Anyone still use Java? Isn't it just a pop up that wants to be updated?
Kill that Java plugin now! New 0-day exploit running wild online
A new Java zero-day security vulnerability is already being actively exploited to compromise PCs. The best way to defend against the attacks is to disable any Java browser plugins on your systems. The offending bug is present in fully patched and up-to-date installations of the Java platform, now overseen by database giant …
Sunday 13th January 2013 01:59 GMT Anonymous Coward
How do you play minecraft without Java?
But I think the more accurate question, does anyone still use web based java applets? Why are java browser plug ins installed by default anymore? Sure have an extra downloadable if absolutely necessary but it's so rare for anyone to need java in the browser why distribute it in the main runtime installer?
Sunday 13th January 2013 05:31 GMT the spectacularly refined chap
But I think the more accurate question, does anyone still use web based java applets? Why are java browser plug ins installed by default anymore? Sure have an extra downloadable if absolutely necessary but it's so rare for anyone to need java in the browser why distribute it in the main runtime installer?
The article made it clear that many users do still use web based Java apps. They may not be as endemic as they once were but that is beside the point: if even one service you need needs browser-based Java you need browser based Java and that is all there is to it. I have little option but to keep it around on my home machines because the web-based configuration for my Epson laser uses it extensively. Why should I replace an otherwise excellent printer just to satisfy somebody else's notion that it isn't needed?
Sunday 13th January 2013 10:23 GMT Anonymous Coward
Because most people don't need a Java browser plug in, and if you do then it would make far more sense to have it installed as a separate plug in.
To counter, just because your web-based printer configuration requires a Java web browser plugin why should I have to install a plug in that has never been secure.
Thursday 10th January 2013 19:55 GMT JanMeijer
Re: Banks and Government
One you said. danskebank.no. Granted, that's the Norwegian outlet of a Danish bank, but the situation is rather the same here in Norway. Quite annoying: every time Java comes with a security update they deny access to not 100% up-to-date Java clients. Guess what happens when there is no fix yet ;)
Friday 11th January 2013 01:05 GMT Anonymous Coward
Re: Banks and Government
Which Norwegian bank is that?
I've got two Norwegian banks (DnB and Skandia) and neither require Java. (JavaScript, yes, Java, no.)
If my bank required Java I would close the account. They are clearly employing imbeciles that don't understand today's security threats if they force their customers to use Java. What other crazy risks are they taking with their internal systems. No thanks, I'll go elsewhere.
For the one site a year that I visit that requires Java, I view it in an XP virtual machine which gets reverted to a clean state after visiting. Come to think of it, it's been several years since I've found a site that needed Java. Usually they don't have any content interesting enough to warrant firing up the XP virtual machine.
Friday 11th January 2013 12:24 GMT Shrike
Re: Banks and Government
pretty much all of them require Java.
the Danish government in all its "wisdom" decided to force a single sign-on solution for everything from government services to banks and a host of other things; if you are in contact with the banking sector or any segment of the government a NemID is required.
and it runs on Java.
and it does not properly support mobile systems.
and it's a "black box" in terms of what it does, nobody knows besides what can be gleaned from reverse engineering the applet.
and it's administered by a single private company on an exclusive contract.
and nobody has actual control over their digital ID, you have a cardboard card with key-pairs on to act as a very low tech authenticator. (two part authentication, enter password, enter the requested key, sensible enough really)
https://www.nemid.nu/om_nemid/about_nemid/
oh yea, most people keep them in their wallets, along with their social security card, so as a result you can perform a rather effective identity theft if you get a wallet with both, and empty out people's bank accounts come to think of it. (resetting a password requires your social security number, and a valid card, getting a new one does not, it's just mailed to your registered address after a phone call)
Thursday 10th January 2013 20:10 GMT Charles 9
Re: JavaScript != Java
It is in programmer's parlance, since the official symbol isn't on keyboards nor recognized by compilers (since the symbol is Unicode). At least it's the C- and derivative-standard notation rather than the BASIC notation of <>. Since many of us don't know the escape sequence for the official one, why don't we just let it go at !=?
Thursday 10th January 2013 21:24 GMT asdf
can't resist
Wasn't java originally touted as the most secure run time and language available? Didn't Oracle sell its software as Unbreakable for years? What happens when they join forces? How many critical vulnerabilities in the last few years? Adobe has competition for worst security in the industry.
Thursday 10th January 2013 23:56 GMT asdf
Re: can't resist
I notice Oracle quietly dropped the marketing after they were the keynote exploit at hacker conferences several years in a row. I also notice people don't talk about how unbelievable Java's security is any more what with it being a malware portal on even *nix based machines the last several years. Granted when your main competition on the web at the time was ActiveX, claiming to be the secure choice really was low hanging fruit.
Thursday 10th January 2013 22:25 GMT Anonymous Coward
Does it work on Linux?
"Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab". link
Thursday 10th January 2013 23:01 GMT Destroy All Monsters
Re: Does it work on Linux?
Good question.
I wonder what went wrong NOW? Shurely the Java sandbox must be one of those things that have no obvious errors, as opposed to obviously no errors.
I also wonder what will happen if that "Native Code Running in the Browser" thing takes off. That's gonna be Clouseau-level.
Saturday 12th January 2013 12:39 GMT Christian Berger
Re: Does it work on Linux?
"Shurely the Java sandbox must be one of those things that have no obvious errors, as opposed to obviously no errors."
Well to be fair, Java _is_ 1990s software. Back then I worked in a company where nobody saw the problem with a login which sent the username and password to the server, then replied with the username and password of the sa-account of the SQL-server... unencrypted of course. Back then people just knew less about security.
Thursday 10th January 2013 23:07 GMT Fuzz
Re: Does it work on Linux?
the security hole will be there in the Linux version but to do any damage you would most likely have to write a specific version of the exploit. The example there shows the windows calculator being started but you could just as easily write it to execute something in perl or bash.
Friday 11th January 2013 00:03 GMT asdf
Re: Does it work on Linux?
>Except that as virtually no one uses Linux
Except for most of the webservers on the internet and many of the backend data stores that also run on Linux, but there is no value in hacking corporate backends eh? I guess it's a bit higher risk than key logging Grandma's credit card and it's certainly a hell of a lot harder as well.
Saturday 12th January 2013 00:43 GMT bazza
Re: Does it work on Linux?
@asdf
Except for most of the webservers on the internet and many of the backend data stores that also run on linux
Except they're not generally used for web browsing, they're the servers, so they don't run the plugin in the first place to be vulnerable.
The handful of Linux desktop users don't represent a juicy enough target to bother with.
Monday 14th January 2013 08:35 GMT FreeTard
Re: Does it work on Linux?
Only for users of said webservers that also have the libjavaplugin linked to the browser - when's that going to happen? It's a webserver, not a workstation :)
Saying that, I only installed the javaplugin three days ago so as to use webex on my laptop, it is now disabled.
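The check FreeTard describes (is a Java plugin actually linked into the browser?) can be scripted rather than eyeballed. The following is an added example, not code from the post or from Oracle: it looks through the directories Firefox on Linux typically scans for NPAPI plugins (the directory list and the plugin file names are assumptions based on common JRE installs; distros vary) and reports any Java plugin it finds, resolving symlinks back to the JRE they point at. The disable step simply renames the file so it can be put back for the next WebEx call.

```python
import os

# File names the Sun/Oracle JRE has shipped as its Mozilla plugin over the years.
# libnpjp2.so is the current one; the other two are older names. (Assumed list.)
JAVA_PLUGIN_NAMES = ("libnpjp2.so", "libjavaplugin_oji.so", "libjavaplugin.so")

# Directories Firefox-family browsers scan for plugins on Linux (assumed typical
# locations; adjust for your distro). "~" is expanded at call time.
DEFAULT_PLUGIN_DIRS = (
    "~/.mozilla/plugins",
    "/usr/lib/mozilla/plugins",
    "/usr/lib64/mozilla/plugins",
    "/usr/lib/firefox/plugins",
)


def find_java_plugins(dirs=DEFAULT_PLUGIN_DIRS):
    """Return [(plugin_path, symlink_target_or_None)] for each Java plugin found.

    A symlink is the usual way the plugin is registered (it points into the
    JRE's lib directory), so the resolved target tells you which JRE is exposed.
    """
    found = []
    for d in dirs:
        d = os.path.expanduser(d)
        if not os.path.isdir(d):
            continue  # directory absent on this box; nothing registered there
        for name in sorted(os.listdir(d)):
            if name in JAVA_PLUGIN_NAMES:
                path = os.path.join(d, name)
                target = os.path.realpath(path) if os.path.islink(path) else None
                found.append((path, target))
    return found


def disable_plugin(path):
    """Unregister the plugin by renaming it; the browser only loads *.so names.

    Renaming rather than deleting keeps the symlink around for the day a site
    genuinely needs it, and is trivially reversible.
    """
    disabled = path + ".disabled"
    os.rename(path, disabled)
    return disabled


if __name__ == "__main__":
    hits = find_java_plugins()
    if not hits:
        print("no Java browser plugin registered in the scanned directories")
    for path, target in hits:
        print("Java plugin:", path, "->", target or "(regular file, not a symlink)")
        # Uncomment to actually unregister it:
        # print("renamed to", disable_plugin(path))
```

Run it as a normal user first (it only reads), then as whichever user owns the system-wide plugin directory if you want the rename to apply there. Note that this covers Firefox-style plugin directories only; a plugin registered some other way (or a browser with its own plugin path) is out of scope for this check.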
Saturday 12th January 2013 02:19 GMT cordwainer 1
Re: Does it work on Linux?
Also the in-flight seatback system on many major airlines, you know, the little screen that lets you play games, see your flight progress and airspeed, etc. I know it runs on Linux because I've seen it reboot (one of my row-mates pointed at it and said, "Hey, why is there a penguin on your screen?").
Speaking of which, what OS do the PLANES use?
"Prepare for boarding. . ."
Sunday 13th January 2013 20:55 GMT Charles 9
Re: Does it work on Linux?
The planes themselves use customized built-to-purpose systems for the most part because of the high standards for safety required. As for the onboard entertainment systems, it's not surprising. If what I see in other industries is any indication, it's a customized embedded Linux distro (possibly even a specialist distro like MontaVista), and it likely has no external network access (with the possible exception of when it's undergoing maintenance).
Thursday 10th January 2013 23:11 GMT Destroy All Monsters
That feel when your JRE drops malware on Christmas
There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites. A few obfuscated files are being delivered to victim systems with names like Stretch.jar, Edit.jar, UTTER-OFFEND.JAR, and more. The first appearance of the exploit's prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time. At this point, it seems that the first instance of the particular 0day jar file contents ITW is 7550ce423b2981ad5d3aaa5691832aa6. Filenames for the class files remain the same until recently. It would be interesting to see an earlier instance.
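The quoted write-up gives two kinds of indicator an analyst can pivot on: the MD5 of the first in-the-wild jar, and the observation that the class-file names inside the jar stayed the same even as the jar itself was renamed (Stretch.jar, Edit.jar, UTTER-OFFEND.JAR). A container-level hash only catches byte-identical copies; the member names survive repackaging. The following added example (not code from the post or from Kaspersky) scans jar files from a proxy cache or quarantine for both. The MD5 is the one quoted above; the class names are not given on this page, so the ones in KNOWN_BAD_CLASSES are constructed placeholders, as is the sample jar the script builds for itself.

```python
import hashlib
import io
import zipfile

# File hash quoted in the post above (first ITW instance of the 0-day jar contents).
KNOWN_BAD_MD5 = {"7550ce423b2981ad5d3aaa5691832aa6"}

# Placeholder class names: the page does not list the real ones, so these are
# constructed stand-ins for names an analyst would lift from a real sample.
KNOWN_BAD_CLASSES = {"Init.class", "Loader.class"}


def jar_indicators(data: bytes) -> dict:
    """Return the MD5 of a jar held in memory and the set of its .class member names.

    A jar is just a zip; directory prefixes are stripped so that a repackaged
    sample with the same classes under a different package path still matches.
    """
    md5 = hashlib.md5(data).hexdigest()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            classes = {n.rsplit("/", 1)[-1] for n in zf.namelist() if n.endswith(".class")}
    except zipfile.BadZipFile:
        classes = set()  # not a jar at all; the hash is still usable on its own
    return {"md5": md5, "classes": classes}


def match_iocs(data: bytes, bad_md5=KNOWN_BAD_MD5, bad_classes=KNOWN_BAD_CLASSES):
    """Return (indicators, hits): hits is a list of which IOC types matched."""
    ind = jar_indicators(data)
    hits = []
    if ind["md5"] in bad_md5:
        hits.append("md5:" + ind["md5"])
    overlap = ind["classes"] & bad_classes
    if overlap:
        hits.append("classes:" + ",".join(sorted(overlap)))
    return ind, hits


def build_sample_jar(class_names, manifest="Manifest-Version: 1.0\n") -> bytes:
    """Constructed sample jar for offline testing: members carry only the class-file
    magic bytes, not real bytecode, so it is harmless and obviously synthetic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name in class_names:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Two "renamed" drops with the same classes: different hash, same class-name hit.
    for label in ("Stretch.jar", "UTTER-OFFEND.JAR"):
        sample = build_sample_jar(["Init.class", "Helper.class"], manifest="Created-By: " + label + "\n")
        ind, hits = match_iocs(sample)
        print(label, ind["md5"], sorted(ind["classes"]), hits)
```

The point of the two-level check is exactly what the quote observes: a fresh repack of the same applet defeats the file hash but not the member-name match, so in practice the class-name list is the more durable indicator while the hash stays useful for exact-copy confirmation.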
Friday 11th January 2013 09:49 GMT Anonymous Coward
5.000.000 Danish people have to use Java
The government of Denmark created the monopoly NemID, a supposedly 'secure' means of logging in to internet banking and government institutions. Guess what? It's Java based.
So since more and more things are now using the NemID, then more and more people are TOTALLY reliant on it.
I can't log in to online poker sites, or internet banking or interact with the tax authorities etc etc. without the NemID.
Way to go Denmark, for creating a monopolized system that is totally reliant on some broken 3rd-party software owned by the Americans.
Fun fact: NemID stores all the encryption keys, for the entire population, in a central place. Before, each person had his/her own key on their own computer. Now it is centralized and therefore highly interesting for hackers. And what happens when the Chinese buy the *private institution* that runs the NemID monopoly?
Friday 11th January 2013 12:22 GMT Shrike
Re: 5.000.000 Danish people have to use Java
to be fair, NemID does work much better than Rejsekortet, which is a copy-paste of the Oyster card, with several freight-train loads of fail attached: the currently planned model has somebody like me, who uses public transport every day, needing two cards.
one to cover the regular trundle to and from work, and another one for when I dare to travel outside my allotted zone.
so how is this better than the cardboard based travel card and prepaid "serial ticket" system again?
Monday 14th January 2013 15:18 GMT skytrench
Re: 5.000.000 Danish people have to use Java
Stop panicking there, nemid login requires you (besides login and password) to lookup a challenge code on your personal nemid card. The Java vulnerability doesn't break nemid, as it cannot extend out into the physical world and read your nemid code card.
Friday 11th January 2013 10:39 GMT Leona A
Photobox
uses a Java plug in to upload pictures, my partner uses it, now how can I explain, in terms they will understand, that they can no longer use this website because it poses a security risk?
Ok we use Linux so the risks are lower, but it's still a risk. This is the only site that 'we' use that uses Java, I might just disable it and wait for the shouting to begin.
Friday 11th January 2013 11:19 GMT jason 7
I'll say it till I'm blue in the face - EMET3.0
It's designed to stop Zero Day Stuff.
Install it, set EMET to maximum security and then load up the application profile called 'ALL' in the EMET Program Folder/Deployment/Protection Profiles.
http://www.microsoft.com/en-us/download/details.aspx?id=29851
For god's sake MS just install this as standard and start using the bloody security you install by default.
Who cares if some bit of shareware from 1998 won't work if you do.
Friday 11th January 2013 11:22 GMT David Martin
Partial solution if you cannot disable the Java browser plugin for whatever reason
There is only need to be concerned about deliberately malicious sites, or non-malicious sites which may have been hacked. If you really can't avoid Java applets, switch to using Firefox and install the noscript plugin. Only allow Java for trusted sites. You can even permit specific objects (applets) on a trusted site, so a hacker would have to deploy a malicious version of the specific applet(s) you have permitted on a trusted site in order to compromise your security.
Friday 11th January 2013 14:24 GMT Anonymous Coward
Java / Javascript
I'd cheerfully string up the person who thought that naming which ever of those two came second, similar to the first, was a good idea.
But we are stuck with it :(
However, apart from those poor souls mentioned earlier, who are stuck with Java, the rest of us can vote with our feet if something that should be secure, like internet banking, requires either, or both, because NEITHER is required.
When you do move, tell them WHY, eventually they will get the message.
Two banks that meet the criteria Coop, & HBOS (possibly Lloyds as well).
A browser - NetSurf (this has a non-Javascript build available), there are others.
Thanks for reading.
Saturday 12th January 2013 11:55 GMT Ejnar
What is the problem?
Guys, just about all software contains security issues / bugs. This being said the error in question sounds serious.
As many have pointed out Java (as in applets) is still widely used by many websites.
What I cannot understand is why it needs to be a completely binary question whether I want to use it from within the browser or not. Why can't I have a solution where the browser would prompt me before executing any applet (the prompt would need to come regardless of whether the applet is trusted/signed or not)? This way I could answer 'yes' for the sites I trust (e.g. my netbank) and 'no' for the ones I do not trust. Is this really not possible? Why would I have to completely disable the plug-in?
Adding to this functionality the browser could be configured so it would answer 'yes' by default for sites on the local intranet? That is what corporate organizations would be looking for.
Perhaps this is already possible in some browsers?
If not, then why doesn't such feature exist? What am I missing?
To me all kinds of code that does more than just HTML is potentially a security risk. This includes Java, Javascript, .Net, and what have you. I would like to be prompted every time a site tries to execute code that does more than HTML.
Saturday 12th January 2013 17:30 GMT Ejnar
Use NoScript extension for Firefox
As a follow-up to my post above "What is the problem?" I've tested out the NoScript extension for Firefox. It does the job for me so I do not have to disable Java in the browser.
Strange that these IT security organizations are unaware of such solutions?
... and even stranger that such solutions are not part of the browser by default.
Sunday 13th January 2013 04:05 GMT Anonymous Coward
JAVA + iframe, frame, xframe
Poor old govt agencies can't get cudo's for dumping (1994-6?) 15 year old "good dump java advice" , pre-dick't another 20 years late for the "early frame workz abandonment"
While JAVA wasn't isn't oh hell nevermind why waste my finger, knew this a LONG time ago
Today if you are blind, you know framework isn't your friend, so out the web-stain-mangle-master's who still publishes kit and caboodle in *frame = unfiltered death