Java updates too much of a bother? Maybe online banking's just not for you

Security researchers have spotted a surge in attacks against online banking customers, thanks to a new strain of Java-exploiting Trojan Caphaw (aka Shylock). Over the last month or so the malware has targeted customers in at least 24 financial institutions, including Bank of Scotland, Barclays Bank, First Direct, Santander …

COMMENTS

This topic is closed for new posts.
  1. Muckminded

    Headline v2.0

    Maybe online banking with banks that require Java is just not for you

    1. benjymous

      Re: Headline v2.0

      That's not the issue - the Java is a trojan keylogger that phones home when you use internet banking - the internet bank doesn't (and surely isn't) need to be java related itself

      1. Anonymous Coward

        Re: the internet bank doesn't (and surely isn't) need to be java related

        the internet bank doesn't need to be (and surely isn't) java related

  2. Bronek Kozicki

    Luckily first direct does not use Java for its Internet banking. I disabled Java in Firefox a long time ago (following kind advice from Firefox itself) and I have another browser to use when I really have to be exposed to this ... Oracle-branded-illware.

  3. Filippo Silver badge

    If my bank required Java for online access, I would seriously consider changing bank.

  4. Anonymous Coward

    If you use business banking with the Royal Bank of Scotland you have to have Java. However what is truly appalling is that if you forget your password you are re-directed to another part of their system that REQUIRES Java 6, not 7, but 6.

  5. Anonymous Coward

    For God's Sake

    If you do not need Java then don't install it. Failing that, disable it in the browser.

  6. Cliff

    Do most people need Java any more?

    I mean, I must use Java once every 6 months yet the libraries sit there asking for updates frequently, becomes a massive pain. Decided to uninstall as opposed to keeping it patched. Wonder what the average user ever needs it installed for at all

    1. Lockwood

      Re: Do most people need Java any more?

      Minecraft.

      1. Anonymous Coward

        Re: Do most people need Java any more?

        Bl00dy Minecraft. A horribly, blocky, ****y pile of total and utter ****. And they add injury to insult by doing it in f***ing Java.

        Writing minecraft in Java was a bit like making car from twigs. Technically it is an impressive feat of endurance and determination, but the resultant product is still a misbegotten load of old rubbish.

        1. Anonymous Coward

          Re: Do most people need Java any more?

          "Writing minecraft in Java was a bit like making car from twigs"

          Pretty much the whole Android concept too....

          1. Anonymous Coward

            Re: Do most people need Java any more? @AC 11.48

            Oh yes and what are we going to use?

            What that other heap of steaming dung called .NET that has an even more dubious security record than Java.

  7. Conrad Longmore

    Most people do not need Java

    Most people do not need Java, the safest thing is to deinstall it. If you're a techy then there's a good chance that you might need it from time-to-time, but you always help to mitigate against threats with Firefox + NoScript.

    Keeping Java up-to-date is essential but also futile. There's usually an unpatched vulnerability in it. It really is a heap of crap.

  8. John Smith 19 Gold badge
    Unhappy

    So likely to hit the non IT literate pretty hard.

    Who a) Probably don't know they have Java installed. b) Don't know how insecure it is. c) Don't know how to disable it.

    So is Java's major use writing malware?

    1. Cliff

      Re: So likely to hit the non IT literate pretty hard.

      Not just writing malware...

      Writing butt-ugly, cross platform malware...

      1. John Smith 19 Gold badge
        Unhappy

        Re: So likely to hit the non IT literate pretty hard.

        "Not just writing malware...

        Writing butt-ugly, cross platform malware..."

        Yay. Java's developers must be so pleased at how successful their development environment has been.

    2. Anonymous Coward

      Re: So likely to hit the non IT literate pretty hard.

      It will hit the IT-literate harder: In any work environment there will be some kind of enterprise (like the starship, flaky, prone to exploits/explosion or ejecting cores) software that requires java and must be used - Or Else!

      The IT-literates' blood pressure will be elevated more by this than the IT-illiterates.

  9. This post has been deleted by its author

    1. Anonymous Coward

      Re: liability for unnecessary executability

      ... " Java or Javascript "...

      It's best not to lump Java and Javascript together - they are quite different.

      And while I agree that websites shouldn't need you to use Java, I think you'll have a pretty restricted online experience if you don't use Javascript.

