Non-admin accounts, Software Restriction Policies, etc etc etc etc
McRAT ensures its persistence by writing a copy of itself as a DLL and making registry modifications
Lather, rinse, repeat.
A new Java zero-day vulnerability is being exploited by attackers, and until it is patched everyone should disable Java in their browser. The vulnerability targets browsers that have the latest version of the Java plugin installed – Java v1.6 Update 41 and Java v1.7 Update 15 – malware researchers FireEye reported on Thursday. …
McRAT ensures its persistence by writing a copy of itself as a DLL and making registry modifications
Lather, rinse, repeat.
Non-admin accounts are a good start, but can still be an issue if the 'virus' is persistent and updates from a server. The next local privilege exploit can then be used to fully own the machine.
Software restriction has worked great for me in larger businesses with AD and well defined use policies, but outside of that in the small business arena and standalone computer market it doesn't really exist in an easy to manage fashion.
Glad we only use .Net - Java is a security and a maintenance nightmare, with loads of code being dependant on legacy versions of the JRE...
Get rid of Windows. Install something that works properly!
Erm so that you can install something with over 900 vulnerabilities in the kernel alone, and that has to have bolts ons like 'SEL' to even approach the inbuilt security in Windows, and that you have to run an 'experimental' file system on to even get proper ACLs? No thanks...
The number of known exploits is irrelevant as Linux is developed publicly and openly admits its faults; NTKRNL is developed in secret and no one knows how many exploits it has.
GNU/Linux also does not usually have too many services enabled by default, so is harder to exploit. Windows however sacrifices security and needs to be heavily locked down, often requiring third party software at extra cost.
As for experimental file systems, ext4 is no experiment. There are others, we give you choice, unlike other OSs.
I do not know why do I even bother.
ACLs have been possible just installing the required tools for years.
And yes Windows since the days of NT 4 has have had much more security ACLs and granular controls than any other operating system in the world. It did not stop things like blaster, and certainly does not stop people using Java to exploit bugs in the underlying OS, and will not prevent the millions of holes IE still has.
I do not like Windows, and I do not like Java, they have in common that they are designed to make your life easier, and do not seem to be succeeding much at it.
Disagree with the AC, and agree with most of your post but
"Windows however sacrifices security and needs to be heavily locked down, often requiring third party software at extra cost"
Microsoft changed to a everything off by default stance' a few years ago. In 2012 you can even disable the GUI if/when you don't need it, and back on for occasional admin that's a shit in the CLI.
As Linux improves in accessibility and compatibility MS improves on security it seems. Best of both worlds on both platforms if you ask me.
If you need 3rd party tools to lock down Windows you don't - you need to fire your admin.
IE has had far fewer holes than Chrome, Firefox or Safari ever since IE7....
Core Server build (No GUI) has been available since Server 2008....
ext4 doesn't give you full ACLs like Windows. You need NFS4.1 for that....
The number of vulnerabilities is relevant. Its much easier to attack something with 900 known attack methods than something with say 100 known attack methods. The chances of an known exploit being exposed are much higher.
This can be seen in the fact that Linux based servers are far more likely to be hacked than Windows ones (even allowing for market share): http://www.zone-h.org/news/id/4737
'....the inbuilt security in Windows'
Hahahahahahahahahahahahahaha, not laughed so much in ages!
People I know working for Microsoft tend to tell that while there is more Linux on the internet there is more Windows on the intranet.
And the mostly used webserver is of course Apache.
From your link about 2010 stats.
"But we should not speak only about the Linux servers, the Windows Servers are also in the stats, (not) surprisingly still hacked by the same flaws like in year 2000 and early. Every year we also recorded a high number of the webdav and shares misconfiguration attacks. For webdav there are tons of the updates, for shares too, administrators just need to put their hands on it and update and/or change the configuration."
Windows since the days of NT 4 has have had much more security ACLs and granular controls than any other operating system in the world
Complete nonsense. While Windows of the NT heritage does offer decently granular security controls, they are by no means "much more [granular] than [in] any other operating system in the world". Many "big iron" OSes, for minicomputers and mainframes, offer security subsystems that can be configured in far more exacting ways, with a stunning array of eclectic rules, than anything available in Windows. Then there are OSes which were written to meet much tighter security criteria, such as Orange Book A-level security.
Perhaps more importantly, "more granular" isn't even a valid metric, except in the most general sense. If, say, ACF2 lets you restrict signon for a particular group of users to specific days of the week, is that "more granular" than Windows restricting it to particular times of day? (ACF2 can do the latter as well - this is just an example of why "granular" isn't one-dimensional.)
In Chrome at least, Java has a pernicious habit of re-enabling itself after every bloody update, something I only find out after some site requests permission to run an applet. It's bloody annoying to have to poll the settings to make sure all the plugins I want disabled are disabled. Fix it, Google.
In Firefox 19 at least it had notified me that 7r15 was vulnerable even before I read it online. Quick moving on the Mozilla team.
>"In Chrome at least, Java has a pernicious habit of re-enabling itself"
Never happened to me. What are you doing wrong?
There's quite a difference between running an application on Java to having a Java applet plugin enabled in your browser.
Over time as OSes get more and more secure the hackers turn to something less secure. PDFs, Flash and now Java.
"There's quite a difference between running an application on Java to having a Java applet plugin enabled in your browser. Over time as OSes get more and more secure the hackers turn to something less secure. PDFs, Flash and now Java."
