This is getting old: New zero-day vulnerabilities found in latest versions of Java, including Java 7 Update 15

Still have Java installed on your computer or enabled in your browser? Then you should know new vulnerabilities have been discovered in the latest versions of Java. Again.

The current latest version of Java is Java 7 Update 15, which includes the most recent patch Oracle issued on February 19. According to Security Explorations, a Poland-based security company that has been discovering Java vulnerabilities faster than Oracle can patch them, Java 7 Update 15 has two previously undiscovered vulnerabilities that, once combined and exploited, allow scumbags to bypass Java’s security sandbox and take control of and/or infect computers.

These two vulnerabilities, identified as Issue 54 and Issue 55, affect not only the latest version but all of Java 7. However, they don’t appear to affect earlier versions of Java. It is unknown if these vulnerabilities are Windows-only or affect Mac OS X and Linux, too.

The next regular Java update by Oracle that could potentially fix these issues is scheduled for April 16. So unless Oracle issues another irregular patch (which will only happen if these vulnerabilities are discovered in in-the-wild attacks), these vulnerabilities are going to stay unpatched for over a month. This is particularly worrisome considering that recent hacks of major corporations, e.g. Facebook, Apple, and Microsoft, were conducted by exploiting Java.

If you still have Java installed/enabled, this may be a good time to either uninstall Java completely or at least disable it in your browser.

[via Softpedia, Security Explorations, image via Justin Kraemer]

50 comments

  1. santuccie

    @Bub:

    Re-reading your last post, you got it part right. The only problem is that you’re counting PoC exploits as statistics. Just for the record, PoCs are used regularly; this is how researchers prove the existence of a vulnerability to the developers (the only time there might not be a PoC exploit is if the developers themselves discovered the flaw, and are publicly announcing and/or patching it). So yes, if you’re trying to argue that “zero-day” almost always indicates the existence of an exploit, then you would be right. However, by your rationale, the very term, “vulnerability” would itself indicate the existence of an exploit; at least a PoC exploit.

    The reason you are having such a hard time finding a definition for “zero-day vulnerability” is because it is so rarely used. The public doesn’t usually read about a vulnerability until after there is either a patch available, or an In-the-Wild exploit; and this is usually more than 24 hours after the vulnerability is discovered. Another term you may not have heard is “zero-day warez”, which refers to software that is cracked the same day it is released. It does not refer to a crack that is less than one day old, nor does it refer to a crack that will execute arbitrary code and compromise your system. This term is also rare, because warez do not usually come out the same day as the licensed releases.

    “Zero-day exploit/attack” refers to an ItW (not PoC) exploit whose outbreak is the same day a vulnerability is discovered or, more frequently, before the developers were ever aware of the vulnerability. The day of the outbreak in either case is day zero, as the vulnerability has been known to the developers for less than 24 hours. PoCs do not count as active exploits, even if they are released to the public. There is no threat to you or me until the bad guys pick up on it and release an exploit designed to do their dirty deeds. Not to be a smart-***, but it was you who proved my point.

    Sorry if I failed to clarify this earlier, but I’m not guessing at this; I’m not “winging it.” ;) No hard feelings, just useful information. Cheers!

  2. Steve

    Unfortunately, Java is required to create an mhtml file from Firefox that can later be opened. (If Java is disabled, you can still create an (invalid) mhtml file, but you won’t be able to open it.)

  3. DoktorThomas

    Oracle seems to be code content, take-it-or-leave-it. It is another sterling example of behemoth corporate haphazard commitment to individual users.

    Come on, Coders, the arena is devoid of creativity…

    Besides, can the I-world not easily survive without Oracle’s java?

  4. Bub

    [@santuccie]
    Actually, as far as I can tell, your definitions are yours and yours alone. I cannot find any source that defines “zero-day” as “discovered within the last 24 hours”. As generally used, the term refers not to the time since discovery, but the time available to developers to fix the bug between time of discovery and time of working exploit. The only disagreement I found between definitions is whether for a “zero-day vulnerability” the working exploit had to be in the wild, or whether a working proof-of-concept would suffice.

    In fact, your response really proves my point. If the term is so poorly understood that some readers interpret it as inaccurately as you do, then it is not conducive to effective communication.