      1. Flocke Kroes Silver badge

        I disabled javascript as soon as my browser supported it

        There was a bad time when this noticeably restricted which web sites would render properly, but there were always other places to go. Several sites I remember leaving because they required javascript are now working fine without it. I try enabling javascript occasionally. I find the results more irritating and horrible each time. Try turning javascript off occasionally, and see if you are happier without it.

        1. sabroni Silver badge
          Unhappy

          Re: I disabled javascript as soon as my browser supported it

          Unfortunately the option to disable JS is disappearing from "modern" browsers, it's gone from Firefox 23 already (thank fuck for noScript!)

          1. Anonymous Coward

            JavaScript != Java

            NoScript good.

            Good luck using things on the Internet without JS though!

  10. hammarbtyp
    FAIL

    It's not Java upgrade I hate....

    I would be far happier upgrading Java if it wasn't that each time I have to remember to un-select Ask.com and then spend days trying to remove the mess it makes of my browsers.

    I didn't realize Larry was so hard up that he still needed the $4.50 he got for every install of this little bugger

    1. noboard

      Re: It's not Java upgrade I hate....

      Yeah, as the updater always throws an invalid certificate warning I end up uninstalling and grabbing the latest version when I need it. Seeing that Ask toolbar always pisses me off as one day I'll forget to untick it.

  11. kryptonaut
    Headmaster

    Honing?

    ... part of an exploit kit honing in on vulnerable versions of Java.

    To hone - to put a keen edge on a sharp blade.

    To home in on something - to focus attention on, zero in on something.

    To hone in on something - ???? Gah!!!

    1. Captain DaFt

      Re: Honing?

      "To hone in on something - ???? Gah!!!"

      Right boys, here's where we'll put the bleeding edge!

  12. Soruk

    My Windows machine which has Java on it is a VM, which is only fired up when required (and seems to require an update every time I start it). Otherwise, I use a different machine which does not have Java installed.

  13. danjackson

    No centralised update management

    Maybe if Oracle would provide utilities for centrally managing Java updates then it wouldn't be such a problem.

  14. Bsquared

    Minecraft DOES require Java, but does not require it to be installed in your browser. I have the Java plugin for Firefox disabled and Minecraft runs quite happily outside under the 64-bit JVM. The plugin only gets enabled on the rare occasions I run browser-based Java apps (for molecular biology).

  15. David Ireland

    Why the hell doesn't the pseudo random domain name generation make it easy for law enforcement? Once you have the virus, you know all the command and control domains it will ever use. You can contact the registrars with the list, and tell them to forward any requests for those domains to law enforcement who can then attempt a sting.

    You could also offer a public blacklist for firewalls and DNS servers to use.

  16. John Smith 19 Gold badge
    Unhappy

    I only know that the NIST use Java.

    Anyone else worth looking at?

  17. Infernoz Bronze badge
    WTF?

    Anyone who /still/ has a Java browser plugin version earlier than 1.7 registered is retarded.

    What a retarded article, for an obsolete version of Java!

    The only JRE which should be installed on a machine and registered as a browser plugin currently is for Java 1.7, if you are running an older version (1.6 or earlier), because you ignored the JRE updater prompts, then complain when you get owned; you are a moron! If you run OS-X and Apple don't do timely update releases, blame Apple; same for other poorly supported OS.

    If any website requiring client side Java, including an intranet site, won't run with Java 1.7, flame the retarded owners, and blacklist it until it can. Website owners who require client side Java should ideally host only Java 1.7 compiled code, to force users to upgrade from unsafe versions.

    I am a Java developer who has to support Java 1.5 and 1.6, due to lazy software houses and cheap customers; however I only have the SDK installed for these, /never/ the JREs; the latter would be retarded!

    I have had a Java browser plugin installed for many years, but keep it up-to-date (1.7.0_40), so never get hit, and have never had issues with web sites using client hosted Java; so I regard Java slammers as trolls.

    1. ops4096
      WTF?

      Re: Anyone who /still/ has a Java browser plugin version earlier than 1.7 registered is retarded.

      A minor correction. The 64 bit version of Java has never had an automatic updater to notify the user of available upgrades. Users have to manually download and install the update. Simple but Tedious I'm sure and apparently too much for most. Another Oracle FAIL.
