Corrine Posted November 29, 2012
A zero-day Java exploit found for sale in the criminal underground has renewed calls to disable the cross-platform runtime environment in Web browsers.

The latest exploit of a vulnerability not yet publicly known was reported on Tuesday by Brian Krebs, author of the KrebsonSecurity blog. An established member of the Underweb forum, an invitation-only site, was selling the exploit for Java JRE 7 Update 9, the latest version of the platform. The expected price was in the "five digits."

The flaw was in the Java class "MidiDevice.Info," a component that handles audio input and output, Krebs said. The seller claimed "code execution was very reliable" on Firefox, Microsoft Internet Explorer and Windows 7.

The latest exploit discovery comes three months after two other zero-day vulnerabilities and exploit code were found, one by a security researcher at Accuvant and the other by a developer at Immunity. The flaws were in Java 7 and affected Windows, Mac OS X and Linux operating systems running a browser with a Java plug-in.

The latest exploit was unusual because they are seldom sold in such an open manner, said Chester Wisniewski, a senior security adviser for Sophos. "Granted it is on a members only criminal forum, but it sounds like the post was rather straight forward."

More at the source: Latest Java zero-day exploit renews calls to disable it
V.T. Eric Layton Posted November 29, 2012
Again? Yeeesh! This is getting old really fast.
Corrine Posted November 29, 2012
When it comes to Java, it has been old for a very long time.
V.T. Eric Layton Posted November 29, 2012
And yet, there are still sites I go to that require Java, so...
crp Posted November 29, 2012
More at the source: Latest Java zero-day exploit renews calls to disable it
They want to ban ?
Guest LilBambi Posted November 29, 2012
First of all this is a bit of a rant. Not at Corrine as I know she is just concerned with Security. But to get the powers that be to stop trying to kill a pervasive system in favor of other systems that are just as full of holes but more proprietary. And to users to stop buying into their Koolaid.

Why don't they suggest the same thing (disabling it or removing) with regard to other plugins like Adobe Flash and Adobe Reader? Sheesh!

Many folks have Java apps that they use. This is nuts. Sure if you don't use Java, don't install it, but for those that do, that is a useless instruction.

Wouldn't it be better to tell Oracle to upgrade their Oracle Forms to match the latest Java? Instead of having things like MyInvoice require an old dilapidated version of Java?

And what about some other great programs like:
- OpenOffice.org
- LibreOffice
- RSS Owl
- GoToAssist
- VirtualBox
- Android App Engine
- Eclipse Java IDE and many other implementations for Eclipse
- many others

As well as websites like:
- Time.gov, NASA JPL websites
- Secunia's Online Software Inspector
- many others

Wait, what am I seeing here? Many of those implementations are free/opensource/GPL software. But there are many corporate and medical tools made from Java as well. Doctors need Java on their home computers to be able to view X-Rays for their patients from home so they are not back and forth all the time. How many other companies depend on Java to do their job? Hmmmm...

Just do some searching on Java implementations including: compilers, runtimes, class libraries, etc. This is no small thing.

Edited November 29, 2012 by LilBambi
V.T. Eric Layton Posted November 29, 2012
Java, like MS Windows, has provided the world with astounding technologies and innovations in the area of computing. I have nothing at all against the app. It's the malcontents (a nice word to use on a family forum) that manipulate, corrupt, abuse, twist, etc. everything for their own ends... be those for profit (SPAM) or just because they are cyber-vandals.

I've said this before... the creators of the Internet just had NO CLUE that their invention would be so infested with EEEEVILLL the way it has been. They were tech nerds, of course, not sociology majors. If they'd had a bit more understanding of the human race, they would probably have foreseen all this mess that we have to deal with today.
Guest LilBambi Posted November 29, 2012
Totally agree, Eric! But the same can be said for Adobe products, Real products, Apple products, Microsoft products, etc. etc. etc. But I still see flash all over the Internet, and intricate forms done with and needs to be filled with Adobe Reader. I see many other products made by these other products that are just as abused by the malcontents as Java, so why focus on Java?

All plugins are dangerous. All browsers can be dangerous if they support all that is possible on websites. All Microsoft servers, as well as Apple and Linux servers can be dangerous in the wrong hands.

Sure, Java MUST be kept up to date. Java should not be on systems that don't need it. But to tell everyone they should be disabling Java or uninstalling it, I feel is a bit overkill. Don't you? Unless you are going to say the same thing for every other Internet facing plugin and program.

Edited November 29, 2012 by LilBambi
Guest LilBambi Posted November 29, 2012
And government agencies should be ashamed for making people keep an older version of Java on their systems that is not safe, just because Oracle is sitting on their hands and haven't updated Oracle Forms, or maybe they have and the Government is the one who is being cheap on security by not upgrading?

Oh, and the Medical community was doing the same thing due to laziness or not wanting to pay to upgrade to a version of their X-Ray software that actually works with a current version of Java.

Who knows, but there are lots of issues here and Java is only one part of it but being treated as if they were the whole problem with the Internet.
V.T. Eric Layton Posted November 29, 2012
Governments, particularly local governments, usually cannot afford to keep up with the new technologies. My local county is still running Windows XP on its servers. If they upgrade to 7, none of their custom proprietary software will work anymore. They'd have to pay millions to get that upgraded also. It would get UGLY. I have a pal who works IT for the county. That's how I know this.

If this is the case in a relatively large metropolitan county like mine, imagine what it's like in little towns and counties all over the country. Private industry can stay on the bleeding edge. The taxpayer-supported public sector cannot.
ross549 Posted November 30, 2012
In the case of medicine, I can see how you would not want to monkey with the software at all. If a Java glitch causes an incorrect diagnosis, heads are going to be rolling.

Then again, maybe those heads *should* roll to get the industry up to speed. But then what would be the cost? Are a few lives worth getting the industry rolling in a new way of business? That's a tough question, and one I don't want to answer....

Adam
Guest LilBambi Posted November 30, 2012
As much as the Medical community makes off their patients and their HMOs etc., it is a travesty!

As far as government is concerned, we are not talking about having to move to another OS, or to the latest Windows out there, to use a current version of Java.