  5. J.L.

    “Ignorant has nothing to do with ignoring. Clearly, you are ignorant to the meaning of the word. Ignorance means lack of knowledge or education. Stupidity means dullness of mind. And ignoring means not paying attention. Ignorant does NOT mean a state of being one who ignores things. Speaking of “ignoring what I actually said and only relying on your own interpretation,” you just made a fool of yourself for the umpteenth time. Thanks for the laugh. This one will follow you until the end of our conversation.”
    Must have been my dictionary, but it’s just like you to be overblown.

    “When WAS the words in the same place? Learn grammar. That said, you told me that IE blocks plugin-based content by default, but ActiveX filtering is what causes the blocking (ActiveX is IE’s counterpart to plugins). Again, you don’t know enough about computers to know when your foot is in your mouth.”
    I thought it did, but it appeared to be my settings. Java isn’t executed without your permission in virtually all cases though.

    “A drive-by download delivered by a Java exploit. The same stuff exists for Windows (e.g. rogue AV), and we’ve been over that. Don’t get me wrong; not all Java pop-ups are drive-by downloads. Some rely on at least one click, others do not. The point is that plugin-based content in pop-ups that circumvent ASLR present a real threat, and one that can be greatly reduced by either enabling click to play, or by enabling ActiveX filtering in the event that IE is your preferred browser.”
    I’d like to see a true drive-by example, but valid point.

    “You should have read my latest responses through to the end before firing back. They are NOT mainly JavaScript; in fact, the pop-up itself may be completely devoid of JS. NO pop-up is comprised entirely of JavaScript, period. It’s either HTML by itself, or HTML with JS and/or some plugin-based content (such as Java content). JS is not the building block of Web pages; it’s simply a code that can be embedded into HTML to provide enhanced functionality. HTML is not dependent on JS, and JS does not stand on its own. Get it?”
    Obviously you don’t respect me enough to constantly post security 101, web 101, etc. Maybe you should search my name and find out yourself how knowledgeable I am. Please give me an example of a pure HTML popup.

    “Here’s your problem: you only recently learned that JS is responsible for launching a pop-up, which you probably got in a Google search while trying to cross swords with someone who has decades of experience to prepare him for the likes of you. This is like reading the wikipedia about thrusting and parrying while you’re in the middle of a fencing match with Albert Axelrod (exaggeration, of course; I am by no means a revered authority). This is strike 5, and the most conspicuous of all the blunders you’ve made so far. I told you that the longer you continue for the sake of your pride, the more ammo you give me to blow your cover and stomp that pride flat. You’re a regular glutton for punishment! Want some more?”
    Looks like all civility might’ve been lost if Ashraf didn’t step in.

    @santuccie:
    I won’t deny that you know the topic at hand, but nobody is perfect and one is not above others.

  6. Ashraf
    Author/Mr. Boss

    [@santuccie] [@J.L.] LMAO are you two still at it?

    In all seriousness, I love the discussion and the back-and-forth — very informative and educating. However, let’s be adults about it, puhleez. Personal insults/attacks don’t add any weight to a point and only lower the quality of the discussion. Of course that doesn’t mean you can’t be uber defensive but do it respectfully.

    Thanks!

  7. santuccie

    [@J.L.]
    “I say ignorant, because you clearly ignore what I actually said and only rely on your own interpretation.”
    - Ignorant has nothing to do with ignoring. Clearly, you are ignorant to the meaning of the word. Ignorance means lack of knowledge or education. Stupidity means dullness of mind. And ignoring means not paying attention. Ignorant does NOT mean a state of being one who ignores things. Speaking of “ignoring what I actually said and only relying on your own interpretation,” you just made a fool of yourself for the umpteenth time. Thanks for the laugh. This one will follow you until the end of our conversation.

    “Learn Ctrl+F. When was the words “Default” and “ActiveX Filtering” ever in the same place?”
    - When WAS the words in the same place? Learn grammar. That said, you told me that IE blocks plugin-based content by default, but ActiveX filtering is what causes the blocking (ActiveX is IE’s counterpart to plugins). Again, you don’t know enough about computers to know when your foot is in your mouth.

