Java Oracle Security

Another Java Exploit For Sale

Posted by samzenpus
from the a-new-flavor dept.
tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."
  • by thue (121682) on Wednesday January 16, 2013 @08:14PM (#42611241) Homepage

    Surely the bad publicity from a root exploit is worth more to Oracle than $5000? $5000 is peanuts in this context. Why doesn't Oracle have a bug bounty program to avoid problems like this?

  • by Shoten (260439) on Wednesday January 16, 2013 @08:22PM (#42611303)

    Actually, this sounds off to me. $5K for an exploitable Java vulnerability? That's waaaaaay too cheap for the exploit market...white, grey or black. I think this guy is selling a crock of shit, but he knows that the big-money purchasers would be able to tell. So he's offering it for chump change, which is exactly what a chump happens to have on hand to pay.

  • Re:Kill it with FIRE (Score:1, Interesting)

    by Anonymous Coward on Wednesday January 16, 2013 @09:09PM (#42611701)

    Except that there are still a good chunk of websites that still use Java. For example, Minecraft and RuneScape to name two.

    Both applications that should be completely client side

    And sure you -can- have it be fully client side but it doesn't always work. Many schools and workplaces will filter out .exe file extensions but will let you run in-browser applications just fine.

    So the Java browser plugin deserves to exist because... otherwise kiddies can't get around Sonicwall? Really?

    Furthermore, that's a terrible argument because an institution that can prevent non-whitelisted applications from launching can also trivially block whatever website hosts the .jar for the program you want to run. And if they do, it's their damn equipment anyway, stop screwing around on it.

    The web is not just things developed in 2013, but also for things developed back in 1997. And as such, it needs to be at least partially backwards compatible with older technologies.

    This is completely true, but people have pretty much given up on Flash. I doubt you pine for ActiveX.

    The real issue here isn't about browser plugins but it is the terrible management of Java by Oracle. There is nothing that inherently should make Java more unsafe than a generic web browser

    Java is a plugin, not a web browser

    , the problem is unlike most web browsers

    Java is a plugin, not a web browser

    , Oracle has time and time again proven to be unable or unwilling to fix gaping holes in their programs. Even when they do create a fix they still try to bundle in crapware such as the "Ask" toolbar and switch my default search engine to Ask. A slimeball tactic that should be reserved for those making keygens and the like.

    Agreed. Oracle is terrible.

    There is nothing that makes Java any more insecure than JavaScript

    Yes, there most definitely is. Javascript cannot access the filesystem. Java can. Javascript cannot spawn processes. Java can. The difference is that the Java plugin takes something that is fundamentally unsafe and attempts to bottle it up, where Javascript simply doesn't have the dangerous parts that malware gains access to.

    except for Oracle. Rather than simply dropping a useful element of the web, we should pressure Oracle to do what a software firm should do: fix the bugs!

    Why? As a user, what reason is there for you, personally, to have the Java browser plugin installed? So you can play minecraft? Use the standalone client instead. You'll get a better framerate without the browser, ffs. For the mathematical applets that I was linked to once? Please. Those are trivial to write in Javascript.
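An added illustration of the point made above about Java versus JavaScript (this is demo code written for this page, not anything from the thread or from Oracle): the applet-era sandbox is a SecurityManager layer that intercepts the file and process operations the Java platform can otherwise perform. The DenyAll class and the two probe methods are constructed for the demo.

```java
import java.io.File;
import java.security.Permission;

// Constructed demo: without a SecurityManager the JVM can list the user's home
// directory and spawn a process; with a restrictive manager installed, the same
// calls are vetoed with SecurityException. This is the boundary an applet
// sandbox escape has to cross, and the reason a JVM bug is worse than a JS bug.
public class SandboxDemo {
    // Hypothetical manager: deny everything except property reads and package
    // access, which the JVM needs just to keep running and print messages.
    static class DenyAll extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof java.util.PropertyPermission
                    && "read".equals(perm.getActions())) return;
            if (perm instanceof RuntimePermission
                    && perm.getName().startsWith("accessClassInPackage")) return;
            throw new SecurityException("denied: " + perm);
        }
        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Probe 1: filesystem access (File.list triggers a FilePermission "read" check).
    static String tryFileRead() {
        try { new File(System.getProperty("user.home")).list(); return "allowed"; }
        catch (SecurityException e) { return "blocked: " + e.getMessage(); }
    }

    // Probe 2: process spawning (Runtime.exec triggers checkExec).
    static String tryExec() {
        try { Runtime.getRuntime().exec("hostname"); return "allowed"; }
        catch (SecurityException e) { return "blocked: " + e.getMessage(); }
        catch (java.io.IOException e) { return "io error: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println("no manager, file list: " + tryFileRead());
        System.out.println("no manager, exec:      " + tryExec());
        // On Java 17+ this call needs -Djava.security.manager=allow on the command line;
        // the SecurityManager API is deprecated for removal in current JDKs.
        System.setSecurityManager(new DenyAll());
        System.out.println("sandboxed, file list:  " + tryFileRead());
        System.out.println("sandboxed, exec:       " + tryExec());
    }
}
```

Run it once without and once with the manager installed to see the two probes flip from "allowed" to "blocked"; a sandbox escape is any way of making the second run behave like the first.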

  • by hairyfeet (841228) <bassbeast1968@NOsPAM.gmail.com> on Thursday January 17, 2013 @12:44AM (#42613407) Journal

    The problem is that 2 different security groups have been analyzing the flaws that the malware guys used for the last exploit and say it could be 2 years before a proper fix is in place [zdnet.com] because the underlying code is "a mess".

    Of course any of us who had to deal with Sun's products in the past could have told them this. Sun was pretty piss poor when it came to code and security; this is why I've been saying give the LO guys at least 3 years before we start bitching, simply because it'll probably take that long to clean up the mess Sun left.

    The monkey in the wrench though, the fly in the ointment, the pain in the ass, is that Java usage was waaay down among consumers....until that fucking game showed up. I hope the guy who wrote Minecraft is happy because just when we had weaned a lot of home users away from the tripe that is Java he had to build a hit game on it and drag us all back into the mess. I don't know which is worse, Minecraft bringing shitty Java back to the consumer desktop or the fact Java will add the browser plugin (along with crapware) every time you update the damned thing. But in any case the malware writers are gonna have a field day as all those Minecraft installs are a botnet waiting to happen and if those security researchers are right all Oracle can do is slap band aids on the mess that is Java.

  • Re:This is insane (Score:4, Interesting)

    by idontgno (624372) on Thursday January 17, 2013 @12:56PM (#42617695) Journal

    It's so weird. This betrayal at acquisition seems to play out over and over. A great team is disbanded by the heavy-handed and mouth-breathing attitude of the new boss.

    I'm reminded of the Easter egg in Amiga OS 1.2, which was a secret message accessible by an obscure sequence of keystrokes, UI mouse clicks, and floppy disk ejection/insertion.

    Now press both Alts, both shifts, press F1 and eject DF0: all at once and you'll see:

    The Amiga, Born a Champion

    Whilst holding this click the left mouse button on the "screen to back" gadget and re-insert the disk. You'll see:

    We [wikipedia.org] made Amiga, They [wikipedia.org] fucked it up
