Comments on: New Java Exploit Fetches $5,000 Per Buyer
http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/

By: Ben (Tue, 12 Feb 2013 16:05:41 +0000) http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/comment-page-1/#comment-153118
I’m the sys admin for a commercial real estate company. As soon as I was hired a year ago I disabled Java on every computer in the company, due to the many Java security issues in the past and the fact that over the years I’ve noticed a steep decline in the relevance of Java-based applications. Since then, I’ve run into ONE instance where it was necessary: I tried to run Eclipse PDT. I removed Eclipse, chose one of the dozens of other non-Java PHP IDEs available and never looked back.

In the twelve years I’ve been running computer systems for hundreds of companies, I’ve only seen a handful of people using it, and in almost every case it was incredibly picky about the version, because the app was only able to use some outdated, obscure version of Java and the dev team couldn’t or wouldn’t be bothered to rewrite their application. Almost every machine I’m introduced to that has Java installed usually has a years-out-of-date version that has never been used.

In the real world, we/users don’t have time to scour security forums to make sure there isn’t ANOTHER Java exploit, update dozens of computers, or train end users to figure out whether the Java update is a real update or some sort of fake spyware scam. I have gone out of my way to uninstall Java as soon as possible on any machine I am in charge of (as well as advise others to do the same), and the number of systems that need it is small and quickly, quickly dwindling. It’s really the simplest, fastest way to help secure a machine without fuss or requiring a lot more maintenance to keep it installed.

By: shipra (Fri, 01 Feb 2013 08:39:01 +0000) http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/comment-page-1/#comment-148833
I am not a programmer, but I have this C language subject this session and have to prepare for it. Which topics should be covered in it?
And has anyone studied from this online C tutorial course, http://www.wiziq.com/course/2118-learn-how-to-program-in-c-language? Or tell me about any other guidance…
I would really appreciate help.

By: John (Sun, 27 Jan 2013 18:45:59 +0000) http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/comment-page-1/#comment-146704
[SE-2012-01] An issue with new Java SE 7 security features

http://seclists.org/fulldisclosure/2013/Jan/241

By: Jeffrey Haun (Thu, 24 Jan 2013 13:47:23 +0000) http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/comment-page-1/#comment-145144
How about DOT.NET? Yes, I know it’s Windows only. (GNU.NET and MONO are partial implementations.) But it seems to have a better security track record compared to Java.

By: Vee (Wed, 23 Jan 2013 20:12:32 +0000) http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/comment-page-1/#comment-144836
>> “I just expected a lot more competence from experts in the field… I’ve been a regular email subscriber on several tech forums for over a decade now. And in the last few weeks, I’ve been listening to all these ‘disable Java’ tantrums… Advising to disable Java is like cutting off one head of the mythical Hydra. Ensuring 100% security compliance at the browser level is putting the Hydra down for good…”

Thing is, Krebs regularly suggests things like Noscript/Notscript and keeping plugins updated rather than disabled, even including Java at one time. Plugins are a luxury rather than a necessity; if one can personally do without them, why shouldn’t they?

Using that analogy, disabling Java in your browser disables the Java-spewing browser exploit Hydra head permanently. Yeah, there’s still the multiple Adobe heads and the JavaScript head, and countless others. And you know what most security experts would say? That ideally, ALL plugins should be disabled, and cookies and Java should be watched with things like Firefox’s Noscript/CookieMonster. Seriously, go download a Tails LiveCD from the TorProject and check out its browser plugins. Sure, it’s meant for privacy, but it’s probably one of the safest things I’ve ever seen to browse the web in general. And then, since it’s a LiveCD, even if you are hit with something, which would be very hard with its lineup of settings and software, it doesn’t really matter because everything is only stored in RAM.

>> “As of the year 2005, most web browser software in the market had security settings available to prompt users before any software is downloaded, and to create exceptions for trusted websites… It’s 2013, boss, and these same browsers are still operating in the default mode of not prompting users when software is about to be downloaded.”