    “What does FlashBack Trojan have to do with Internet Explorer on Windows?”
    - A drive-by download delivered by a Java exploit. The same stuff exists for Windows (e.g. rogue AV), and we’ve been over that. Don’t get me wrong; not all Java pop-ups are drive-by downloads. Some rely on at least one click, others do not. The point is that plugin-based content in pop-ups that circumvent ASLR present a real threat, and one that can be greatly reduced by either enabling click to play, or by enabling ActiveX filtering in the event that IE is your preferred browser.

    “What pop-ups? I only said rogue pop-ups are mainly JavaScript.”
    - You should have read my latest responses through to the end before firing back. They are NOT mainly JavaScript; in fact, the pop-up itself may be completely devoid of JS. NO pop-up is comprised entirely of JavaScript, period. It’s either HTML by itself, or HTML with JS and/or some plugin-based content (such as Java content). JS is not the building block of Web pages; it’s simply a code that can be embedded into HTML to provide enhanced functionality. HTML is not dependent on JS, and JS does not stand on its own. Get it?

    Here’s your problem: you only recently learned that JS is responsible for launching a pop-up, which you probably got in a Google search while trying to cross swords with someone who has decades of experience to prepare him for the likes of you. This is like reading the wikipedia about thrusting and parrying while you’re in the middle of a fencing match with Albert Axelrod (exaggeration, of course; I am by no means a revered authority). This is strike 5, and the most conspicuous of all the blunders you’ve made so far. I told you that the longer you continue for the sake of your pride, the more ammo you give me to blow your cover and stomp that pride flat. You’re a regular glutton for punishment! Want some more?

  8. J.L.

    [@santuccie] I’ve yet to see a “HTML pop-up” that doesn’t rely on JavaScript.

    The example you gave me was not FlashBack Trojan.

    The fact is, Internet Explorer gives a security prompt whenever a Java applet is run (not to mention the possible UAC prompt). Although there may be bypasses of that, I doubt it’s as widespread as you think. The fact is, Internet Explorer 9+ has ActiveX Filtering, which is basically click to play. I should have mentioned that earlier. The fact is, you have insulted me in every way you can, and I’m sick of it.

  9. J.L.

    [@santuccie] “I’m surprised you’re still here. Clearly, you don’t know enough about computers to even realize that you were down for the count a few posts back already. So here you are again, flogging a dead horse. Suit yourself…”
    I don’t know what kind of flagrant hubris you have looking down on me, but it’s not going to work.

    “What are you talking about? This was in response to your remark about the effectiveness of pop-up blockers! Are you still trying to claim that there are no Java-based pop-ups? Okay, you just keep on saying that; it’ll be a short trip back here with a screenshot the very next time I run across a Java pop-up. Then you can tell all your friends how you sure told me (just hope they don’t actually find this thread).”
    Can you understand the word most?

    “Changing stories, are we? You said it has it BY DEFAULT.”
    When I said default in my first post there was no mention of ActiveX Filtering. It only meant the Internet Explorer security prompt when you run a Java applet.

    “That’s funny, coming from you. Do you know what “ignorant” means? It doesn’t mean stupid, if you were trying to find a sophisticated way to call me that. And if you actually knew that ignorant means inexperienced – which I doubt – then you would know that describes the person who has been consistently getting schooled… you. Either way, you’re not describing me. Nice try, though.”
    I say ignorant, because you clearly ignore what I actually said and only rely on your own interpretation.

    “So what? I thought it took you all that time because you “have a life.” How old are you, kid? I should be grateful that some wannabe is trying to pretend that he is some kind of guru, belittling his better, and repeatedly asserting that he is stating “facts” after being struck down again and again for misinformation? So, posting on an assumption, jumping from one foot to the next as you get knocked back, and all the while thumbing up your nose at my experience is charity from you to me? Great, you’re blind as a bat AND audacious. You’ll make some girl a fine partner one day.”
    If you cannot see the facts, then there’s no helping it.

    “First, you’re not bullying anybody; I don’t take orders from you. Second, you put “default” in your own mouth. Just look back at your previous posts. They’re not going anywhere; they’ll be there for all the world to see after you’ve dug yourself a hole so deep that you can never climb out, and I won’t even have to bother saying I told you so.”
    Learn Ctrl+F. When was the words “Default” and “ActiveX Filtering” ever in the same place?

