Java Security

Experts Develop 3rd-Party Patch For New Java Zero-Day

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
  • A better idea... (Score:4, Insightful)

    by DrEnter ( 600510 ) * on Monday August 27, 2012 @01:18PM (#41138639)
    You know what would be a better idea than patching Java? Uninstalling it.
  • by MyLongNickName ( 822545 ) on Monday August 27, 2012 @01:31PM (#41138789) Journal

    Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.

  • by Anonymous Coward on Monday August 27, 2012 @01:40PM (#41138927)

    Can someone explain why this is modded 'funny'? It should be informative. Eliminating attack vectors is the only sure-fire defense. Unless you need Java, you should dump it. If you need it, you should actively find ways to eliminate that dependency.

    A modest proposal to improve security. You know what would be more effective than uninstalling Java? Uninstalling the network and other input devices. In fact, why don't you turn off the computer entirely?

    The number one reason that Java has published security holes is that Java is used heavily. Non-Java programs also have security holes. Yes, it makes sense to reduce dependency on Java now, because Java has the current serious security hole. However, your parent wasn't suggesting that. Your parent was suggesting that uninstalling Java was better than fixing the security hole.

  • by binarylarry ( 1338699 ) on Monday August 27, 2012 @01:48PM (#41139037)

    This isn't a flaw in Java itself but yet another flaw in the browser plugin.

    Given that virtually all the major browser plugin technologies I can think of have resulted in an unending stream of exploits, it seems silly to blame this entirely on Java. Adobe PDF, Flash, and the Java plugin have all been the main vectors of attack. Guess what the three most popular browser plugins are?

    Maybe the real issue is a shitty plugin API and/or implementation?