January 16, 2013

Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned.


Update, Apr. 2, 2:57 p.m. ET: This sales thread turned out to be an elaborate hoax designed by a cybercrime forum administrator to learn the screen name I was using to browse exclusive sections of his forum. See this story for more information on that.

Original story:

On Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each.

The hacker forum admin’s message, portions of which are excerpted below, promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits, including the Cool Exploit Kit I wrote about last week that rents for $10,000 per month. From his sales pitch:

“New Java 0day, selling to 2 people, 5k$ per person

And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.

Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.”

The seller must have found a second buyer for the exploit, because the thread has since been deleted from the crime forum. To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program. I should note that this same thing happened not long after Oracle released a Java update in October; a few weeks later, a Java 0day was being sold to a few private users on this same Underweb forum.

Yes, there are still sites that require Java, but most users can — and should — get by without it. For tips on how to keep Java without exposing your computer to a constant stream of zero-day exploits, see my Java Q&A from this past weekend.

I got into a bit of a Twitter fight yesterday with several readers on this point, but I feel strongly that Oracle is an enterprise software company that — through its acquisition of Sun Microsystems in 2010 — suddenly found itself on hundreds of millions of consumer systems. Much of the advice on how to lock down Java on consumer PCs simply doesn’t scale in the enterprise, and vice-versa. Oracle’s unprecedented four-day turnaround on a patch for the last zero-day flaw notwithstanding, the company lacks any kind of outward sign of awareness that its software is so broadly installed on consumer systems. Oracle seems to be sending a message that it doesn’t want hundreds of millions of consumer users; those users should listen and respond accordingly.


77 thoughts on “New Java Exploit Fetches $5,000 Per Buyer”

  1. Guitar Bob

    Technically, you haven’t verified there is an exploit though, Brian. What you have is some post(s) on some web site frequented/used by hackers. Could this be a case of a scammer scamming the scammers?

    Regards,

    1. BrianKrebs Post author

      Yes, you’re right, Bob, I haven’t proven anything. I don’t have the exploit or the source code or anything. That said, this was a sales thread posted by an administrator of this exclusive crime forum. It would be somewhat rare and ill-advised for a person in such a position to try to scam forum members, especially for just $5k.

        1. Me

          If you really need Java, it’s probably the JRE (Java Runtime Environment). The JDK is the Java Development Kit.

  2. ViRii

    It will be nice to know if this exploit runs on older versions of Java or was introduced by the new upgrade 7.11.

  3. Tony

    While it hasn’t been verified, it is hardly unbelievable.
    Java is so pervasive in computers and equipment it is most definitely a major target, and Oracle has NOT been taking their responsibility seriously. The last exploit was fixed quickly, but that is not par for the course for Oracle. Previous vulns were wild for months before patching.
    I see them as just slapping band-aids on Sun’s code, and not taking any steps to create or properly fix anything.
    At this stage, if you are running Java at all, you are taking a big risk.
    It’s long past the time when we abandoned Java for newer tech, too bad so many “web developers” are stuck on using it, instead of learning new tools.

    1. Bryan

      We should replace it with – what?

      The only other supported web-client runtime of any popularity with support I know of is silverlight, which is great if your target is a MS box. But what do you use for anything else?

      There has to be a place for web-started, downloaded, rich applications with full OS supported APIs. I write programs that have to do things you just cannot do with HTML – 5 or otherwise.

      1. bob

        Really? Even if you off-load intensive processing to remote servers?

        I suppose if you’re talking to specialist equipment hanging off the PC it’s still tricky… unless you can mock the thing up to work with one or more of the Geolocation, Orientation, WebGL or Web Audio APIs.

      2. Jeffrey Haun

        How about DOT.NET? Yes, I know it’s Windows only. (GNU.NET and MONO are partial implementations.) But it seems to have a better security track record compared to Java.

    2. john

      The only reason why Oracle fixed the last 0 day so quickly is because it made national news and they wanted to look like they care about such things.

    3. Rajeeve

      @Tony (January 16, 2013 at 11:24 am): “It’s long past the time when we abandoned Java for newer tech, too bad so many “web developers” are stuck on using it, instead of learning new tools.”

      What the tools, lol?

  4. Jawn

    Your Java install numbers are conservative. On the Oracle website they boast that Java is installed on more than 800,000 PCs and billions of computers, including mobile and entertainment devices.

    Windows is installed on about 400,000. Java is too big a target for hackers to ignore.

    Expect to keep chasing patches or retool in C++.

    1. BrianKrebs Post author

      Actually, I think Oracle’s official number are orders of magnitude higher. Oracle says 850 million personal computers and more than 3 billion devices.

  5. Zsolt Sandor

    Hello guys, as a senior Java developer with 10+ years of Java development I can say that currently almost nobody is writing Java applets. Java works nicely on the server side, works nicely in client applications, but almost every Java developer tries to avoid the usage of applets. I also understand Oracle’s position: they bought a huge amount of code with Sun, and quickly they got millions of new customers whom they have to care about. What they need – and probably are working on it – is a code review, and this takes time. Until the code review is finished it is to be expected to have the same kind of exploits. A solution for this could be that firefox/chrome/etc. would have a whitelist, and the browser simply would not allow the execution of any applets which are not on the whitelist.

    This would solve the 99.9% of the cases until the code review is made, and fixes are done.

    If you are a system admin, you can configure your proxy not to allow access to any jar or class file, until someone explicitly asks for one.

    The exploit in short is the following: a Java applet runs in a so-called sandbox. This sandbox prevents the code from executing any kind of program which is locally installed on the computer. With some clever tricks the hacker is able to bypass the protection and execute binary code, which then can contain a virus, or anything. All the exploits I have seen till now are using pretty much the same trick.

    1. a sox

      I agree totally that whitelisting applets is the way to go. However, it is not true that no one writes applets. But we can definitely agree that we desperately need the browser to limit applet execution (including jnlp) strictly to known good domains. Secondly we need to limit our exposure. Suppose an entity requires running applets from certain of their domains. The ideal thing would be for the entity to decide what browser was the best, and it might be firefox or chrome and not IE, and then we need the jre plugin to be controllable and NOT install into every browser on the machine as is what happens now on windows.

    2. Dass

      Agreed, with all of this Java bashing people often fail to point out that what they are talking about it actually Java running as an applet inside a web browser, which is only a tiny proportion of the Java code that is actually running.
      This leads to people slating Java as a whole and a “Java = bad” message, even though these security issues are only really relevant in a small and fairly insignificant subset of Java applications (applets). Personally I would always steer well clear of implementing web functionality as a Java applet however there are many application domains where Java is a good choice.

    3. Mike

      The author of the Firefox Add-On “NoScript” claims it blocks Java and Flash, in addition to JavaScript. Is this not correct? I’ve been using it for years to whitelist code execution from known/trusted websites.

  6. Yuhong Bao

    Even Oracle itself has set the security level to “High” by default in this update, meaning that all applets will be click to run by default.

  7. Jay Wocky

    The only time I enable Java is to do a Secunia online scan, which requires a Java applet. I wish that Secunia would make this scan possible without Java.

    I once tried the free Secunia PSI program, but–for reasons I cannot recall–it did not work on my system and I uninstalled it.

    1. JimV

      I use Secunia without Java (uninstalled it completely early last year) and it seems to work okay, but I still use v2.0.0.4003 — I didn’t care for v3 when I tried it, and almost immediately uninstalled it and re-installed the latest v2 variant which they still support.

      1. JimV

        I should clarify I’m not running the online scan as you indicated, but the resident version which runs the manual and automatic scans just fine on all my computers running XP Pro SP3, Vista Home Premium, Vista Ultimate, and Win7 Pro x64 (all the others are x86).

      2. Din5dale

        Same here except v2.0.0.3003 with Java 7 u11 installed but disabled in browser. Works fine. I also didn’t care for the “dumbed down” ver 3 and uninstalled it after 1 scan.

  8. David

    Virtually all the high end bookkeeping software my wife uses in business uses java, as do the sites governments offer for filing business reports and tax forms.
    If Oracle won’t do it, it is highly unlikely the thousands of accounting offices and bookkeeping services which also use these programs can protect client data.

  9. Mark Walker

    While your rationale for Oracle’s generally lame response to Java security vulnerabilities is plausible, you give the company entirely too much consideration in why their response to security issues continues to be lacking.

    They, like nearly every other major software company, go through phases on security. Oracle is still in the pre-contemplative stage where they take actions when required (forced by the market?), but still don’t see it as their responsibility to lead on security. I still get a distinct “not our problem” vibe from their public behavior. I’m sure we all recall when Microsoft made the transition to taking responsibility for these issues in their software.

    Who out there thinks Java can ever become robust in the face of security attacks?

  10. Stratocaster

    Now that Oracle has absorbed the Sun enterprise server business, time to spin off the Java subsidiary?

  11. saucymugwump

    I have two questions, with the second being off-topic, for Brian.

    Why would someone sell only two copies of such an exploit? If it is really yet another defect in Java’s armor, why not sell lots of them? $10,000 is good money, but it is not great.

    Many posts have been written on the subject of alternatives for Adobe Reader, with two of the most common being Foxit Reader and SumatraPDF. However, Foxit’s CEO and Sr. VP of Sales and Marketing are native Chinese. Given the suspicions over the loyalty of Huawei, isn’t Foxit also questionable? I use SumatraPDF for this reason.

    1. na

      Who here said both copies were sold for only $5000 a piece? I would direct your attention to : “I will accepting counter bids if you wish to outbid the competition. ” (from post on underground forum)

      For all you know there may have been a private bidding war and it was sold for upward of $30,000….

      And why only two people? Well… it would become patched, and useless quickly if too many people got it. The exploit is far more useful to the people who purchase it if it remains a 0day for as long as possible. Which I might add is further incentive to offer to pay far more than only $5,000.

  12. mooltittle

    Brian –
    On my Win7 x64 system, I run as a limited user, DEP is turned on for everything – not just Windows, and I have the Software Restriction Policy default security level set to “disallowed”. Basically, the user cannot run anything that isn’t already in the Program Files or Windows folders, and the user cannot write to those folders. What, if anything, could a hacker do to my system using a java exploit? Does java run under the System account, or does it run with the same privileges as the current user?

    1. Zsolt Sandor

      Hello, if you copy a standard executable into your home folder (c:\documents and settings\username\…) is the user able to run it? If not, then maybe if you try to start the program with cmd, can you do that? If the answer is yes, then sorry, the applet is able to save an executable into your local directory, or the temporary directory, and start it. This means, if the executable then is able to crash through the windows protection (os level protection, virus scanner, etc.) then theoretically you can get a virus/trojan. The applet runs, I think, with the same user which started the browser. If you want protection, disable the java plugin in your browser, and use a separate browser with enabled java plugin only for accessing corporate/government pages, which are not likely to be infected.

      1. Tom Manteuffel

        You missed that he’s using Software Restriction Policies, and therefore halting all executables not explicitly whitelisted. This is an underused but quite handy feature of all recent Windows OSs. Protects reasonably well against 0-days. The later version of SRP known as Applocker (Windows 7 and WinSVR2008R2 and later) is even better.

    2. psionski

      It is possible to attach code to an existing process, effectively defeating this protection, although I don’t know how you could jumpstart the dll injection without saving an .exe somewhere… Maybe if the exploit made JVM itself execute the commands to inject the .dll… About ASLR/DEP, most modern exploits should be able to bypass them.

            1. psionski

              Hmmm… I may have misread the second one… This is doing something else.

          1. Din5dale

            Actually psionski took the words right out of my mouth:
            “I’m a noob, maybe that’s why I find it interesting…”

  13. Lewis Cowles

    There seem to be a raft of these so-called “exploits”, that “breach security”, but the bit I worry about is that people are so emotive over something as simple to fix as Java. Many Linux clients use a non-oracle JDK by default, and most of Java’s figures for deployments focus on raw installs of which I have four, just on a single box for testing 32-bit JRE, 32-bit JDK, 64-bit JRE, 64-bit JDK, and that is if I don’t have to build for a client that requires OpenJDK (because the two are still not 100% compatible)…

  14. Alex

    I am simply surfing as a guest user. -> End of exploit story.
    Or I am surfing inside a “Sandboxie”-Sandbox. -> End of exploit story.
    Is this so difficult to learn?

    1. psionski

      Guest user -> Local Privilege Escalation -> NT AUTHORITY/SYSTEM user
      Sandboxie -> Sandboxie breakout -> No Sandboxie…

      I hope you see where this is going. The only way to be safe is to turn off your computer and never turn it on again.

      1. Din5dale

        Apparently this is difficult for some to learn. 🙂

  15. Din5dale

    “The exploit in short is the following: a Java applet runs in a so-called sandbox. This sandbox prevents the code from executing any kind of program which is locally installed on the computer. With some clever tricks the hacker is able to bypass the protection and execute binary code, which then can contain a virus, or anything. All the exploits I have seen till now are using pretty much the same trick.”

  16. mgmechanics

    I’m a freelancer who spends part of his spare time developing Open Source software running on Java http://www.mgmechanics.de. It’s such a pain for me to watch how Oracle destroys my business.

    The only thing to fix this mess is to remove
    1. the Java Browser PlugIn
    2. the Java Web Start
    from the OpenJDK installer !!! Could someone build a new installer without these things or rip off the existing one?

    Both the Java Browser PlugIn and Java Web Start seem to be used only in some companies’ intranets but not in the internet at all. No home user should need it.

    Linux does not install the Java Browser PlugIn when you install the OpenJDK (but Java Web Start – this should end). I proved it for Xubuntu 12.10 recently.

    Just setting the security level to “high” so that applets need to be signed is not enough! There were many security issues related to it and even issues with certificates too. And why take the risk? Almost nobody needs these plugins, at least in the internet.

    Requiring user action before running an applet or starting software via JNLP isn’t enough either. Users who open documents from email attachments (“Red October”) will also click “OK” here.

    By the way: In Linux (Debian-based distros), the said plugins are packaged as
    1. icedtea-X-plugin
    2. icedtea-netx and icedtea-netx-common
    I make sure to remove them both, esp. icedtea-X-plugin, after setting up a machine and before connecting to the internet.

  17. BillC

    All these comments are very interesting, but I’m guessing that 99% of average users won’t be inclined to jump through hoops to maintain a “risk free” semblance of Java functionality. My solution: uninstall Java and don’t do business with sites that require it. (I recognize this won’t work for the 1% who really need it). Added benefit — although Brian’s site is high value — I don’t need to keep up with the perpetual Java drama.

  18. Ken Pelkman

    I posted the following at one other site but on reflection this site is likely the more influential.

    In most enterprise settings, java is absolutely required to run in the browser. Many non-business users require Java – many bank websites require it, as do remote control websites and many cloud applications. Java as a technology is still an excellent idea.

    Throwing out the baby with the bath water is an analogy that comes to mind regarding the advice we are seeing in the media.

    As with anything regarding security – risk determination, mitigation vs convenience is the mantra.

    Given the premise that one needs Java to run some applications – ie. trusted applications on trusted internet sites – the goal is to ensure that Java cannot be used for sites not yet trusted. The Internet security zone in Internet Explorer is used for this purpose – collection of browser settings for sites not yet trusted. Therefore the goal is to disable Java in the Internet zone.

    I am not sure why we are not seeing the following instructions anywhere in the media – to prevent java from being used in the Internet zone and leave it enabled for the Intranet zone and Trusted Sites zone.

    For most – where IE is the only browser – this one mitigation reduces risk to an acceptable level. The cost – a small amount of configuration, end user training and lack of convenience when a site must be trusted.

    It is relatively easy to disable java in the Internet zone – by using normal configuration methods – manual settings, group policy, registry imports, etc. No special permissions are required as IE looks at both the Machine (LOCAL_MACHINE) and User (CURRENT_USER) versions of the settings.

    Two settings in the Custom Settings dialog are required to disable Java usage in the Internet zone.

    Unfortunately the “Custom Settings” dialog is missing one important GUI element in order to manually make a setting – although the underlying registry setting is there and obeyed. To add the GUI element in the dialog, follow the instructions from an MSDN blog:

    http://blogs.msdn.com/b/ieinternals/archive/2011/05/15/controlling-java-in-internet-explorer.aspx

    To implement via registry settings, look for the link on the blog for the file SimpleJVMSwitch.reg. These registry values enhance the dialog to show the required GUI element. The registry values work for LOCAL_MACHINE or CURRENT_USER.

    These registry settings add the GUI interface:

    JAVA VM – JAVA Applet Tags – options Disable or High Security (Disable is what we want to Disable Java).

    The other setting to Disable Java is:

    Scripting – Scripting of Java applets – Disable

    The actual registry settings (if you are importing settings in your logon script) are:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

    DWORD “1C00” = 0x00000000 (this corresponds to the JAVA VM setting)

    DWORD “1402” = 0x00000003 (this corresponds to the Scripting setting)

    Change to LOCAL_MACHINE if you want the settings to apply to all users.

    Unfortunately the blog did not provide an ADMX policy template file for those that might want to deploy this functionality by group policy. The “Script” setting will be there in the Group Policy Editor but the JAVA VM setting will not.

    Once these settings are done, you get the error message “the add-on for this website failed to run” when using the Java test function at

    http://www.java.com/en/download/testjava.jsp – click on “test the currently installed version of Java”. Adding java.com to the Trusted sites enables the test applet to run.

    So maybe we don’t need to throw out the baby with the bath water after all.

    There are caveats to this mitigation – multi-browser usage, the auditing of sites that were trusted by users and poorly implemented applications which redirect to different domain names hidden to the user. The risk reduction achieved is worth it.

    When you need to run Java applications and you want to stay to a single browser, there really is no other choice. It is pretty clear that Java will be exploitable for some time to come – fully patched or not.

    1. Vee

      Very well written and thought-out.

      Thing is, I still see it on every computer I come across, and I really mean every computer – Java that hasn’t been updated since it was installed years ago. I mean, they don’t even have to buy zero days for most people. I think it’s about time Microsoft starts including old plugins to remove in their Malicious Software Removal Tool, but who am I kidding? Again most computers I see are hardly ever updated. For these people there is only one option, to remove it. They’re just never going to keep up with this stuff or bother and for the most part they really don’t need it (or know the difference between Java and Javascript or what either are). Or if they do need it it’s only for something like Frostwire in which they’ve probably already been infected through a malicious download anyway.

      For everything and everyone else, the reason why Java is installed on “3 Billion devices” is that it requires an interpreter, compared to many other languages which arguably could do the same thing but without needing an interpreter. It is its own downfall, like Adobe’s stuff. The more people have it installed the more it’s going to be focused on exploiting just because there’s a higher chance of the victim having it. So again, less people have it, less it’ll be focused on. No reason not to remove it from that view point too. But again, who am I kidding? I just don’t see it ever changing.

      Going with your analogy, little high-needs baby Java ain’t for most people.
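    The two registry values Ken Pelkman lists above (DWORD 1C00 = 0 for the Java VM permission and DWORD 1402 = 3 for scripting of Java applets, under ...\Internet Settings\Zones\3) can be applied and verified from PowerShell rather than by importing a .reg file. The script below is an added example, not code from the article, the commenter, or the MSDN post he links; the function names are my own, the registry path and values are the ones quoted in the comment, and it assumes a Windows host with PowerShell 3 or later.

```powershell
# Added example: disable Java in Internet Explorer's Internet zone (zone 3)
# by writing the two URL-action values quoted in the comment above, then
# read them back to confirm. Function names are the author's own.

function Get-IEInternetZoneKey {
    param([ValidateSet('User', 'Machine')][string]$Scope = 'User')
    # HKCU applies to the current user only; HKLM applies to all users and
    # needs an elevated prompt. IE consults both hives for zone settings.
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    # Zone 3 is the Internet zone (sites not yet trusted).
    return "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
}

function Disable-IEInternetZoneJava {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('User', 'Machine')][string]$Scope = 'User')
    $key = Get-IEInternetZoneKey -Scope $Scope
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($key, 'Disable Java VM and Java applet scripting')) {
        # 1C00 = "Java permissions" (JAVA VM / JAVA Applet Tags); 0 = Disable Java
        Set-ItemProperty -Path $key -Name '1C00' -Value 0 -Type DWord
        # 1402 = "Scripting of Java applets"; 3 = Disable
        Set-ItemProperty -Path $key -Name '1402' -Value 3 -Type DWord
    }
}

function Test-IEInternetZoneJavaDisabled {
    param([ValidateSet('User', 'Machine')][string]$Scope = 'User')
    $key = Get-IEInternetZoneKey -Scope $Scope
    if (-not (Test-Path $key)) { return $false }
    $props  = Get-ItemProperty -Path $key
    $jvm    = $props.PSObject.Properties['1C00']
    $script = $props.PSObject.Properties['1402']
    # Both values must be present and carry the "disable" settings.
    return ($null -ne $jvm    -and $jvm.Value    -eq 0) -and
           ($null -ne $script -and $script.Value -eq 3)
}

# Usage: preview the change with -WhatIf, apply it for the current user,
# then confirm. Use -Scope Machine from an elevated prompt for all users.
Disable-IEInternetZoneJava -Scope User -WhatIf
Disable-IEInternetZoneJava -Scope User
"Java disabled in IE Internet zone (HKCU): $(Test-IEInternetZoneJavaDisabled -Scope User)"
```

    The read-back function is the useful part for a logon script or a compliance check: a value that is missing, or present with a different number, means IE will fall back to its default for that action, so only the exact pair (0 and 3) counts as "disabled". As the comment notes, sites that genuinely need the applet go into the Trusted sites zone (zone 2), which this script deliberately leaves untouched.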

  19. Yomade

    This is a very irritating topic… I will have to presume either that you have very limited knowledge of computer programming language systems, or just a plain old-fashioned tech politician with a serious aversion for the paradigmatic, and dynamic learning curve as well as the programming possibilities that java presents.

    First, more than 90% of Java code written in the last 5 years is not this so-called browser based applets.

    Two, you also acknowledged that this exploit is via known browser vulnerabilities…. Except you plagiarized your information from somewhere else.

    And lastly what are these vulnerabilities? Phishing and other ridiculous, social engineering techniques plain and simple… But here you are screaming, java, java, java…

    Oracle is rushing to get a fix, what about the web browsers and the operating systems? Or anti-viruses and the millions of dollars spent on them annually? Or is the java system so intimidating that an indirect exploit on the least functional aspect of the system, should be a cause for so much noise and misinformation?

    Disable java… What a joke!! You should also stop driving cars, and disable your cellphone.

    The DHT’s comment on java, has seriously dampened my personal admiration for American scientific affairs at the moment… And that’s the current that’s driving the wave you are riding on…

    Or why don’t you advocate some webcontent control software since grown-up adults can be so easily socially engineered that they should need supervision while browsing the internet??? Because this is what yours and the rest of these java tantrums indicate…

    My apologies for the harsh words… But you should get your facts right… Java is more than just oracle… And misinforming people will only lead to more problems…

    I can bet you that all an enterprising hacker needs to do is setup a fake java removal exploit that will trigger this exploit… And millions of people are already baited… And that’s back to square-one again… Even more vulnerable than ever…

    1. BrianKrebs Post author

      To whom are you addressing your comments, Yomade? Also, accusing an author of plagiarism is about the strongest accusation you can make. Care to explain your accusation in more detail?

      1. Yomade

        @Brian… I said and I quote;
        “Two, you also acknowledged that this exploit is via known browser vulnerabilities…. Except you plagiarized your information from somewhere else.”.

        I meant that you made a comment that this exploit is via known browser vulnerabilities. Assuming you are fully aware and knowledgeable of what this statement connotes, then you should also know that this java issue is also a result of the various browser security vulnerabilities and the internet itself as a whole.

        And then conditionally, if you don’t understand this comment you made then of course you plagiarized the information you commented on.

        Maybe plagiarism is a little too heavy to use, but that’s the closest word I could conjure if the latter condition was true. All in all.. It is a conditional statement… And not a direct accusation…

        I indicated it in my comments that my words are harsh… because the media has been awash with this issue for a while, and the American DHT also issued an advisory on this matter.

        However, I’m of a firm opinion that this java issue is being over-sensationalized. And advising the average user to disable java from their computers is very poorly conceived.

        Providing incomplete information and advice on this issue… Holds the potential for even more dangerous consequences, way beyond java’s so-called vulnerability and I can prove it with hard facts..

        1. brian krebs

          All of the comments I’ve seen criticizing advice to unplug Java from the browser seem to be more emotional than anything. If I had to guess I’d say that most of the comments deriding the advice to disable Java in the browser is coming from those who are somehow invested in it, i.e., Java developers or those responsible for maintaining/defending enterprise systems that depend on Java to some degree.

          It’s not like people are being advised to disable Flash or Javascript completely; that would break the Web for most users. This is not the same thing. Java is nowhere near as prevalent as it used to be on the Web, yet it is still far too prevalent on end-user systems.

          I have been consistent in my advice over the past three years to disable or remove software that you no longer use or need. Reducing the attack surface of any system is a basic, fundamental tenet of information security.

          Also, this is not a knee-jerk recommendation to a specific threat: running Java plugged into the browser is a major security risk for most users because, as I hope this article illustrates, its broad deployment makes it a constant target of attackers, and there seems to be a constant stream of zero-day vulnerabilities available for it.

          1. Yomade

            @Brian… I do agree with you I’m a lil’ bit emo on this issue… But emo not because of my investments but what the tech environment is morphing into…

            And yes I do have investments in java, but as well as C, C++, various assembly languages, web scripting languages and every other programming language I can get my hands on…

            And please, I hope I don’t sound like I’m on a high-horse… This is just a little of what I do…

            However, what I’m seeing is a more complicated picture, than meets the ordinary eye… There’s a mix of business politics, poor information, hyper-sensationalism and emotional java-haters…

            Regarding this current java vulnerability or any other web-based java vulnerability in the future… java is not the weakest link.

            I’m a technically competent observer and most of the commentary I have read, regarding this java vulnerability( not just yours), are very misleading. Personally, I don’t care if the whole galaxy disables or uninstalls java… Or if the java project ceases completely…

            What I’m worried about is the incompetence, misinformation and deception I have seen lately, and in open display, regarding this issue…

            I mean, how does disabling java improve a user’s computer and internet security? For a java vulnerability which can only be exposed via an insecure web browser or browsing environment ??? Or is this not what this vulnerability is about, in summary?

            And really, think about it? If java poses such a threat, why advise “disable java”, why not advise “uninstall java completely”??? And provide the tools to do it… End of story, move on to the next topic, (lolxx… Disable people from going into shopping malls, cause they’ll steal)…

            The DHT is an authority that is highly regarded both in the states and around the world, so there’s a lot of high expectations from such an authority … Ok, DHT got advised by CERT, but if you are technically competent enough you will see that the CERT advisory is vague and subjective…

            It refers to a malicious java applet taking advantage of the java restricted classes… And this java applet does not automatically find itself on your computer. It requires a user to download the applet to a computer. And before anything can be downloaded to a computer, a web browser (what year are we in??? ok 2013.. Lol) should be able to inform the user of this intended action by default. And where do you get this applet from? From a malicious website…

            In comparison, what about malicious software like viruses, trojans etc., that don’t need java to execute, and that are installed and downloaded in their thousands daily. Thus this issue is totally ridiculous..

            I can bet you that a very high percentage of American internet users alone that have java installed, are not directly vulnerable to this exploit due to either their expertise, the security configurations on their computers or browsers and browsing habits. now or in the near future..

            However, the hysteria and sensationalism created regarding this issue can expose a lot of people to more internet vulnerabilities that may or may not be java based…

            There’s tons of jargon being written and said everyday regarding this java issue.. And this is very misleading and causes more problems (and not just for the java investors like me.. lolxx). My apologies again, but your 5K java exploit for sale is just a big part of this charade…

            From the viewpoint of objective journalism you have written a very splendid article… But the semantics of this issue are of a highly technical nature that defeats the objectives you are trying to achieve.

            And I can assure you that the DHT’s advisory is based on the same circumstance.

            As a final example, a java applet cannot even be compared to adobe flashscript. Youtube uses flashscript, where content is downloaded automatically and played in the flash player by default.
            However, for the java applet, the default is to prompt the user before loading(or downloading) the applet.

            So really, if even the DHT and CERT can be misled to lend credence to this java issue… It translates to someone somewhere not doing their homework properly, or just manipulating less informed people…

            Oracle is rushing to create fixes, and even has a website to help people detect java and uninstall it from their computers..

            Ok here’s another angle (a conspiracy theory for now).. Oracle only acquired the management of java from Sun Microsystems a few years ago.. And they spent months in litigation against Google over the use of java in Android… Which Google narrowly escaped from..

            What if Oracle is trying to kill the java brand, so that it can transform the java system into a monolithic structure that can be monopolized and used as a tool for litigation more effectively?

            Or (another conspiracy theory) competitors like Microsoft and its .net system, using government muscle to force java developers (or investors.. Lol) into the .net system… For your information, the .net system is almost a clone of the java system, almost 80% of the way, even down to the C# programming language it uses…. As a result, java developers can easily transition to the .net platform..

            Finally, it would be more reasonable to expect that the DHT mandates the browser software to enforce default security by notifying users whenever software is about to be downloaded via the internet upon navigation to any URL.. but this is not the case…

            Frankly, this java vulnerability is being advised to non-technical users as if java itself is a malicious software… And that’s what the java-haters and a few other $%#$$ seem to be basking in currently… If you are not one of them @Brian, do a little more research and prove me wrong…

            1. psionski

              You seem to be missing a critical aspect of computer security – attack surface reduction. It’s not an attack against Java, it’s an attack against any installed software that you don’t really use or need. Java just happens to be one of the programs that are not needed (by most people), or, at least, not needed in the browser, but are still widely deployed and offer a huge attack surface (because it’s a pretty complicated piece of software, after all). When you look at it this way, disabling Java is a no-brainer.

            2. Ben

              I’m the sys admin for a commercial real estate company. As soon as I was hired a year ago I disabled Java on every computer in the company due to the many Java security issues in the past and the fact that over the years I’ve noticed a steep decline in the relevance of Java-based applications. Since then, I’ve run into ONE instance where it was necessary – I tried to run Eclipse PDT. I removed Eclipse, chose one of the other dozens of non-Java php IDEs available and never looked back.

              In the twelve years I’ve been running computer systems for hundreds of companies, I’ve only seen a handful of people using it, and in almost every case it was incredibly picky about version because the app was only able to use some outdated, obscure version of Java because the dev team couldn’t or wouldn’t be bothered to rewrite their application. Almost every machine I’m introduced to that has Java installed has a usually years-out-of-date version that has never been used.

              In the real world, we/users don’t have time to scour security forums to make sure there’s not ANOTHER Java exploit, updating dozens of computers or training end users to figure out if the Java update is a real update or some sort of fake spyware scam. I have gone out of my way to uninstall Java as soon as possible on any machine I am in charge of (as well as advise others to do the same), and the number of systems that need it are small and quickly, quickly dwindling. It’s really the simplest, fastest way to help secure a machine without fuss or requiring a lot more maintenance to keep installed.

    2. Vee

      I lost it at “Disable java… What a joke!! You should also stop driving cars, and disable your cellphone.”

      Which is funny, cause you contradict yourself with “more than 90% of java code written in the last 5 years are not this so-called browser based applets.” yet you criticize disabling it in the web browser, which is what’s suggested.

      1. Vee

        To follow up on my point, Java probably can have a place in the world if that place is not the average user’s web browser.

      2. Yomade

        @Vee… Boss you shouldn’t get lost so easily… From a very technical perspective, advising users to disable java is equivalent to giving advice to stop driving cars because a given make of car has faulty brakes and can cause accidents. Or disable your cellphone, because your phone can get hacked and your calls eavesdropped.

        The issue is being over-sensationalized and java is the fall guy…

        Curiously, for this 5K java exploit code, how does the transaction work out? The hacker will send you the code first or you pay first… Or why isn’t the hacker making zillions from the code already? Why does he have to sell it? I hope you can give answers to these questions?

        Sorry, Boss… I don’t mean there is no life without java. What I’m saying is that this issue is being over-sensationalized. And very very few people have the competence to understand what’s going on.

        And this sensationalism can expose people to more dangers beyond java.. I can give you hundreds of ways enterprising criminals can use this sensationalism to cheat people.

        For example, imagine a simple mail in your inbox, with a header or title from a supposedly recognized authority or even the DHT itself saying, “Have you disabled java? Let’s do a check for you”, “Authorized java disabler from the DHT” (Lolxxxx)… Click here to ensure you are 100% java safe…

        (Hook, line and sinker)… One click and you are reeled in… That’s what this issue is about, not directly java. Java has only been included in the long list of software systems that can be used to execute such exploits. And it’s been on the list for a while..

        So why all the noise, now? How many medical doctors or architects can tell the difference between java and .net ? People should be given complete and accurate information over issues like this… Not quarter-baked truths…

        This java vulnerability basically requires users to download a malicious applet to their computers via the internet… So how come the DHT didn’t advise people about downloading malicious programs to their computers via web browsers or the internet but advises disabling java??? And that’s not another question…

        1. Din5dale

          Speaking of lost…you’re contradicting yourself… badly…again.

          But then again, I’m a n@@b… 🙂

          1. Yomade

            I don’t understand you… What is a n@@b? a noob? I don’t know what that means? Maybe I’m a n@@b too or a noob??

            Lolxxx… You don’t need a tent. What you need is to wait till you grow up? or get some adult supervision? And the link to the Nintendo fan club is at the bottom right of this web page… Capisce?

            1. Din5dale

              LOL Project much? You’re a funny little person, thx for the guffaws. Be that as it may, I’ve grown quite tired of your infantile foot-stomping-“I’m right! You’re all wrong! I am! I am! I am! La-la I can’t hear you!”- and am exiting this thread.

        2. Vee

          >>”The issue is being over-sensationalized and java is the fall guy…Or why isn’t the hacker making zillions from the code already? Why does he have to sell it? I hope you can give answers to this questions?”

          It happens all the time, both Java being in the spotlight as having exploits and the selling of these exploits. It’s not over-sensationalized, it’s just a sad fact.

          >>”And very very few people have the competence to understand what’s going on. ”

          I can’t argue with that.

          >>”For example, imagine a simple mail in your inbox, with a header or title from a supposedly recognized authority or even the DHT itself saying, “Have you disabled java?”, Let’s do a check for you””, Authorized java disabler from the DHT.(Lolxxxx)… Click here to ensure you are 100% java safe…”

          Yeah, we have stuff like that already. Commonly deployed in rogue anti-virus. With that logic, let’s get rid of all legit anti-virus so then people can spot fakes! Much like your plagiarism comments against Krebs, do you actually have anything to back anything up or are you just creating fantasy scenarios, making yourself obviously flawed simply to get replies? I guess in that case you’re the one that needs a patch. ha

          >>”So why all the noise, now? How many medical doctors or architects can tell the difference between java and .net ? People should be given complete and accurate information over issues like this… Not quarter-baked truths…”

          Doctors and architects aren’t tech guys and don’t maintain their own work computers. As far as their home computers then they fall under a good chance of not needing it. Again, people that can’t maintain it shouldn’t use it anyway. Java is VERY high needs security wise. If all they’re using it for at home is something like “youtube mp3 converter 6″ or the like, how does that justify them keeping it?

          >>”This java vulnerability basically requires users to download a malicious applet to their computers via the internet… So how come the DHT didn’t advice people about downloading malicious programs to their computers via web browsers or the internet but advices disabling java???”

          Because it’s as simple as hitting a site that has the exploit and having the plugin enabled. That’s it. There is no “Do you want to download EXPLOIT.jar?” It just loads and you’re screwed. Keep in mind, a legit site can always house an exploit. I believe these are called “watering hole” attacks. Now there ARE recently added security settings in the latest Java that DO force a confirmation box. However on a legit site, a user wouldn’t think twice about enabling it. So again, watering hole attacks.

          The only legit argument anyone has for keeping Java is on enterprise where it actually would serve needs and removing it would break things, which is fine as long as it’s maintained and watched.

          1. Yomade

            @vee… Sorry to disappoint you but I’m not soliciting replies.

            I just expected a lot more competence from experts in the field… I’m a regular email subscriber on several tech forums for over a decade now. And in the last few weeks, I’ve been listening to all these “disable java” tantrums.

            The DHT is an authority with a lot of international reputation, so advisories from such an authority shouldn’t be taken lightly.

            However, in light of the computing science domain which the DHT has delved into regarding its “disable java” advisory, this is a very controversial advisory. It is indisputable that the DHT definitely has jurisdiction in giving computer related advisories, especially regarding cyber-security of American information technology infrastructure.

            However, if this advisory is short-sighted and can enable the potential for even more dangerous vulnerabilities then there is definitely a cause for alarm.

            As of the year 2005 most web browser software in the market had security settings available to prompt users before any software is downloaded, and to create exceptions for trusted websites..

            It’s 2013 boss, and these same browsers are still operating in the default mode of not prompting users when software is about to be downloaded, or providing users with evolved usability options.. (for the record, Mozilla just patched in their click-to-play usability/security enhancement). And now, rather than forcing browsers to provide higher security for end-users, Java, like I said earlier, is the preferred scapegoat.

            I was still in college the year that Oracle acquired java, and soon after, my college introduced new courses exposing us to compiler development and new programming language paradigms. I even did yet another C++ refresher in my final year. This current java issue has provided important answers regarding my curiosity about my college’s sudden change of its academic curriculum for computer science.

            Now I realize that someone, somewhere in my institution already knew that Oracle’s java acquisition was going to lead to problems in the java system (which was the preferred programming language of my college prior to this acquisition). (lolxx… I got letters of gratitude to write if you know what I mean)…

            And this does not imply that Oracle does not have the technical capacity to manage the java system. It’s possibly a whole load of other factors, I’ll leave you to decipher…

            Apache also stopped their collaboration with the java project as well, after the Oracle acquisition.
            I was a little puzzled too then, but now the picture is clearer.

            Basically, this current java scenario is over hyped… And dangers lie in this kind of sensationalism… I read the reports boss, and this so-called java reflection/class-loader vulnerability is a failsafe/high redundancy mechanism for enterprise java but with an insecure browser it is a vulnerability for applets. With a secure browser it is not a vulnerability. So what are you really talking about?

            And I did not accuse @Brian of plagiarism, it was a conditional statement… I also used harsh words for @Brian, because I wanted him to do more research on this issue… Not because I want replies… If you can’t understand, then please stop reading at this point…

            And yes, there are medical doctors who fix their own computers? And can tell the difference between java and .net… Go figure…

            I commented that you shouldn’t expect a medical doctor to distinguish between java and .net; that doesn’t imply that all medical doctors should or shouldn’t have this ability?

            (Here’s another one) There exists computer scientists who know a lot more about neuro-surgery than the average dentist? (Prove me wrong, lolxxx)

            Advising to disable java is like cutting off one head of the mythical Hydra. Ensuring 100% security compliance at the browser level is putting the hydra down for good…

            So if few people see this simple fact. There’s some incomplete information leading to ineffective strategy being propagated regarding this vulnerability. And plausibly a business, or emo-political developers motive for supporting such a short-sighted approach to securing end-users from malicious internet activities.

            Do the maths boss, because if you can’t understand the logic or technicality behind my comments then just remember one day… That here at @Brian’s blog, just one tiny corner of the internet universe… Someone, at some time had highlighted an oversight on how some aspect of information technology security is being managed in the United States… And as a result, possibly in the rest of the world…

            1. Vee

              >>”I just expected a lot more competence from experts in the field… I’m a regular email subscriber on several tech forums for over a decade now. And in the last few weeks, I’ve been listening to all this ” disable java” tantrums…Advising to disable java is like cutting off one head of the mythical Hydra. Ensuring 100% security compliance at the browser level is putting the hydra down for good… ”

              Thing is, Krebs regularly suggests things like Noscript/Notscript and keeping plugins updated rather than disabled -even including Java at one time. Plugins are a luxury rather than a necessity, if one can personally do without them, why shouldn’t they?

              Using that analogy, disabling Java in your browser disables the Java spewing browser exploit Hydra head permanently. Yeah, there’s still the multiple Adobe heads and the Javascript head, countless others. And you know what most security experts would say? That ideally, ALL plugins should be disabled and cookies and Java should be watched with things like Firefox’s Noscript/CookieMonster. Seriously go download a Tails LiveCD from the TorProject and check out its browser plugins. Sure it’s meant for privacy, but it’s probably one of the safest things I’ve ever seen to browse the web in general. And then since it’s a LiveCD, even if you are hit with something, which would be very hard with its lineup of settings and software, it doesn’t really matter cause everything is only stored in RAM.

              >>”As at the year 2005 most web browser software in the market, had security settings available to prompt users before any software is downloaded, and create exceptions for trusted websites.. It’s 2013 boss, and this same browsers are still operating in the default mode of not prompting users when software is about to be downloaded.”

              I’ve actually noticed the opposite with Firefox and even Internet Explorer for file downloads, unless you mean plugins that load stuff. Then again, that’s why I use Noscript. I can agree with that though, I do remember a time around 10 years ago when I was asked if I wanted to download a simple cookie. I’m guessing they did away with that with having so many sites using a multitude of cookies/plugin required stuff like flash that you’d have to go through around 15 dialog boxes per page. So basically, yeah, they did away with it for convenience and that’s probably why Noscript doesn’t come included with Firefox even though it should. I agree with ya there, it would be nice to see some things force users into security habits, if that’s what you’re saying.

              >>”And yes, there are medical doctors who fix their own computers?”

              As far as their work computers, no. They really haven’t the time to play Tech Support and if they have to then that really says a lot for the lack of Tech Support they must have. In that sense, what would you say if a doctor came up to someone in tech support and said: “Hey buddy, I’m doing open heart surgery in a minute. Got any tips?” Sadly a lot of Tech Support is so bad that people probably would think nothing of a doctor in a hospital playing tech on the side, but no way could they hold responsibility over all their office computers security wise. That’s why if you’re suggesting they’re responsible for maintaining their work computers, which aren’t used for surfing the web mind you, it’s just laughable.

              >>”Basically, this current java scenario is over hyped… And dangers lie in this kind of sensationalism… I read the reports boss, and this so-called java reflection/class-loader vulnerability is a failsafe/high redundancy mechanism for enterprise java but with an insecure browser it is a vulnerability for applets. With a secure browser it is not a vulnerability. So what are you really talking about?”

              What dangers are there in alerting people to yet another Java exploit and suggesting a solution? I said it before and I’ll say it again, hardly anyone maintains computers like most of us here do, us that either do it for a living or are enthusiasts. And even then, it’s still a lot easier and safer to just disable the plugin than keep up with the maintenance for something most of us don’t use. You criticize the advice of disabling the PLUGIN in fear that it will generate malicious Java removal tools and put enough fear in enterprise to stop using Java altogether. Yet you seemingly recognize that most of these exploits are browser based attacks. Finally you also seem to think these same security experts don’t recommend the removal (if possible) of OTHER browser security risks.

              Tell me, what settings prevent watering hole attacks? The one area Java doesn’t need to be, the one area that disabling it WOULD keep it out of the “propaganda news stories” because there wouldn’t be any to report and yet you keep your stance that they shouldn’t recommend disabling it? What about Shockwave, another plugin that most argue is a dying/rare thing to use online -when is the last time you needed Shockwave that wasn’t for a game? I myself have both Shockwave and Java installed yet disabled for my browsers and even then I only use either for games personally.

    3. Ken Pelkman

      tis true – there are many other exploit vectors (or components to exploit) and many ways to convince users to reduce their security.

      I am focusing on just this one topic – the Sun/Oracle Java JVM/JRE. I’m completely ignoring other technologies such as javascript, vbscript, active-x, other add-ins – which all have their own multitudes of problems.

      I am basically stating that it may be unrealistic for many people and enterprises to uninstall the Java VM or to disable it in the browser. If someone can live without the Java VM then they should uninstall it, given that Java will be under attack for the foreseeable future. I suspect that there are more websites than people realize that have implemented java applet functionality. Untold numbers of unmanaged (or self-managed) SMB machines are doing B2B over the internet. For many, these will be their personal machines. What is the definition of an average user? That would create quite a discussion.

      I am primarily coming at this from an enterprise view – managed machines using many browser based applications – internal and in the cloud. I have a personal perspective as well as I do use websites that have implemented Java applications (not javascript).

      So there is no getting around it – Java applets need to function – in the enterprise and personally – and therefore a mitigation is required to reduce the risk.

      The mitigation I described reduces the risk by stopping java applets from running for most internet sites (the Internet zone in IE) and letting them run for sites which users have deemed to be trusted (the Trusted Zone in IE).

      This mitigation is only one of many that must be used to protect machines.

      I tried to avoid the “which browser to use” discussion – but now mentioned – in the enterprise there is only one answer for us. We need active-X to work for enterprise applications and we are not about to support other browsers. Personally I use Firefox but to do so for our fleet would introduce much unnecessary work and I think would actually increase our risk if not managed correctly.
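      As an added illustration of the zone-based mitigation described in this comment (an example written here, not the commenter’s own script), the PowerShell below audits Internet Explorer’s per-zone “Java permissions” setting so an administrator can verify that the Internet zone blocks applets while Trusted Sites still allows them. It assumes the standard IE zone registry layout (`…\Internet Settings\Zones\<id>`, DWORD value `1C00`) and its documented value meanings; the zone ids and labels are the standard IE ones.

      ```powershell
      # Added example (not the commenter's code): audit IE's per-zone Java permission
      # so the "block in Internet zone, allow in Trusted Sites" mitigation can be verified.
      # Assumes the standard IE zone registry layout: ...\Zones\<id>, DWORD value 1C00.
      # Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.

      $ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

      # Documented meanings of the 1C00 DWORD ("Java permissions").
      $JavaPermission = @{
          0x000000 = 'Disable Java'
          0x010000 = 'High safety'
          0x020000 = 'Medium safety'
          0x030000 = 'Low safety'
          0x800000 = 'Custom'
      }

      # A machine-wide policy value (Group Policy) overrides the per-user setting, so check it first.
      $ZoneRoots = @(
          'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
          'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
      )

      function Get-IEJavaPermission {
          param([int]$ZoneId)
          foreach ($root in $ZoneRoots) {
              $key   = Join-Path $root $ZoneId
              $value = (Get-ItemProperty -Path $key -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
              if ($null -ne $value) {
                  $label = if ($JavaPermission.ContainsKey([int]$value)) { $JavaPermission[[int]$value] } else { 'Unknown' }
                  return [pscustomobject]@{
                      Zone    = $ZoneNames[$ZoneId]
                      Source  = if ($root -like 'HKLM:*') { 'Machine policy' } else { 'User setting' }
                      Value   = ('0x{0:X6}' -f [int]$value)
                      Meaning = $label
                  }
              }
          }
          # No explicit value in either hive: IE falls back to its built-in default for the zone.
          [pscustomobject]@{ Zone = $ZoneNames[$ZoneId]; Source = 'Not set'; Value = $null; Meaning = 'Browser default' }
      }

      $report = 1..4 | ForEach-Object { Get-IEJavaPermission -ZoneId $_ }
      $report | Format-Table -AutoSize

      # The mitigation described in the comment holds only when the Internet zone is
      # 'Disable Java' while Trusted sites is anything other than 'Disable Java'.
      $internet = $report | Where-Object Zone -eq 'Internet'
      $trusted  = $report | Where-Object Zone -eq 'Trusted sites'
      if ($internet.Meaning -eq 'Disable Java' -and $trusted.Meaning -ne 'Disable Java') {
          Write-Host 'OK: Java blocked in the Internet zone, permitted for Trusted sites.'
      } else {
          Write-Warning 'Java is not restricted to Trusted sites; review the Internet zone setting.'
      }

      # Caveat: confirm on the actual IE/JRE build in use that this zone setting really
      # governs the installed Java plug-in (behaviour has varied across IE and JRE versions),
      # for example by loading a harmless applet test page from each zone.
      ```

      Run it under the user account whose browser is being audited, since the HKCU branch is per user; the Trusted Sites list itself still has to be reviewed separately, because any site placed there regains applet access.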

      1. Vee

        I think there is a difference between “average user” of a home computer and someone maintaining some enterprise, but only by a level of tech knowledge. The advice of removing Java is directed at people who can’t maintain it, period, which I could arguably say applies to home users and enterprise. Honestly I’d agree that’s probably the best place for Java, behind the scenes IF there’s someone to keep a leash on it like using some of the methods you’ve mentioned. I really love Zsolt Sandor’s comment above of using a whitelist.

        I can’t say I’ve seen everything, but knowing how people are, what’s your bet there’s more sloppily maintained unpatched Java used in enterprise than there’s not? What’s your bet most home users and enterprise users won’t get a safe environment without say Oracle FORCING Java into whitelisting on install?

        So I’m with Mark Walker’s comment above with saying “They, like nearly every other major software company, go thru phases on security.” Either Oracle will have to keep a leash on Java with heavy security settings on install, users will get fed up and try to do as much as they can without it, or it’ll just continue on like it has been for years.

  20. Yomade

    I would like to offer my unreserved apologies to everyone on this blog, especially @Brian for my terrible choice of language in expressing my opinions…

    I may have made some salient points but it was also wrong to over-emphasize my opinions… Once again my sincere apologies…