Of course there's a difference. Thats not lost on me. Hackers /now/ turning to Flash, PDFs and Java? They turned to all of these in the 90s and have been there ever since.
Methinks you have a problem with Eadon?
There is a trail of Eadon abuse filtering through the threads..... Maybe you should lay off the personals a little bit.
No problem with the person or 50% of his posts but if he insists on posting absurd commentary as fact then no doubt he will reminded about it - hardly 'Eadon abuse'. Yeah he gets a hard time but i would expect that too if I was posting his comments. Anyway getting publically blasted by Trevor Pott is far closer to 'abuse' than the comments eadon gets.
OK. Have thought on your comment about he who I shall not mention, and I concede your point - there is quite a bit of that hereabouts. Therefore I have deleted my original post and posted an edited version below:
Edited version "Another one? This is like Java all through the nineties and noughties. Never ending."
Never let it be said that I do not listen to criticism. I am even big enough to say 'Sorry if it offended' to you know who.
A salute for you integrity!
... is this supposed to be an improvement?
I think that advice is wrong, just because an applet is signed it doesn't mean it's not malware. 'Very High' should be the minimum (prompt before running both signed and unsigned applets), but I don't trust Java enough now to not screw up somewhere there.
"and until it is patched everyone should disable Java in their browser."
The vast majority of users have no need to enable Java in their browser, ever. Any installer or update that re-enables the browser support without getting the user's permission first is IMHO performing an unauthorised modification and is therefore probably in breach of the law in several countries.
Yes, more useless cruft encumbering the screen is exactly what we need, because obvously 2 clicks to access the list of enabled plugins is FAR too much effort. I mean, you need it almost once a month, come on, we seriously can't be expected to add these 2 clicks a month to our all-too-busy schedule of refreshing El Reg's comment pages!
Not possible in Denmark. Most government/public service, bank etc... websites require it for authentication.
QuickJava plugin for firefox has on/ off toggle buttons for java, flash, silverlight, others right in the addons bar at bottom of the browser window. Pretty slick.
"Not possible in Denmark. Most government/public service, bank etc... websites require it for authentication"
I did not know this. So how does the Danish government handle exploit issues, since they are forcing people to use it?
Personally I have found 1 website that requires it that I use semi-regularly.
I run disabled by default at all other times.
thumbs up for the information.
Attack vector includes a DLL and Registry updates - so this Java attack only impacts Windows [not cross platform]
The particular dropped file flavour mentioned is presumably Windows only. The exploit itself is cross platform, and could just as easily exploit Linux or OS-X. Of course with minute and tiny market shares respectively there is less motivation for anyone to bother to do so...
.... it only affects Windows (l)users. Those of us bright enough to delete the Redmond rubbish don't (and won't) suffer from vulnerabilities like this.
Much as I hate to rain in your parade, my reading of the blog concurs with the AC above. The attack vector and payload are two discrete objects. In theory the attack could, if it was sophisticated enough to pick up the OS flavour, download a custom package and execute that.
With Linux there are greater obstacles to overcome, for example a Linux user is unlikely to be running as root whereas in Windows that is much more likely.
Don't let that stop you hating Microsoft though... They do deserve stick for some of the crap they have pulled, just not this....
You just keep telling yourself that until you get 0wned like Sony, Apple, etc. etc....
...is that Java is installed on umpty-thousand million computers and appliances worldwide.
I can live with Java not being on my computer but when I hear about Java being used in my car to program the brakes or that it's running my washing machine; do I have to now worry about people hacking into my laundry to put a red sock into my whites and Mossad hacking into my car's braking system.
And all I want are whiter whites and my car to make a significant difference to road traffic safety.
What sort of internet connectivity does your washing machine have?
Fibre, with a SOAP component.
> What sort of internet connectivity does your washing machine have?
I reckon it's only a matter of years (few of them, too) before your washing machine has its own IPv6 adress. A better question would be "what kind of java-enabled web browser does your washing macine have?". Appart from designer prototype I can't imagine anyone browsing the web from their washing machine in the foreseeable future. Laundry rooms have a distinct tendency of being a tad less cosy than bedrooms, living rooms, or even offices (the last one my be debatable...). Maybe that will change and laundry-room-web-browsing will be all the rage, but every time I ask my crystal ball about laundry-room web-browsing I feel like the abyss is gazing into me. Brrrrr
A big pipe?
Fortunately for web users the world over, the exploit "is not very reliable", the researchers write. In most cases, the payload fails to executive and leads to a JVM crash.
So, it's just normal Java code, then?
Java has extensive exceptions handling. Just because some programmers are shit and do:
// do something here
catch (Exception e)
System.err.println("Something went wrong");
Doesn't make Java bad. It's better than some sort of C++ address violation error and the details of a memory address.
> Doesn't make Java bad.
It very much does make Java an internal-use only, hack-prone, quick-and-dirty piece of (somewhat useful) shit.
In the case of Java there was too much emphasis put on the "whatever you type will work" angle and not enough on the "whatever you type won't cause an exploit" angle. In my book, that makes it a useful in-house dirty-hack-that just works language, but verily makes it a VERY bad language to be included as a browser plugin on a machine allowed to reach (and be reached) by the Wild Wild Net.
Yes, Java has extensive exceptions handling.
The language designers were so proud of it they made you put it in there twice, or three times, or four times. Each with its own finally. In every method.
If for some reason you tire of this unreadable unmaintainable mess you make every exception throwable up back to the main class where you do System.err.println("Something went wrong");
fscked by SHA-1 collision? Not so fast, says Linus Torvalds