
Java Zero-Day Vulnerability Rolled Into Exploit Packs

Posted by Unknown Lamer
from the just-can't-win dept.
tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."

  • Re:Oh Java... (Score:5, Informative)

    by gstoddart (321705) on Thursday January 10, 2013 @12:48PM (#42547225) Homepage

    At this point does any tech savvy user still have the Java Runtime Environment installed?

    Sure, but I have No Script installed to keep it from running except when I need it to.

    Sadly, I find myself needing Java for a lot of work related stuff. I even have a couple of machines that still have Flash on them because it's occasionally called for.

    In the real world, you can't always get away from using it since there's always some company required thing you need to access -- but that doesn't mean I'm prepared to let it run by default on just any web site.

    Hell, a lot of the tools I need to run daily for work are in Java.

  • by edxwelch (600979) on Thursday January 10, 2013 @12:57PM (#42547375)

    Please, stop the FUD already. All the security holes have been accessed via the Java browser plugin, so just disabling the plugin is enough... and while you're at it, disable the .NET browser plugin. Just as many security holes have been found in that component as in Java.
    There is no need to uninstall the JRE (if you have Java installed on your system, then you probably need it for something).

  • Re:Oh Java... (Score:4, Informative)

    by Anonymous Coward on Thursday January 10, 2013 @01:00PM (#42547415)
    If you use IE you can disable Java for all sites except the "enterprise ones". Even on IE6 - assuming an Enterprise environment typical of the sort you are talking about ;).
  • by DigiShaman (671371) on Thursday January 10, 2013 @01:08PM (#42547527) Homepage

    Ya, and when the next JRE update prompts the user to install from the system tray, the browser plugin gets re-enabled (re-installed really).

  • Re:Oh Java... (Score:4, Informative)

    by DickBreath (207180) on Thursday January 10, 2013 @01:25PM (#42547739) Homepage
    > > If you play Minecraft you need Java installed.

    > False. You don't need the Java browser plugin for Minecraft, only the JRE.

    His statement is true. Having the JRE installed is having Java installed. It is correct that the browser plugin is unnecessary. But his original statement is entirely correct.
  • Re:Oh Java... (Score:5, Informative)

    by robmv (855035) on Thursday January 10, 2013 @01:30PM (#42547813)

    And the latest Java 7 update added features to disable Java applets and JNLP from browsers; that way, if you need Java for an application like Eclipse but don't need Java in the browser, you can secure yourself.

  • Re:Oh Java... (Score:3, Informative)

    by molotov303 (182638) on Thursday January 10, 2013 @01:55PM (#42548123)

    I don't know why it isn't enabled by default, but Firefox has a click-to-play plugins option that should dramatically reduce the exposure to exploits like this. So NoScript isn't required.

    about:config
    plugins.click_to_play = true
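    As an added example (my own code, not from either commenter), a small audit script that ties together robmv's point about the Java 7 update's browser switch and the click-to-play pref above. It assumes the deployment.properties key name deployment.webjava.enabled for that control-panel switch, and the sample inputs are constructed.

```python
import re

# Matches Firefox pref lines such as: user_pref("plugins.click_to_play", true);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs_js(text):
    """Return {pref_name: value} from prefs.js / user.js text (bool, int or str)."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(prefs_js_text, deployment_props_text):
    """Return a list of findings; an empty list means both controls are in place."""
    findings = []
    prefs = parse_prefs_js(prefs_js_text)
    if prefs.get("plugins.click_to_play") is not True:
        findings.append("Firefox: plugins.click_to_play is not true, plugins run on page load")
    props = parse_properties(deployment_props_text)
    # Assumed property name for the 7u10 'Enable Java content in the browser' switch.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java: deployment.webjava.enabled is not false, applets/JNLP stay reachable from browsers")
    return findings

# Constructed sample inputs, not real profile contents.
SAMPLE_PREFS = 'user_pref("browser.startup.homepage", "about:blank");\nuser_pref("plugins.click_to_play", false);\n'
SAMPLE_PROPS = "# constructed deployment.properties\ndeployment.webjava.enabled=true\n"
```

    Run audit() against a real profile's prefs.js and the user's or system's deployment.properties; an empty list means both settings are already hardened.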

  • Re:Oh Java... (Score:3, Informative)

    by dna_(c)(tm)(r) (618003) on Thursday January 10, 2013 @06:09PM (#42551693)

    Because some people deployed the applications using Applets and WebStart, so just getting rid of it becomes a bit of an issue.

    Nobody uses applets for anything anymore - except the baddies - so disable the Java browser plugin and be done with it. WebStart is not the problem.
