Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Bug Java Oracle

First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers 122

An anonymous reader writes with Help Net Security's report that a new zero-day vulnerability in Java is being exploited, quoting from which: The flaw was spotted by Trend Micro researchers, who are closely monitoring a targeted attack campaign mounted by the economic and political cyber-espionage operation Pawn Storm. The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit. The exploit allows attackers to execute arbitrary code on target systems with default Java settings. Until a patch is made, disabling Java is the recommended course of action.
This discussion has been archived. No new comments can be posted.

First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers

Comments Filter:
  • by Anonymous Coward on Monday July 13, 2015 @06:30AM (#50097201)

    There hasn't been a zero day for Java in two years?

    If that's true, that sounds like the real news here.

  • Here we go again. (Score:5, Insightful)

    by sproketboy ( 608031 ) on Monday July 13, 2015 @06:30AM (#50097205)

    It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.

    • by Anonymous Coward

      Well, Oracle hating is well justified. Java on the other hand not.

    • by Big Hairy Ian ( 1155547 ) on Monday July 13, 2015 @07:01AM (#50097303)
      I was just going to suggest everyone just change their brand of coffee! Problem solved
    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • Well, yeah, Oracle hate is totally justified, so let's do it! (Besides, who wrote the plugin?)

        But yes, Java hate is OTT. It's a decent language/concept. Microsoft did it better with .NET/C#, but beyond the painful programming patterns Java's frameworks enforce on everyone, it's not a bad system.

        The plugin needs to go though.

        I hate Java as much as anyone. But I need Java every day; a lot of servers I manage around the world can only be accessed by Java based KVM consoles. Theres tons of hardware out there thats built with control interfaces that need Java.

        Its sad but its true.

        • by Rob Y. ( 110975 )

          So enable the plugin for your KVM console's URL only. If that's not possible, there should be a browser extension that makes it possible.

    • It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.

      The Java plugin thats disabled by default in the latest Chrome and will soon be completely unusable in Chrome thereby forcing sysadmins to use a different browser to administer hardware that needs Java in order to manage it, like IPMI, KVM, SAN's etc etc. That Java plugin?

  • Java is the recommended course of action.

    FTFY. No need to include a timeframe.

  • if it wasnt for Minecraft, no end user would be left with java.

    And in the office world, all the scared of MS tards led us down the java path. Thanks guys!

  • "Until a patch is made, disabling Java is the recommended course of action."

    Nope, it's _ALWAYS_ the recommended course of action

  • FTFY

    Always disabling Java is the recommended course of action.

    Java and Flash on the web are technologies that have come and gone. Now that HTML5 video is prevalent, I'm much more likely to get pwn3d by a zero day than I am to find anything in either Java or Flash that I'd actually miss.

  • The warning should be "Disabling Java in your preferred browser is the recommended course of action".

    But even that might be more than you need. My FireFox always asks if I want to allow Flash or Java to run on any new site.. Another dialog comes up to display the code signing details. This seems pretty safe.

    That said, the code signing and sandboxing situation for Java IS a holy mess.

  • "The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit"

    Is it possible to design a browser that can't be compromised by navigating to a 'suspicious URLs'?
    • In theory, a server should never be able to compromise a browser (no matter what URL the server is hosted at *eye roll*), so yes, it's possible. Is it *practical*? Probably not. Modern browsers are complex beasts, with tons of attack surface and a constant push towards better performance.

  • Firefox and other browsers (and Flash) had 0-day security exploids like forever, but nobody recomends to just stop using the Internet. Also, you can chose to run the Java Applet in a sandbox. There are tons of very useful Japa Apples still there, why should I deactivate Java and stop using them now? How is that 0-day exploid going to affect me in any way? It isn't and it won't, especially because Java Apps ask for permission to be run.

    https://sites.google.com/site/... [google.com]

  • From TFA: "downgrading Java to one of the older versions is not a good idea because they are vulnerable to other attacks"

    well, which attacks, and are they not patched?

Avoid strange women and temporary variables.

Working...