Browser Exploit Kits Using Built-In Java Feature 96
tsu doh nimh writes "Security experts from several different organizations are tracking an increase in Windows malware compromises via Java, although not from a vulnerability in Windows itself: the threat comes from a feature of Java that prompts the user to download and run a Java applet. Kaspersky said it saw a huge uptick in PCs compromised by Java exploits in December, but that the biggest change was the use of this Java feature for social engineering. Brian Krebs writes about this trend, and looks at two new exploit packs that are powered mainly by Java flaws, including one pack that advertises this feature as an exploit that works on all Java versions."
Java-free for 2010 (Score:2, Interesting)
I don't have Java installed on my Windows 7 machine. I'd removed it during Firefox install, and never needed it. A few functions in OpenOffice don't work; that's about it.
Re:Java-free for 2010 (Score:3, Interesting)
Yep, any website which requires either Java or Quicktime is asking not to be viewed.
Re:Nothing new here (Score:5, Interesting)
There is a big "Security Warning" dialog box. What should Java do more?
It could tell you that allowing it to run would give it access to all the files on your computer. I had no idea that was the case, but then I disabled Java in my web browsers long ago.
Unsigned is the ONLY way to deploy Java Applets! (Score:5, Interesting)
My first attempt at a commercial website, CardMeeting [cardmeeting.com], is built around a large, unsigned applet. Those "Grant, Deny?" dialog boxes are poison to anyone in the know, and I surely would never visit any site with them. Unsigned applets don't need any security warning dialog because they are untrusted and therefore will receive no privileged access to the user's system. Unsigned == heavily sandboxed. "Unsigned" sounds like a bad thing though, so that's something I could never tout to my users. But in reality, I was looking out for them! :D
I had a heck of a time figuring out how to get the CardMeeting applet jar packed up with scripts and making the applet "stream" data the way it does. Yeargh, I remember that pain. Anyhow, it makes me really sad that news like this may lead people to disable java applets; I think the unsigned form of applets is very powerful and much safer for average users than Flash ever was. I wish there was a way in the browser to disable only signed applets. Perhaps Oracle could bring the hammer down and go ahead and disable them by default in the next Java release.
My new website ClubCompy [clubcompy.com] is 100% HTML+JavaScript. I wrote this whole simulated operating environment to teach kids to code with just the browser. I hope I don't start seeing people disable JavaScript on their browsers, then I'd be outta business!
Dave