patch has already been released by Oracle. 7u11 is available:

      http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
