Another Zero-Day Java Exploit Discovered, When Will It Stop?


Top 10 Contributor
Posts 24,882
Points 1,116,835
Joined: Sep 2007
ForumsAdministrator
News Posted: Fri, Mar 1 2013 11:23 AM

Is there a world record for number of software vulnerabilities exposed within the span of a single month? If so, I'm willing to bet that Oracle's Java is the clear winner. We've reported on many Java happenings over the past couple of months, and it doesn't look like the fun is going to end anytime soon.

Security firm FireEye is responsible for the latest finding, noting that this zero-day exploit has been successfully executed using Java 1.6 update 41 and the most recent 1.7 update 15. It takes advantage of a vulnerability that might allow someone to overwrite bits of data Java has stored in the RAM - such as the area that tells it whether or not the security manager is enabled. While success is hit or miss, if it does land, an HTTP GET command will be issued that downloads the McRAT malware, which could be used to download additional malware.

FireEye recommends disabling Java until a patch has been released, or at least setting its security to "High". We'd recommend considering getting rid of it entirely, because with the number of vulnerabilities being made known all the time, things are just getting ridiculous. If you do have Java installed, it might be worth asking yourself what you're using it for. In talking to friends, I've discovered that it's not uncommon for people to have Java installed from something they needed once, and then just never bothered to uninstall it.

For those who do require it, we feel your pain.

  • | Post Points: 125
Not Ranked
Posts 78
Points 660
Joined: Oct 2011

Oracle have stepped up their game. Surely all these leaks, most of them being found by security firms and luckily not malicious hackers, will be patched soon. People have been shaken awake and are now all finding leaks in Java. This will 1) make Oracle more aware of their security shortcomings and 2) make Java safer.

Of course I'd much rather that Java be phased out. It's an extra weakness on a system. But realistically, Java is out there and widespread. Not everyone can just ditch it, and if that's the case, we might as well look for all the leaks we can find and toughen Java up.

It's a good thing :)

  • | Post Points: 5
Not Ranked
Posts 25
Points 135
Joined: Mar 2013

The company I work for has advised our customers to get rid of it completely. Adobe and Java are being exploited hard. Good article.

  • | Post Points: 5
Not Ranked
Posts 1
Points 5
Joined: Mar 2013

This has just gotten out of hand. Java is barely even needed anymore, and it is nothing but a security risk. It should be disabled if it has not been already. Here is how, if anyone doesn’t know: http://disablejava.com/#howto

  • | Post Points: 5
Not Ranked
Posts 2
Points 10
Joined: Mar 2013

It's Java, it will never stop.

  • | Post Points: 5
Top 500 Contributor
Posts 252
Points 2,845
Joined: Sep 2009
Location: Port Orchard, WA

More BAD NEWS from Java. I already uninstalled both 32- and 64-bit Java from my PC. I think Java needs to step up and beef up the security of Java. I will hold off until Java gets fixed, or look elsewhere for a new program similar to Java.

  • | Post Points: 20
Top 150 Contributor
Posts 756
Points 7,635
Joined: Nov 2012
Location: Dallas, Tx

And this is exactly why I decided not to learn Java.  It just seems like it's becoming a dead code at a very quick pace.  On the other hand, a lot of people still depend on it.  Will we ever see it completely phased out?  I doubt it.

  • | Post Points: 5
Top 10 Contributor
Posts 8,439
Points 102,180
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator

It's like the never ending story. JAVA gets it again.

Just say no,.......

Don't part with your illusions. When they are gone you may still exist, but you have ceased to live.

(Mark Twain)

  • | Post Points: 5
Top 150 Contributor
Posts 579
Points 5,260
Joined: Sep 2012
Location: Canada
ForumsAdministrator
Moderator

I unfortunately do need Java for one thing, so I've moved it to a virtual machine instead. Next best thing to not having it at all.

  • | Post Points: 5
Top 10 Contributor
Posts 5,048
Points 60,675
Joined: May 2008
Location: U.S.
Moderator
3vi1 replied on Sat, Mar 2 2013 11:48 AM

Simply don't allow your browser to run Java (but allow JavaScript, which is a completely different thing).

Integrating Java with the browser is the worst idea since Microsoft invented ActiveX.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.

  • | Post Points: 5