
Latest Java zero-day exploit renews calls to disable it


Corrine


A zero-day Java exploit found for sale in the criminal underground has renewed calls to disable the cross-platform runtime environment in Web browsers.

The latest exploit of a vulnerability not yet publicly known was reported on Tuesday by Brian Krebs, author of the KrebsonSecurity blog. An established member of the Underweb forum, an invitation-only site, was selling the exploit for Java JRE 7 Update 9, the latest version of the platform. The expected price was in the "five digits."

 

The flaw was in the Java class "MidiDevice.Info," a component that handles audio input and output, Krebs said. The seller claimed "code execution was very reliable" on Firefox, Microsoft Internet Explorer and Windows 7.

 

The latest exploit discovery comes three months after two other zero-day vulnerabilities and exploit code were found, one by a security researcher at Accuvant and the other by a developer at Immunity. The flaws were in Java 7 and affected Windows, Mac OS X and Linux operating systems running a browser with a Java plug-in.

 

The latest exploit was unusual because such exploits are seldom sold in such an open manner, said Chester Wisniewski, a senior security adviser for Sophos. "Granted it is on a members only criminal forum, but it sounds like the post was rather straight forward."

 

 

More at the source: Latest Java zero-day exploit renews calls to disable it


Guest LilBambi

First of all, this is a bit of a rant. Not at Corrine, as I know she is just concerned with security, but at the powers that be, to get them to stop trying to kill a pervasive system in favor of other systems that are just as full of holes but more proprietary, and at users, to get them to stop buying into their Kool-Aid.

 

Why don't they suggest the same thing (disabling it or removing) with regard to other plugins like Adobe Flash and Adobe Reader?

 

Sheesh! Many folks have Java apps that they use. This is nuts. Sure, if you don't use Java, don't install it, but for those that do, that is a useless instruction.

 

Wouldn't it be better to tell Oracle to upgrade their Oracle Forms to match the latest Java, instead of having things like MyInvoice require an old, dilapidated version of Java?

 

 

And what about some other great programs like:

OpenOffice.org
LibreOffice
RSS Owl
GoToAssist
VirtualBox
Android App Engine
Eclipse Java IDE and many other implementations for Eclipse
many others

As well as websites like:

Time.gov
Nasa JPL websites
Secunia's Online Software Inspector
many others

 

Wait, what am I seeing here? Many of those implementations are free/open-source/GPL software. But there are many corporate and medical tools made from Java as well.

 

Doctors need Java on their home computers to be able to view X-Rays for their patients from home so they are not back and forth all the time.

 

How many other companies depend on Java to do their job?

 

Hmmmm...

 

Just do some searching on Java implementations, including compilers, runtimes, class libraries, etc.

 

This is no small thing.

Edited by LilBambi

V.T. Eric Layton

Java, like MS Windows, has provided the world with astounding technologies and innovations in the area of computing. I have nothing at all against the app. It's the malcontents (a nice word to use on a family forum) that manipulate, corrupt, abuse, twist, etc. everything for their own ends... be those for profit (SPAM) or just because they are cyber-vandals.

 

I've said this before... the creators of the Internet just had NO CLUE that their invention would be so infested with EEEEVILLL the way it has been. They were tech nerds, of course, not sociology majors. If they'd had a bit more understanding of the human race, they would probably have foreseen all this mess that we have to deal with today.


Guest LilBambi

Totally agree, Eric!

 

But the same can be said for Adobe products, Real products, Apple products, Microsoft products, etc. etc. etc.

 

But I still see Flash all over the Internet, and intricate forms done with, and needing to be filled in with, Adobe Reader. I see many other products made by these other companies that are just as abused by the malcontents as Java, so why focus on Java?

 

All plugins are dangerous. All browsers can be dangerous if they support all that is possible on websites. All Microsoft servers, as well as Apple and Linux servers can be dangerous in the wrong hands.

 

Sure, Java MUST be kept up to date. Java should not be on systems that don't need it. But to tell everyone they should be disabling Java or uninstalling it, I feel is a bit overkill. Don't you? Unless you are going to say the same thing for every other Internet facing plugin and program.

Edited by LilBambi
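Two points in this thread invite a concrete check: the article's note that the exploit targets JRE 7 Update 9, the then-current release, and LilBambi's rule above that Java must be kept up to date and should not be on systems that don't need it. The script below is an added example written for this page; it is not from the article, from Krebs, from Oracle or from any poster here. It parses the first line of `java -version`, decides whether the installed JRE is older than a baseline (7 Update 9, the version the article names), and lists any Java browser plug-in files in the usual Linux/Firefox locations. The helper names `jre_version_parts`, `jre_needs_update` and `find_java_browser_plugins`, the plug-in directories, and the handling of the newer `9.0.x` version scheme are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not from the article, Oracle or any poster).
# Helper names and plug-in directories are assumptions made for illustration.

# Print "<major> <update>" from the first line of `java -version 2>&1`,
# e.g. 'java version "1.7.0_09"' -> "7 9". Returns 1 if the line has no
# quoted version string.
jre_version_parts() {
  line=$1
  case "$line" in
    *'"'*'"'*) ;;
    *) return 1 ;;
  esac
  v=${line#*\"}; v=${v%%\"*}              # keep only 1.7.0_09
  case "$v" in
    1.*) maj=${v#1.}; maj=${maj%%.*} ;;   # legacy 1.x.y scheme -> x
    *)   maj=${v%%.*} ;;                  # 9.0.4 -> 9 (assumed newer scheme)
  esac
  case "$v" in
    *_*) upd=${v##*_} ;;                  # _09 -> 09
    *)   upd=0 ;;                         # no update number -> 0
  esac
  upd=${upd%%[!0-9]*}                     # drop any trailing suffix
  while [ "${#upd}" -gt 1 ] && [ "${upd#0}" != "$upd" ]; do
    upd=${upd#0}                          # 09 -> 9, so no octal surprises later
  done
  printf '%s %s\n' "$maj" "${upd:-0}"
}

# Exit 0 (true) when the JRE in "$1" is older than major "$2" update "$3",
# 1 when it is at or above the baseline, 2 when the line cannot be parsed.
# Usage: jre_needs_update "$version_line" 7 9
jre_needs_update() {
  parts=$(jre_version_parts "$1") || return 2
  maj=${parts% *}; upd=${parts#* }
  if [ "$maj" -lt "$2" ]; then return 0; fi
  if [ "$maj" -eq "$2" ] && [ "$upd" -lt "$3" ]; then return 0; fi
  return 1
}

# List Java browser plug-in files in common Linux/Firefox plug-in directories.
# The directory list is an assumption; adjust it for your distribution.
find_java_browser_plugins() {
  for d in "$HOME/.mozilla/plugins" /usr/lib/mozilla/plugins \
           /usr/lib64/mozilla/plugins /usr/lib/firefox/plugins; do
    [ -d "$d" ] || continue
    find "$d" -maxdepth 1 \( -name 'libnpjp2.so' -o -name 'libjavaplugin*.so' \) 2>/dev/null
  done
  return 0
}

# Stand-alone run: first on a constructed sample line matching the version
# the article names, then against whatever JRE this host actually has.
sample='java version "1.7.0_09"'          # constructed sample, not captured output
echo "sample line parses to: $(jre_version_parts "$sample")"

if command -v java >/dev/null 2>&1; then
  ver_line=$(java -version 2>&1 | head -n 1)
  if jre_needs_update "$ver_line" 7 9; then
    echo "JRE older than 7u9, update it: $ver_line"
  elif [ $? -eq 2 ]; then
    echo "could not parse version line: $ver_line"
  else
    echo "JRE at or above 7u9 (the article's zero-day still applies): $ver_line"
  fi
else
  echo "no java on PATH: nothing to update or disable"
fi

plugins=$(find_java_browser_plugins)
if [ -n "$plugins" ]; then
  echo "browser plug-in files exposing Java:"
  echo "$plugins"
fi
```

The comparison deliberately reports "at or above 7u9" as a separate state rather than "safe": the article's point is that 7 Update 9 was the latest release and was what the exploit targeted, so being current addresses the older, already-patched flaws but not this one. The only mitigation the thread offers for a zero-day is removing or disabling the browser plug-in, which is what the plug-in file listing is for.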

Guest LilBambi

And government agencies should be ashamed for making people keep an older version of Java on their systems that is not safe, just because Oracle is sitting on their hands and hasn't updated Oracle Forms, or maybe they have and the Government is the one who is being cheap on security by not upgrading?

 

Oh, and the Medical community was doing the same thing due to laziness or not wanting to pay to upgrade to a version of their X-Ray software that actually works with a current version of Java.

 

Who knows, but there are lots of issues here, and Java is only one part of it, but it is being treated as if it were the whole problem with the Internet.


V.T. Eric Layton

Governments, particularly local governments, usually cannot afford to keep up with the new technologies. My local county is still running Windows XP on its servers. If they upgrade to 7, none of their custom proprietary software will work anymore. They'd have to pay millions to get that upgraded also. It would get UGLY. I have a pal who works IT for the county. That's how I know this. If this is the case in a relatively large metropolitan county like mine, imagine what it's like in little towns and counties all over the country.

 

Private industry can stay on the bleeding edge. The taxpayer-supported public sector cannot.


In the case of medicine, I can see how you would not want to monkey with the software at all. If a Java glitch causes an incorrect diagnosis, heads are going to be rolling. Then again, maybe those heads *should* roll to get the industry up to speed.

 

But then what would be the cost? Are a few lives worth getting the industry rolling in a new way of business? That's a tough question, and one I don't want to answer....

 

Adam


Guest LilBambi

As much as the Medical community makes off their patients and their HMOs etc., it is a travesty!

 

As far as government is concerned, we are not talking about having to move to another OS, or to the latest Windows out there, to use a current version of Java.