I’ve actually noticed the opposite with Firefox and even Internet Explorer for file downloads, unless you mean plugins that load stuff. Then again, that’s why I use Noscript. I can agree with that, though; I do remember a time around 10 years ago when I was asked if I wanted to download a simple cookie. I’m guessing they did away with that because so many sites use a multitude of cookies and plugin-required stuff like Flash that you’d have to go through around 15 dialog boxes per page. So basically, yeah, they did away with it for convenience, and that’s probably why Noscript doesn’t come included with Firefox even though it should. I agree with ya there; it would be nice to see some things force users into security habits, if that’s what you’re saying.

>> “And yes, there are medical doctors who fix their own computers?”

As far as their work computers, no. They really haven’t the time to play Tech Support, and if they have to, then that really says a lot for the lack of Tech Support they must have. In that sense, what would you say if a doctor came up to someone in tech support and said: “Hey buddy, I’m doing open heart surgery in a minute. Got any tips?” Sadly, a lot of Tech Support is so bad that people probably would think nothing of a doctor in a hospital playing tech on the side, but no way could they hold responsibility over all their office computers security-wise. That’s why, if you’re suggesting they’re responsible for maintaining their work computers, which aren’t used for surfing the web, mind you, it’s just laughable.

>> “Basically, this current Java scenario is over-hyped… And dangers lie in this kind of sensationalism… I read the reports, boss, and this so-called Java reflection/class-loader vulnerability is a failsafe/high-redundancy mechanism for enterprise Java, but with an insecure browser it is a vulnerability for applets. With a secure browser it is not a vulnerability. So what are you really talking about?”

What dangers are there in alerting people to yet another Java exploit and suggesting a solution? I said it before and I’ll say it again: hardly anyone maintains computers like most of us here do, those of us who either do it for a living or are enthusiasts. And even then, it’s still a lot easier and safer to just disable the plugin than to keep up with the maintenance for something most of us don’t use. You criticize the advice of disabling the PLUGIN for fear that it will generate malicious Java removal tools and put enough fear in enterprise to stop using Java altogether. Yet you seemingly recognize that most of these exploits are browser-based attacks. Finally, you also seem to think these same security experts don’t recommend the removal (if possible) of OTHER browser security risks.

Tell me, what settings prevent watering hole attacks? The one area Java doesn’t need to be, the one area where disabling it WOULD keep it out of the “propaganda news stories” because there wouldn’t be any to report, and yet you keep your stance that they shouldn’t recommend disabling it? What about Shockwave, another plugin that most argue is a dying/rare thing to use online? When is the last time you needed Shockwave that wasn’t for a game? I myself have both Shockwave and Java installed yet disabled for my browsers, and even then I only use either for games personally.

By: Din5dale (Wed, 23 Jan 2013 11:44:17 +0000) http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/comment-page-1/#comment-144692
LOL. Project much? You’re a funny little person, thx for the guffaws. Be that as it may, I’ve grown quite tired of your infantile foot-stomping (“I’m right! You’re all wrong! I am! I am! I am! La-la, I can’t hear you!”) and am exiting this thread.

By: psionski (Wed, 23 Jan 2013 08:19:50 +0000) http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/comment-page-1/#comment-144629
You seem to be missing a critical aspect of computer security: attack surface reduction. It’s not an attack against Java; it’s an attack against any installed software that you don’t really use or need. Java just happens to be one of the programs that is not needed (by most people), or, at least, not needed in the browser, but is still widely deployed and offers a huge attack surface (because it’s a pretty complicated piece of software, after all). When you look at it this way, disabling Java is a no-brainer.

By: Yomade (Wed, 23 Jan 2013 00:16:02 +0000) http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/comment-page-1/#comment-144530
I would like to offer my unreserved apologies to everyone on this blog, especially @Brian, for my terrible choice of language in expressing my opinions…

I may have made some salient points but it was also wrong to over-emphasize my opinions… Once again my sincere apologies…

By: Phoenix (Mon, 21 Jan 2013 21:34:19 +0000) http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/comment-page-1/#comment-144054
Has civility gone to hell here?
