Yet another Java zero-day vuln is being exploited

A new Java zero-day vulnerability is being exploited by attackers, and until it is patched everyone should disable Java in their browser. The vulnerability targets browsers that have the latest version of the Java plugin installed – Java v1.6 Update 41 and Java v1.7 Update 15 – malware researchers FireEye reported on Thursday …

COMMENTS

This topic is closed for new posts.
  1. Gordon Fecyk

    Non-admin accounts, Software Restriction Policies, etc etc etc etc

    McRAT ensures its persistence by writing a copy of itself as a DLL and making registry modifications

    Lather, rinse, repeat.
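    The persistence behaviour named above (a copy of the payload written out as a DLL, then a registry entry pointing at it) is something endpoint telemetry can be correlated for, and a default-deny Software Restriction Policy is one of the controls the post lists against it. The following is an added example, not code from the article or from FireEye's write-up: it runs a correlation rule over constructed Sysmon-style events and reports whether a path-based SRP would have refused the dropped file. The autostart keys, the Java host process names and the SRP allow-list are assumptions; the post does not say which keys or processes were involved.

```python
"""Correlate 'Java process wrote a DLL' with 'autostart registry value now points at it'.
Added example; event records are constructed, not real telemetry."""
from __future__ import annotations

# Autostart locations to watch (assumption: the thread does not name the keys McRAT used).
AUTOSTART_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
)
# What a default-deny SRP path rule set would leave as 'Unrestricted' (assumption).
SRP_ALLOWED_PREFIXES = (r"c:\program files", r"c:\windows")
# Processes that host applet code; jp2launcher.exe is the plugin launcher (assumption).
JAVA_PROCESSES = {"java.exe", "javaw.exe", "jp2launcher.exe"}


def _norm(path: str) -> str:
    """Case-fold and use backslashes so paths from different sources compare equal."""
    return path.replace("/", "\\").lower()


def srp_would_block(path: str) -> bool:
    """True if a default-deny path rule set would refuse to run/load this file.
    Caveat: SRP only covers DLLs when enforcement is set to 'all software files';
    the default enforcement level exempts libraries, so this is the stricter setting."""
    p = _norm(path)
    return not any(p.startswith(prefix) for prefix in SRP_ALLOWED_PREFIXES)


def find_dll_persistence(events: list[dict]) -> list[dict]:
    """Walk events in order; a hit is a registry autostart value whose data names a
    DLL that a Java host process created earlier in the same event stream."""
    dropped: dict[str, dict] = {}          # normalised DLL path -> file_create event
    hits: list[dict] = []
    for ev in events:
        if (ev["type"] == "file_create"
                and ev["image"].lower() in JAVA_PROCESSES
                and _norm(ev["target"]).endswith(".dll")):
            dropped[_norm(ev["target"])] = ev
        elif ev["type"] == "reg_set" and any(
                k.lower() in ev["key"].lower() for k in AUTOSTART_KEYS):
            for path, drop in dropped.items():
                if path in _norm(ev["data"]):
                    hits.append({"dll": path, "dropped_by": drop["image"],
                                 "key": ev["key"], "value": ev["value"],
                                 "srp_would_block": srp_would_block(path)})
    return hits


# Constructed timeline: the applet's JVM drops a DLL into the user profile and
# registers it under HKCU Run; a vendor installer writing to Program Files is benign.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": "jp2launcher.exe",
     "target": r"C:\Users\alice\AppData\Roaming\update.dll"},
    {"type": "reg_set", "image": "jp2launcher.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
     "data": r"rundll32.exe C:\Users\alice\AppData\Roaming\update.dll,Start"},
    {"type": "file_create", "image": "msiexec.exe",
     "target": r"C:\Program Files\Vendor\helper.dll"},
    {"type": "reg_set", "image": "msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Vendor",
     "data": r"C:\Program Files\Vendor\helper.exe"},
]

if __name__ == "__main__":
    for hit in find_dll_persistence(SAMPLE_EVENTS):
        print(hit)
```

    Running as a non-admin account limits the second write to HKCU, which is why the sample uses HKCU rather than HKLM; the rule deliberately does not care which hive is hit.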

    1. pixl97

      Re: Non-admin accounts, Software Restriction Policies, etc etc etc etc

      Non-admin accounts are a good start, but can still be an issue if the 'virus' is persistent and updates from a server. The next local privilege exploit can then be used to fully own the machine.

      Software restriction has worked great for me in larger businesses with AD and well defined use policies, but outside of that in the small business arena and standalone computer market it doesn't really exist in an easy to manage fashion.

      1. Anonymous Coward

        Re: Non-admin accounts, Software Restriction Policies, etc etc etc etc

        Glad we only use .Net - Java is a security and a maintenance nightmare, with loads of code being dependent on legacy versions of the JRE...

    2. AlbertH

      Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

      Simple fix:

      Get rid of Windows. Install something that works properly!

      1. Anonymous Coward

        Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

        Erm, so that you can install something with over 900 vulnerabilities in the kernel alone, and that has to have bolt-ons like 'SEL' to even approach the inbuilt security in Windows, and that you have to run an 'experimental' file system on to even get proper ACLs? No thanks...

        1. The BigYin

          Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

          The number of known exploits is irrelevant as Linux is developed publicly and openly admits its faults; NTKRNL is developed in secret and no one knows how many exploits it has.

          GNU/Linux also does not usually have too many services enabled by default, so is harder to exploit. Windows however sacrifices security and needs to be heavily locked down, often requiring third party software at extra cost.

          As for experimental file systems, ext4 is no experiment. There are others, we give you choice, unlike other OSs.

          1. The Original Steve

            Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

            Disagree with the AC, and agree with most of your post but

            "Windows however sacrifices security and needs to be heavily locked down, often requiring third party software at extra cost"

            Microsoft changed to an 'everything off by default' stance a few years ago. In 2012 you can even disable the GUI if/when you don't need it, and back on for occasional admin that's a shit in the CLI.

            As Linux improves in accessibility and compatibility MS improves on security it seems. Best of both worlds on both platforms if you ask me.

            If you need 3rd party tools to lock down Windows you don't - you need to fire your admin.

            1. Anonymous Coward

              Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

              Core Server build (No GUI) has been available since Server 2008....

          2. Anonymous Coward

            Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

            ext4 doesn't give you full ACLs like Windows. You need NFS4.1 for that....

            The number of vulnerabilities is relevant. It's much easier to attack something with 900 known attack methods than something with say 100 known attack methods. The chances of a known exploit being exposed are much higher.

            This can be seen in the fact that Linux based servers are far more likely to be hacked than Windows ones (even allowing for market share): http://www.zone-h.org/news/id/4737

            1. Lars Silver badge

              Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

              People I know working for Microsoft tend to tell that while there is more Linux on the internet there is more Windows on the intranet.

              And the mostly used webserver is of course Apache.

              From your link about 2010 stats.

              "But we should not speak only about the Linux servers, the Windows Servers are also in the stats, (not) surprisingly still hacked by the same flaws like in year 2000 and early. Every year we also recorded a high number of the webdav and shares misconfiguration attacks. For webdav there are tons of the updates, for shares too, administrators just need to put their hands on it and update and/or change the configuration."

        2. John Sanders

          Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

          I do not know why I even bother.

          ACLs have been possible by just installing the required tools for years.

          And yes, Windows since the days of NT 4 has had much more security ACLs and granular controls than any other operating system in the world. It did not stop things like Blaster, and certainly does not stop people using Java to exploit bugs in the underlying OS, and will not prevent the millions of holes IE still has.

          I do not like Windows, and I do not like Java, they have in common that they are designed to make your life easier, and do not seem to be succeeding much at it.

          1. Anonymous Coward

            Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

            IE has had far fewer holes than Chrome, Firefox or Safari ever since IE7....

          2. Michael Wojcik Silver badge

            Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

            Windows since the days of NT 4 has had much more security ACLs and granular controls than any other operating system in the world

            Complete nonsense. While Windows of the NT heritage does offer decently granular security controls, they are by no means "much more [granular] than [in] any other operating system in the world". Many "big iron" OSes, for minicomputers and mainframes, offer security subsystems that can be configured in far more exacting ways, with a stunning array of eclectic rules, than anything available in Windows. Then there are OSes which were written to meet much tighter security criteria, such as Orange Book A-level security.

            Perhaps more importantly, "more granular" isn't even a valid metric, except in the most general sense. If, say, ACF2 lets you restrict signon for a particular group of users to specific days of the week, is that "more granular" than Windows restricting it to particular times of day? (ACF2 can do the latter as well - this is just an example of why "granular" isn't one-dimensional.)

        3. Anonymous Coward

          Re: Non-admin accounts, Software Restriction Policies, ....... LINUX!

          '....the inbuilt security in Windows'

          Hahahahahahahahahahahahahaha, not laughed so much in ages!

  2. edge_e

    Just

    Another

    Vector of

    Attack

  3. JeevesMkII

    Die, Java. Die.

    In Chrome at least, Java has a pernicious habit of re-enabling itself after every bloody update, something I only find out after some site requests permission to run an applet. It's bloody annoying to have to poll the settings to make sure all the plugins I want disabled are disabled. Fix it, Google.

    1. pixl97

      Re: Die, Java. Die.

      In Firefox 19 at least it had notified me that 7r15 was vulnerable even before I read it online. Quick moving on the Mozilla team.

    2. Anonymous Coward

      Re: Die, Java. Die.

      >"In Chrome at least, Java has a pernicious habit of re-enabling itself"

      Never happened to me. What are you doing wrong?

  4. This post has been deleted by its author

    1. Anonymous Coward

      There's quite a difference between running an application on Java to having a Java applet plugin enabled in your browser.

      Over time as OSes get more and more secure the hackers turn to something less secure. PDFs, Flash and now Java.

      1. Anonymous Coward

        "There's quite a difference between running an application on Java to having a Java applet plugin enabled in your browser. Over time as OSes get more and more secure the hackers turn to something less secure. PDFs, Flash and now Java."

        Of course there's a difference. That's not lost on me. Hackers /now/ turning to Flash, PDFs and Java? They turned to all of these in the 90s and have been there ever since.

    2. Anonymous Coward

      AC19:38

      Methinks you have a problem with Eadon?

      There is a trail of Eadon abuse filtering through the threads..... Maybe you should lay off the personals a little bit.

      1. This post has been deleted by its author

      2. This post has been deleted by its author

      3. Anonymous Coward

        Re: AC19:38

        No problem with the person or 50% of his posts but if he insists on posting absurd commentary as fact then no doubt he will be reminded about it - hardly 'Eadon abuse'. Yeah he gets a hard time but I would expect that too if I was posting his comments. Anyway getting publicly blasted by Trevor Pott is far closer to 'abuse' than the comments eadon gets.

      4. Anonymous Coward

        Re: AC19:38

        @AC22:16

        OK. Have thought on your comment about he who I shall not mention, and I concede your point - there is quite a bit of that hereabouts. Therefore I have deleted my original post and posted an edited version below:

        Edited version "Another one? This is like Java all through the nineties and noughties. Never ending."

        Never let it be said that I do not listen to criticism. I am even big enough to say 'Sorry if it offended' to you know who.

        1. Anonymous Coward

          Re: AC19:38 AC 22:37

          A salute for your integrity!

  5. banjomike

    Java security settings to 'High' is actually the default setting...

    ... is this supposed to be an improvement?

    1. Dan 55 Silver badge

      Re: Java security settings to 'High' is actually the default setting...

      I think that advice is wrong, just because an applet is signed it doesn't mean it's not malware. 'Very High' should be the minimum (prompt before running both signed and unsigned applets), but I don't trust Java enough now to not screw up somewhere there.

  6. Ken Hagan Gold badge

    What's this "until it is patched" rubbish?

    "and until it is patched everyone should disable Java in their browser."

    The vast majority of users have no need to enable Java in their browser, ever. Any installer or update that re-enables the browser support without getting the user's permission first is IMHO performing an unauthorised modification and is therefore probably in breach of the law in several countries.
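    Dan 55's point above ('Very High' as the minimum, since a signature does not make an applet safe) and Ken Hagan's here (installers and updates that turn browser support back on) both reduce to re-checking the Java Control Panel settings after every update. As an added example that is not from the article or from Oracle, here is a small Python drift check over Java's deployment.properties; it assumes the Java 7u10+ keys deployment.webjava.enabled and deployment.security.level (levels LOW, MEDIUM, HIGH, VERY_HIGH) and works on constructed file contents.

```python
"""Drift check for the Java Control Panel's deployment.properties (added example).

Assumptions: the per-user file lives at ~/.java/deployment/deployment.properties
(Linux) or %USERPROFILE%\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties
(Windows); an absent key means the Java default, which the thread says is 'High'
with browser support switched on.
"""
from __future__ import annotations

LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]   # weakest first
DESIRED_LEVEL = "VERY_HIGH"                        # prompt for signed and unsigned applets


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader: '=' or ':' separators, '#'/'!' comment lines,
    backslash line continuations. Values are left unescaped (paths keep their doubled
    backslashes), which is enough for the two keys checked here."""
    props: dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        logical += raw.lstrip()
        if logical.endswith("\\"):           # continued on the next line
            logical = logical[:-1]
            continue
        if logical and logical[0] not in "#!":
            for i, ch in enumerate(logical):
                if ch in "=:":
                    props[logical[:i].strip()] = logical[i + 1:].strip()
                    break
            else:                             # bare key with no separator
                props[logical.strip()] = ""
        logical = ""
    return props


def assess(props: dict[str, str]) -> list[str]:
    """One finding per setting weaker than the thread's advice; empty means compliant."""
    findings: list[str] = []
    webjava = props.get("deployment.webjava.enabled", "true").lower()
    if webjava != "false":
        findings.append(f"Java content in the browser is enabled (deployment.webjava.enabled={webjava})")
    level = props.get("deployment.security.level", "HIGH").upper()
    if level not in LEVELS:
        findings.append(f"unrecognised deployment.security.level {level!r}")
    elif LEVELS.index(level) < LEVELS.index(DESIRED_LEVEL):
        findings.append(f"deployment.security.level is {level}, below {DESIRED_LEVEL}")
    return findings


# Constructed file contents, not copied from any real machine.
SAMPLE_AFTER_UPDATE = """\
#deployment.properties
#Thu Feb 28 19:38:00 GMT 2013
deployment.version=7.15
deployment.webjava.enabled=true
deployment.security.level=HIGH
"""

SAMPLE_HARDENED = """\
deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH
"""

if __name__ == "__main__":
    for name, text in (("after update", SAMPLE_AFTER_UPDATE), ("hardened", SAMPLE_HARDENED)):
        print(name, "->", assess(parse_properties(text)) or ["ok"])
```

    Note that this only reports Java's own switch; a browser that keeps its own per-plugin enable state has to be checked separately.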

    1. Anonymous Coward

      Re: What's this "until it is patched" rubbish?

      Browsers need better user interfaces. A nice series of switches on the status or toolbar with enable/disable switches for Java, Javascript, Flash and other "inline" plugins which you may have installed (Office).

      1. ElReg!comments!Pierre

        Re: What's this "until it is patched" rubbish?

        "A nice series of switches on the status or toolbar with enable/disable switches for Java, Javascript, Flash and other "inline" plugins which you may have installed (Office)."

        Yes, more useless cruft encumbering the screen is exactly what we need, because obviously 2 clicks to access the list of enabled plugins is FAR too much effort. I mean, you need it almost once a month, come on, we seriously can't be expected to add these 2 clicks a month to our all-too-busy schedule of refreshing El Reg's comment pages!

      2. adam 77

        Re: What's this "until it is patched" rubbish?

        QuickJava plugin for Firefox has on/off toggle buttons for Java, Flash, Silverlight, others right in the addons bar at bottom of the browser window. Pretty slick.

    2. Anonymous Coward

      Not possible in Denmark. Most government/public service, bank etc... websites require it for authentication.

      1. John Smith 19 Gold badge

        "Not possible in Denmark. Most government/public service, bank etc... websites require it for authentication"

        I did not know this. So how does the Danish government handle exploit issues, since they are forcing people to use it?

        Personally I have found 1 website that requires it that I use semi-regularly.

        I run disabled by default at all other times.

        thumbs up for the information.

  7. TheOldBear

    Attack vector includes a DLL and Registry updates - so this Java attack only impacts Windows [not cross platform]

    1. Anonymous Coward

      The particular dropped file flavour mentioned is presumably Windows only. The exploit itself is cross platform, and could just as easily exploit Linux or OS-X. Of course with minute and tiny market shares respectively there is less motivation for anyone to bother to do so...

      1. This post has been deleted by its author

    2. AlbertH

      Of course....

      .... it only affects Windows (l)users. Those of us bright enough to delete the Redmond rubbish don't (and won't) suffer from vulnerabilities like this.

      1. ChrisM

        Re: Of course....

        Much as I hate to rain in your parade, my reading of the blog concurs with the AC above. The attack vector and payload are two discrete objects. In theory the attack could, if it was sophisticated enough to pick up the OS flavour, download a custom package and execute that.

        With Linux there are greater obstacles to overcome, for example a Linux user is unlikely to be running as root whereas in Windows that is much more likely.

        Don't let that stop you hating Microsoft though... They do deserve stick for some of the crap they have pulled, just not this....

      2. Anonymous Coward

        Re: Of course....

        You just keep telling yourself that until you get 0wned like Sony, Apple, etc. etc....

  8. BongoJoe

    From what I hear...

    ...is that Java is installed on umpty-thousand million computers and appliances worldwide.

    I can live with Java not being on my computer but when I hear about Java being used in my car to program the brakes or that it's running my washing machine; do I have to now worry about people hacking into my laundry to put a red sock into my whites and Mossad hacking into my car's braking system.

    And all I want are whiter whites and my car to make a significant difference to road traffic safety.

    1. Phil O'Sophical Silver badge

      Re: From what I hear...

      What sort of internet connectivity does your washing machine have?

      1. mhoulden

        Re: From what I hear...

        Fibre, with a SOAP component.

      2. ElReg!comments!Pierre

        Re: From what I hear...

        > What sort of internet connectivity does your washing machine have?

        I reckon it's only a matter of years (few of them, too) before your washing machine has its own IPv6 address. A better question would be "what kind of java-enabled web browser does your washing machine have?". Apart from designer prototypes I can't imagine anyone browsing the web from their washing machine in the foreseeable future. Laundry rooms have a distinct tendency of being a tad less cosy than bedrooms, living rooms, or even offices (the last one may be debatable...). Maybe that will change and laundry-room-web-browsing will be all the rage, but every time I ask my crystal ball about laundry-room web-browsing I feel like the abyss is gazing into me. Brrrrr

      3. TheVogon

        Re: From what I hear...

        A big pipe?

  9. Tom Maddox Silver badge

    Fortunately for web users the world over, the exploit "is not very reliable", the researchers write. In most cases, the payload fails to execute and leads to a JVM crash.

    So, it's just normal Java code, then?

    1. Anonymous Coward

      Java has extensive exceptions handling. Just because some programmers are shit and do:

      try {
          // do something here
      } catch (Exception e) {
          e.printStackTrace();
          System.err.println("Something went wrong");
      }

      Doesn't make Java bad. It's better than some sort of C++ address violation error and the details of a memory address.

      1. ElReg!comments!Pierre

        > Doesn't make Java bad.

        It very much does make Java an internal-use only, hack-prone, quick-and-dirty piece of (somewhat useful) shit.

        In the case of Java there was too much emphasis put on the "whatever you type will work" angle and not enough on the "whatever you type won't cause an exploit" angle. In my book, that makes it a useful in-house dirty-hack-that just works language, but verily makes it a VERY bad language to be included as a browser plugin on a machine allowed to reach (and be reached) by the Wild Wild Net.

      2. Dan 55 Silver badge

        RAII FTW

        Yes, Java has extensive exceptions handling.

        The language designers were so proud of it they made you put it in there twice, or three times, or four times. Each with its own finally. In every method.

        If for some reason you tire of this unreadable unmaintainable mess you make every exception throwable up back to the main class where you do System.err.println("Something went wrong");

  10. Anonymous Coward

    We shouldn't worry

    Oracle will have this fixed asap, so with a little luck we can expect the fix to be released somewhere in December this year. Think of it as a Christmas present from those generous caring people at Oracle.

  11. 1Rafayal

    where is Eadon?

    he will be able to prove that this isn't the case....

    1. Anonymous Coward

      He'll probably blame it on the Microsoft Java VM.

  12. sprag

    Java6 EOL

    Java 6 EOL was yesterday -- we'll see if Oracle decides to patch it or if they're going to stick with the EOL date.

    1. Anonymous Coward

      Re: Java6 EOL

      On projects I'm involved with we're still stuck with 1.4 on a crappy old version of Solaris. We keep saying how much better 1.6 and 1.7 are but they won't move to a newer hardware stack.

    2. Anonymous Coward

      Re: Java6 EOL

      Especially since Oracle Beehive web conf only works with Java 6 on anything except Windows...

    3. Anonymous Coward

      Re: Java6 EOL

      Under Oracle rules EOL isn't relevant for security patch production. All supported versions of something must get security patches, so it will be EOSL (support life) that counts. That's likely to be years away yet.

  13. Anonymous Coward

    OpenJDK ..

    Does this exploit work under the OpenJDK Runtime Environment?

    1. AlbertH

      Re: OpenJDK ..

      No - of course not. It only affects Windows

      1. Anonymous Coward

        Re: OpenJDK ..

        No, the exploit affects all OS platforms.

  14. Joe Montana

    Ubiquity...

    This is why no single piece of software should be installed on 90% of machines...

    When IE was the dominant browser, it made a great target for hackers. Now that there is diversity in browsers, they simply move to something else where there is no diversity.

    The sooner there are 3 or more implementations of something each with a decent level of market share, it becomes a far less attractive target for hackers. And if there is an unpatched 0day vulnerability it's much easier for users to switch to another implementation, even if only temporarily.

  15. ElReg!comments!Pierre

    Midas' touch strikes again...

    It's getting harder and harder not to see Oracle as a kind of reverse-Midas.

  16. Ilgaz

    Every Android sold

    Forget these 0 days stuff. Ellison should ask "what did/do we wrong?" themselves when they see Android phones and developers.

    Mindless fans? Image? No. Talk to any developer about Android and you will be surprised.

    1. Anonymous Coward

      Re: Every Android sold

      Care to elaborate what's that to do with Java or what you're trying to say? Might be only me, but I'm not following.

      1. gollux

        Re: Every Android sold

        All these Oracle Sievemaster Java fans like to make noise by pointing out that Android phones supposedly run Java applications.

        Android uses the Java programming language and the Android API. Java source code is compiled to run on Dalvik. They had the good sense to boot the Java API and Java Virtual Machine to the curb.

        1. Ilgaz

          Re: Every Android sold

          So, there is/was something wrong with Java. Developers aren't really blind fans of google/Android too. That excuse works with Apple but not Android.

          Does oracle do anything to fix the problem? No. They just broke sun.com domain by buying it and nothing else.

          That is what I talk about.

  17. Lars Silver badge

    Vulnerabilities and attackers

    I am no expert on security at all. But would it, perhaps, be an interesting topic to discuss how those vulnerabilities are found? Adobe, Windows and I suppose Java are closed source (not sure about Java now). So how are those vulnerabilities found? Just trial and error, or are those attackers so damned educated that they read the binary code (like we did a long time ago)?

  18. Tomas K.

    Unless you actually need Java, don't install it

    That's the advice from many security analysts.

