Java Security

Experts Develop 3rd-Party Patch For New Java Zero-Day

Posted by samzenpus
from the patch-it-up dept.
tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
  • by JDG1980 (2438906) on Monday August 27, 2012 @12:33PM (#41138831)

    There is no good reason to have Java installed in your primary browser. The only reason why it's everywhere is that it often comes preinstalled for no good reason, and (even worse) the installer shoves its way into all your browsers, for even less reason. If there are specific business sites using Java that you must access, then use IE with Java exclusively for those, and Firefox or Chrome for normal browsing. Using Java on the open web is just asking to get 0wned.

  • by Megahard (1053072) on Monday August 27, 2012 @12:43PM (#41138961)
    Agreed. Before HTML5, Java was an acceptable way to implement app-like stuff in the browser. Now with dynamic HTML, Canvas, SVG, and AJAX, Java in the browser has become an anachronism.
  • by Anonymous Coward on Monday August 27, 2012 @12:46PM (#41139007)

    I'm not sure if you are trolling, but here's why:

    There is a significant amount of work to test the software before doing a release.

    The code base is big and old, there are a lot of targets, and I'm guessing that not all tests are automated. Also, there is the issue of reducing the number of versions "out in the wild", at least for paying customers, as more versions cost money to provide support for.

    All this will take resources away from fixing bugs and working on new features. It's not as if there is nothing to do if no new bugs are found...

  • by MacColossus (932054) on Monday August 27, 2012 @12:49PM (#41139051) Journal
    Not any more. Oracle is providing Java 7 and later for Mac. http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html [oracle.com]
  • by Anonymous Coward on Monday August 27, 2012 @12:50PM (#41139081)

    Better yet, disable all plugins by default (or set for "click to run"), and whitelist sites you regularly visit and trust. You should have a minimal attack surface when visiting *any* site you don't explicitly trust.
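The default-deny plugin policy described in the comment above (block everywhere, allow only an explicit list of trusted sites) can be written down as a small decision function. The following is an added example, not code from the original thread or from any browser; the allowlisted hostnames are constructed placeholders. It shows the two checks a practitioner would want that a naive "does the host end with the trusted name" test gets wrong: matching on dot-delimited labels so that `trusted.com.evil.net` is rejected, and taking the host from the parsed URL so that userinfo tricks like `user@trusted.com@evil.net` resolve to the real host.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites where the Java plugin may activate.
# (Assumption: placeholder hostnames, not taken from the original discussion.)
JAVA_ALLOWED_HOSTS = {"intranet.example.com", "hr.example.com"}


def host_matches(host, allowed):
    """True if host is exactly `allowed` or a true subdomain of it.

    Comparing on dot-delimited labels avoids the classic suffix bug where
    "intranet.example.com.evil.net" or "notintranet.example.com" would pass a
    naive host.endswith("example.com") test.
    """
    return host == allowed or host.endswith("." + allowed)


def plugin_allowed(url, allowed_hosts=JAVA_ALLOWED_HOSTS, https_only=True):
    """Default deny: return True only if the page URL is on the allowlist."""
    parts = urlsplit(url)
    # Only web origins can ever be allowed; javascript:, file:, data: etc. are not.
    if parts.scheme not in ("http", "https"):
        return False
    # Plain HTTP can be rewritten on the wire, so an allowlisted host over
    # HTTP is treated as untrusted unless the operator opts out.
    if https_only and parts.scheme != "https":
        return False
    # urlsplit().hostname already strips userinfo and port and lowercases;
    # a trailing dot (absolute FQDN form) is normalised away as well.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return any(host_matches(host, allowed.lower()) for allowed in allowed_hosts)


def classify(urls, allowed_hosts=JAVA_ALLOWED_HOSTS):
    """Map each URL to its decision; handy for reviewing a policy before rollout."""
    return {u: plugin_allowed(u, allowed_hosts) for u in urls}


if __name__ == "__main__":
    # Constructed sample of page URLs a browser might be asked to activate Java on.
    sample = [
        "https://intranet.example.com/timesheet",
        "https://sub.intranet.example.com/",
        "http://intranet.example.com/timesheet",
        "https://intranet.example.com.evil.net/",
        "https://notintranet.example.com/",
        "https://user@intranet.example.com@evil.net/",
        "javascript:void(0)",
    ]
    for url, allowed in classify(sample).items():
        print(("ALLOW " if allowed else "BLOCK ") + url)
```

The design choice worth noting is that the function answers "is this origin trusted", not "does this page need Java": a site that is not on the list gets nothing, which is exactly the minimal-attack-surface posture the comment argues for.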

  • Re:A better idea... (Score:2, Informative)

    by Anonymous Coward on Monday August 27, 2012 @01:14PM (#41139335)

    Your parent was suggesting that uninstalling Java was better than fixing the security hole.

    It *is* better than fixing the security hole. Fixing the security hole fixes ONE security problem. Uninstalling Java fixes that ONE security problem AND all unknown/future Java security problems.

  • by Anonymous Coward on Monday August 27, 2012 @02:30PM (#41140319)

    Not true...

    http://dev.metasploit.com/redmine/projects/framework/repository/revisions/52ca1083c22de7022baf7dca8a1756909f803341/entry/external/source/exploits/CVE-2012-XXXX/Exploit.java

    It's a bug in how java bean statements interact with security domains, as far as I can tell. Definitely a JRE bug.
    It really is just more reason why you should never let your language's runtime get completely out of hand - this kind of stuff should have been in libraries, not in the runtime.
