Comments on: Java Zero-Day Exploit on Sale for ‘Five Digits’

By: Joe

Joe — Fri, 07 Dec 2012 16:41:22 +0000

what white hat firms are paying 5 figures for java exploits. doesn’t seem plausible.

By: christi parks

christi parks — Sun, 02 Dec 2012 09:13:39 +0000

Hello, sir i would like to ask that what is the scope of java training, what all topics should be covered and it is kinda bothering me … and has anyone studies from this course http://www.wiziq.com/course/1779-core-and-advance-java-concepts of core and advance java online ?? or tell me any other guidance…
would really appreciate help… and Also i would like to thank for all the information you are providing on java concepts.

By: meh

meh — Fri, 30 Nov 2012 19:35:30 +0000

Didn’t google get in trouble for trying to sidestep it? Our patent laws and tangled partnerships make it hard for a more secure replacement to replace it.

By: Rabid Howler Monkey

Rabid Howler Monkey — Fri, 30 Nov 2012 18:49:01 +0000

Remember that this article is warning about a Java zero-day exploit that is for sale. In this particular case, everyone with Java installed on their PCs is running a vulnerable Java version.

With regard to Java exploits for vulnerabilities that have been patched, remember that there are many computer users that fail to update their Java. For these users, their installed Java version is likely further behind than that on the current LPS LiveCD.

A CD-R won’t allow infections to persist on reboot. Thus, running as root really isn’t a problem for limited LiveCD sessions. One can enable the NoScript add-on for Firefox (included in the LPS iso) and control the web sites where the Java plug-in is allowed. Financial web sites have been hacked (e.g., Bank of India) with users redirected to malicious sites serving malware.

More on LiveCD usage from another of Brian’s excellent articles here:

http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/

For individuals that don’t need Java installed on their PCs to run Java applications locally, but DO need the Java plug-in to access certain web site(s) with their browser, the LPS LiveCD provides a reasonably safe option. And as I stated in a previous post, one can sign up to be notified when a new version of LPS is released.

By: Jonathan

Jonathan — Fri, 30 Nov 2012 14:47:38 +0000

You don’t need java to activate Webex; you can download the webex client yourself and install it manually.

By: rpw

rpw — Fri, 30 Nov 2012 10:10:30 +0000

I heard LPS runs the browser as root and has an outdated Java…

By: rb

rb — Thu, 29 Nov 2012 13:37:59 +0000

Interesting – it was still giving me the forbidden error message this morning. I reconfigured my browser to bypass our proxy and I got right in.

By: Rabid Howler Monkey

Rabid Howler Monkey — Wed, 28 Nov 2012 22:57:02 +0000

Just tried the U.S. Air Force Lightweight Portable Security (LPS) site with both Firefox and Opera and it was working:

http://www.spi.dod.mil/lipose.htm

P.S. One can optionally sign up to be notified when a new version of LPS is released.

By: rb

rb — Wed, 28 Nov 2012 21:31:09 +0000

As an aside, I am not able to access the LPS website. It displays a “Forbidden” error message.

By: Shinki-itten

Shinki-itten — Wed, 28 Nov 2012 19:57:40 +0000

I had the experience today that I had to activate JAVA in my browser in order to load a webinar that used WebEx technology. WebEx is used extensively for webinars hosted by law firms and other education providers. Activation (in Firefox) was bothersome, requiring a few steps — more than I expected.