Digital Spy

DS Forums

0 day Java exploit

Old 11-01-2013, 00:21
Fried Kickin
Forum Member
 
Join Date: Jun 2007
Posts: 50,237

Forgive me if it's already been mentioned here ..
It may be an idea to disable java plugins for the moment.
http://www.theregister.co.uk/2013/01/10/java_0day/
Old 11-01-2013, 00:27
Matt D
Forum Member
 
Join Date: Jun 2007
Location: Cambridge
Posts: 11,279
These seem to be coming quicker and quicker...

I have the browser plugin disabled on every browser anyway as it serves no purpose IMO other than as a malware vector.

I'd uninstall it completely if I didn't need it for PS3 Media Server.
Old 11-01-2013, 01:30
-ajm-
Forum Member
 
Join Date: Sep 2008
Location: Hedge End, Southampton, Hants.
Posts: 2,451
No Java installed on my Mac since I reinstalled ML. I'll be keeping it that way. That said, does it affect OS X?
Old 11-01-2013, 08:27
DANCE OF DEATH
Guest
 
Join Date: Mar 2010
Posts: 4,723
I just wish they would stop using Java and Flash player. We don't really need them anymore. That said Java doesn't get to see the light of day on my machine.
Old 11-01-2013, 09:09
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Thanks for the heads-up.
Old 11-01-2013, 10:09
psionic
Forum Member
 
Join Date: May 2002
Location: Crystal Palace TX
Posts: 18,916
I don't even have Java installed these days.
Old 11-01-2013, 10:37
s2k
Forum Member
 
Join Date: Apr 2006
Posts: 5,035
Just realised that ever since building my new PC a few months ago I never actually bothered installing Java. Guess it goes to show it's no longer the prerequisite for the internet that it used to be.

I think we are still a fair way off being able to completely ditch Flash though.
Old 11-01-2013, 10:46
anniebrion
Inactive Member
 
Join Date: Sep 2005
Posts: 16,389
Is this all versions of Java or is Java 8 safe?
Old 11-01-2013, 10:53
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Speaking of removing plugins, Firefox now has a native PDF viewer in beta.

Quote:
Is this all versions of Java or is Java 8 safe?

Every story I've read only references 7.10, but who knows.
Old 11-01-2013, 14:53
Helmut10
Forum Member
 
Join Date: Dec 2011
Posts: 422
You're worried about Java when you're using a web browser with 10 times as many vulnerabilities, but you don't switch that off....
Old 11-01-2013, 15:00
d'@ve
Forum Member
 
Join Date: Oct 2003
Location: Darn Sarf
Posts: 20,843
Quote:
Forgive me if it's already been mentioned here ..
It may be an idea to disable java plugins for the moment.
http://www.theregister.co.uk/2013/01/10/java_0day/

Kaspersky have known about and have been blocking this for some time, it seems. http://www.securelist.com/en/blog/20...t_Distribution

Java 0day Mass Exploit Distribution
Kurt Baumgartner
Kaspersky Lab Expert
Posted January 10, 18:42 GMT

Tags: Oracle, Malvertizing, Sun Java, Vulnerabilities and exploits, Exploit Kits
Just a quick note, it's only the second week of January, but early 2013 brings with it the first Java 0day mass exploit distribution of the year.

There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites. A few obfuscated files are being delivered to victim systems with names like Stretch.jar, Edit.jar, UTTER-OFFEND.JAR, and more. The first appearance of the exploit's prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time.
This is dramatically different from the panic quote in The Register: "the only way to protect yourself is by disabling Java." - which I do not believe. They really ought not to rely on just one source!

I suspect that other commercial internet security firms will have been blocking it too, so for many people with automatic updating, there isn't much to worry about or do other than taking the usual sensible precautions.
Old 11-01-2013, 15:07
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
Quote:
You're worried about Java when you're using a web browser with 10 times as many vulnerabilities, but you don't switch that off....

How many exploits for my browser are currently in the wild?
Old 14-01-2013, 17:01
Tadpole
Forum Member
 
Join Date: Dec 2002
Location: Solihull, West Mids
Posts: 1,573
Over the weekend, Firefox blacklisted and remotely disabled the Java plugin for those running Firefox 17 or later. Apple have also done similar. Java 7 update 11 reportedly fixes the problem. However at the moment people now see Java as a security black hole rather than as a platform-independent application runtime, and I would not put money on this release being watertight.

See: "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop."

Maybe Oracle should disable the plugin by default and just use browsers to launch external java apps. However Scandinavian banks use Java for online banking so I guess they are not best pleased at the moment.
Old 14-01-2013, 17:06
barky99
Forum Member
 
Join Date: Jul 2011
Location: Scotland - near a whirly thing
Posts: 2,826
Quote:
No Java installed on my Mac since I reinstalled ML. I'll be keeping it that way. That said, does it affect OS X?

Yes, it affects all Windows & Unix (OS X, Linux etc.) operating systems.
Old 14-01-2013, 20:02
Call_me_Dave
Inactive Member
 
Join Date: Nov 2012
Posts: 456
Has there been a fix for this yet?
Old 14-01-2013, 21:29
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,542
Only affects 7, and the temp fix available at java.com simply sets security to high.

There's loads of other zero day malware out there, not just with Java 7.
Old 15-01-2013, 15:25
Fried Kickin
Forum Member
 
Join Date: Jun 2007
Posts: 50,237
Java SE7 U11 is out .. fixing the current exploit apparently.
Old 15-01-2013, 16:11
Tadpole
Forum Member
 
Join Date: Dec 2002
Location: Solihull, West Mids
Posts: 1,573
Oracle are planning to upgrade Java 6 users to Java 7 automatically during February. It appears that this is for Windows users only.

http://www.oracle.com/technetwork/ja...667051.html#11

Java 6 will also reach end of life next month, with the final security update expected to be 39. Update 38 is the current patch level for Java 6.

The retirement of Java 6 was originally scheduled for July 2012, then was postponed twice.
Old 17-01-2013, 19:10
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,542
MSE in the news again

"Security Essentials failed largely due to poor protection against 0-day real-world attacks, "
http://www.neowin.net/news/microsoft...fication-again
http://betanews.com/2013/01/17/secur...oes-not-matter

Myself, I've always thought zero day AV protection of high importance.
Old 16-05-2013, 17:39
Tadpole
Forum Member
 
Join Date: Dec 2002
Location: Solihull, West Mids
Posts: 1,573
Just found out via reading up that a Java update with an odd number is now a security fix, a Java update with an even number is a non-critical update, albeit often with bug fixes or minor enhancements.

Hence Java 6 updates going updates 39-41-43-45 and recent Java 7 updates going updates 9-10-11-13-15-17-21 (not sure what happened to 19). This has not always been the case, but has been since late 2012.
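Two claims in this thread are easy to turn into an inventory check: Fried Kickin and alanwarwic say the January 0day affects only Java 7 and is fixed in 7 Update 11, and Tadpole's post above says odd-numbered updates are the security releases. The following is an added example, not code from the thread or from Oracle; it parses the `java version "1.x.0_NN"` line that `java -version` prints (the banners below are constructed samples) and applies those two rules.

```python
import re

# Constructed sample banners in the shape printed by `java -version`
# (the JRE of that era prints this line on stderr).
SAMPLE_BANNERS = {
    "unpatched_7u10": 'java version "1.7.0_10"',
    "patched_7u11": 'java version "1.7.0_11"',
    "java6u38": 'java version "1.6.0_38"',
}

# Matches the family (6, 7, ...) and the update number in "1.<family>.0_<update>".
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)"')

# Per the thread: Java SE 7 Update 11 is the release that fixes the 0day.
FIXED_FAMILY = 7
FIXED_UPDATE = 11


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner, e.g. (7, 10)."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError("no recognisable 'java version' line in banner")
    return int(match.group(1)), int(match.group(2))


def assess(banner):
    """Classify an installed JRE using the two rules stated in the thread."""
    family, update = parse_java_version(banner)
    return {
        "family": family,
        "update": update,
        # Only the Java 7 family is affected, and 7u11 carries the fix.
        "exposed_to_jan2013_0day": family == FIXED_FAMILY and update < FIXED_UPDATE,
        # Odd-numbered updates are security releases (the thread dates this
        # convention to late 2012, so it is not reliable for older updates).
        "security_release": update % 2 == 1,
    }


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(label, assess(banner))
```

On a real host, feed the block the stderr of `java -version` instead of the sample banners; anything reported as exposed is a JRE that still needs 7u11 or the plugin disabled.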
Old 16-05-2013, 18:17
SnowStorm86
Forum Member
 
Join Date: Aug 2011
Location: Lincs
Posts: 12,213
Glad I don't have Java installed anymore.
Old 16-05-2013, 19:31
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
I need it for Minecraft. But you don't need the browser plugin.
Old 17-05-2013, 00:34
LION8TIGER
Forum Member
 
Join Date: May 2005
Posts: 7,356
I need it to play chess and backgammon on Pogo and in the past couple of weeks I have been getting THIS, click yes and it goes away but it must be a new thing in the latest Java ??

You can go into the advanced settings in Java control panel and disable the warning but still stay protected.

Apart from Pogo I have no need for Java.
Old 17-05-2013, 22:02
alanwarwic
Forum Member
 
Join Date: Oct 2003
Location: Researchington
Posts: 24,542
I have no idea if it still does but Yahoo games used mainly Java.
It was seen as fast to write and fast enough to run too.

The move to block Java, Flash and dare I say it WebGL tells us that a fast open web is unwelcome.
The corporate vision is apps so the web as a lower class citizen suits.
Old 17-06-2013, 10:14
Tadpole
Forum Member
 
Join Date: Dec 2002
Location: Solihull, West Mids
Posts: 1,573
New Java security update due out tomorrow : "This Critical Patch Update contains 40 new security fixes for Oracle Java SE. 37 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. "

Oracle website : http://www.oracle.com/technetwork/to...3-1899847.html
Sophos "Naked Security" write-up : http://nakedsecurity.sophos.com/2013...-18-june-2013/

The patch is only for Java 7. Java 6 and its predecessors are now at end of life and will not be patched.