Another Zero-Day Java Exploit Discovered, When Will It Stop?

Is there a world record for number of software vulnerabilities exposed within the span of a single month? If so, I'm willing to bet that Oracle's Java is the clear winner. We've reported on many Java happenings over the past couple of months, and it doesn't look like the fun is going to end anytime soon.

Security firm FireEye is responsible for the latest finding, noting that this zero-day exploit has been successfully executed against Java 1.6 update 41 and the most recent 1.7 update 15. It takes advantage of a vulnerability that may allow an attacker to overwrite data Java keeps in memory, such as the field that tells the runtime whether or not the security manager is enabled. Success is hit or miss, but when it does land, an HTTP GET request is issued that downloads the McRAT malware, which in turn could be used to fetch additional malware.
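The article's point about the security manager deserves a concrete illustration. The Java snippet below is an added example for this page, not code from FireEye or from the article, and the class name, the guarded method and the file path are all made up for the demonstration. It shows why that one in-memory reference is the whole trust boundary of the applet sandbox: the JDK's own file and network APIs guard themselves by asking `System.getSecurityManager()` for permission, and when that reference is null every caller is treated as trusted. That is exactly why corrupting the "is the security manager enabled" state is enough to escape the sandbox, and why the defensive advice is to keep untrusted Java out of the browser rather than to rely on the sandbox holding.

```java
import java.io.FilePermission;
import java.security.Permission;

// Added example (hypothetical class name): shows how a sensitive operation is
// gated on the security manager reference, mirroring the pattern used inside
// the JDK's own privileged APIs.
public class SecurityManagerDemo {

    // A stand-in for a privileged operation. The JDK's real file APIs perform
    // the same "if a manager is installed, ask it" check before touching disk.
    static String readSensitive(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Throws SecurityException when the installed policy denies it.
            sm.checkPermission(new FilePermission(path, "read"));
        }
        // We do not actually read the file; the point is the gate, not the I/O.
        return "contents of " + path;
    }

    public static void main(String[] args) {
        String path = "/etc/passwd"; // constructed sample path for the demo

        // 1) No security manager installed: the reference is null, so the
        //    guard is skipped and the operation succeeds for any caller.
        System.out.println("no manager:   " + readSensitive(path));

        // 2) Install a restrictive manager that denies all file access. This is
        //    the state a browser applet runs in; an exploit that corrupts the
        //    runtime's view of this reference puts the JVM back into state (1).
        System.setSecurityManager(new SecurityManager() {
            @Override
            public void checkPermission(Permission perm) {
                if (perm instanceof FilePermission) {
                    throw new SecurityException("denied: " + perm);
                }
                // Everything else (stdout, etc.) is allowed so the demo can print.
            }
        });

        try {
            readSensitive(path);
            System.out.println("with manager: unexpectedly allowed");
        } catch (SecurityException e) {
            System.out.println("with manager: " + e.getMessage());
        }
    }
}
```

On the Java 6 and 7 releases the article discusses this compiles and runs as-is. On JDK 17 `System.setSecurityManager` is deprecated and prints a warning, and from JDK 18 onward the JVM must be started with `-Djava.security.manager=allow` or the call throws `UnsupportedOperationException`; the gating logic it demonstrates is unchanged.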

FireEye recommends disabling Java until a patch has been released, or at least setting its security level to "High". We'd recommend considering getting rid of it entirely, because with new vulnerabilities being disclosed all the time, things are just getting ridiculous. If you do have Java installed, it might be worth asking yourself what you're actually using it for. In talking to friends, I've discovered that it's not uncommon for people to have Java installed for something they needed once, and then never bother to uninstall it.

For those who do require it, we feel your pain.

Via: FireEye
JvanHummel one year ago

Oracle have stepped up their game. Surely all these leaks, most of them being found by security firms and luckily not malicious hackers, will be patched soon. People have been shaken awake and are now all finding leaks in Java. This will make 1) Oracle more aware of their security shortcomings and 2) make Java safer.

Of course I'd much rather that Java be phased out. It's an extra weakness on a system. But realistically, Java is out there and widespread. Not everyone can just ditch it, and if that's the case, we might as well look for all the leaks we can find and toughen Java up.

It's a good thing :)

CraigSeamons1 one year ago

The company I work for has advised our customers to get rid of it completely. Adobe and Java are being exploited hard. Good article.

CidAttwater one year ago

This has just gotten out of hand. Java is barely even needed anymore, and it is nothing but a security risk. It should be disabled if it has not been already. Here is how, if anyone doesn't know.

WadeArenberg one year ago

It's Java, it will never stop.

mike coyne one year ago

Another BAD NEWS from Java. I already uninstalled both 32 and 64 bit Java from my PC. I think Java needs to step up and beef up the security on Java. I will hold off until Java gets fixed, or look elsewhere for a new program similar to Java.

Dorkstar one year ago

And this is exactly why I decided not to learn Java. It just seems like it's becoming dead code at a very quick pace. On the other hand, a lot of people still depend on it. Will we ever see it completely phased out? I doubt it.

realneil one year ago

It's like the never ending story. JAVA gets it again.

Just say no,.......

RWilliams one year ago

I unfortunately do need Java for one thing, so I've moved it to a virtual machine instead. Next best thing to not having it at all.

3vi1 one year ago

Simply don't allow your browser to run Java (but allow JavaScript, which is a completely different thing).

Integrating Java with the browser is the worst idea since Microsoft invented ActiveX.