    “Oh, really? Going on a hunch again, are we? Just FYI, we’re talking about pop-ups that come not only from dodgy Web sites, but also from legitimate pages that have been compromised by a third party. If they don’t install automatically, as some actually do, then one can only be rid of them by terminating the process or rebooting; not something the average user would know (you didn’t even know until I told you). Furthermore, I’ve already told you flat-out that the Flashback Trojan was a drive-by download; the only difference between providing the admin password and not doing so was whether it installed only to one user account, or system-wide. Strike 4.”
    What does FlashBack Trojan have to do with Internet Explorer on Windows?

    “And lastly, are you backing out of your denial that these pop-ups are indeed Java-based? Wise choice, but a little too late to save face here. And trying to dismiss it as a poor example (a drive-by download is a worse example than you thought?) is yet another cop-out for the record books. On the bright side, you can always create a new username, LOL.”
    What pop-ups? I only said rogue pop-ups are mainly JavaScript.

  10. santuccie

    P.S.: Reading back over our previous posts, I can see that my own wording would seem to position a screenshot for a Java pop-up (which I will still provide for you when I have one), since I had addressed your inability to provide concrete evidence in the same paragraph. What I was thinking and what came out were two different things, sorry. I knew what I meant.

  11. santuccie

    [@J.L.]
    While I was reading about the Flashback Trojan, it occurred to me that what may have confused you is that you may have recently read about JavaScript being what causes a pop-up to load. And when you made your rebuttal that the pop-up in my screenshot was a JS pop-up, now I realize that you’re thinking the content in the page itself is JS. Is that it? Because most of the content in the pop-up you see is neither Java nor JS, but HTML (except for Java pop-ups, which would likely include some HTML as well).

    Understand that JS is not what the Flashback Trojan used to infect over 600,000 Macs, although JS is what opened the pop-up; it was a Java exploit. Sorry to confuse you, but I didn’t realize you’d gotten even the JS bit itself from a Google search while you were already trying to engage me in a debate, LOL. Oh, well; live and learn.

  12. santuccie

    [@Bub]
    I’m with Ashraf. If you actually did see two misnomers out of the first three sites you looked at, understand that not all bloggers are created equal.

    Not to be rude, but you appear to be alone in your contention. And you can’t please everybody; just because one reader interprets the word “vulnerability” to mean “exploit” whenever “zero-day” is coupled with it, doesn’t make the author wrong for failing to read minds and word things accordingly.

    “Zero-day” means something that was discovered less than 24 hours ago, “zero-hour” means something that was discovered less than 60 minutes ago, and “vulnerability” means weakness. If exploits are exploits, and vulnerabilities are exploits, then what would be your word choice to describe a vulnerability that was discovered today by the good guys, and not the bad guys?

  13. Bub

    [@Ashraf]
    Interestingly, a bit of research has shown the question to be less cut-and-dry than I thought. I found three definitions of “zero day vulnerability,” two of which imply active exploits being in the wild, whereas the third one does not.

    What is clear, though, is that the term “zero-day vulnerability” is far less frequently used (and defined) than the similar term “zero-day attack,” which everyone agrees does imply an active exploit.

    At the end of the day, it doesn’t matter which definition of “zero-day vulnerability” you personally adopt; what matters is what the term means to your readers. Between the fact that – in my admittedly small sample of definitions – the active exploit is implied more often than not, and the similarity to the more commonly used term “zero-day attack”, I strongly suspect that the majority of your readers, if going by the headline alone, would believe the headline to imply an active exploit. You may not intend for them to come away with such a false impression, and you may hope that they read the full article for clarification, but I do believe that hyping the story with this language does the community a disservice.

  14. santuccie

    “One last note, stop putting words like “default” in my mouth.”
    - First, you’re not bullying anybody; I don’t take orders from you. Second, you put “default” in your own mouth. Just look back at your previous posts. They’re not going anywhere; they’ll be there for all the world to see after you’ve dug yourself a hole so deep that you can never climb out, and I won’t even have to bother saying I told you so.

    “Your example is worse than I thought, it doesn’t exploit anything other than user stupidity, you have to download and run it.”
    - Oh, really? Going on a hunch again, are we? Just FYI, we’re talking about pop-ups that come not only from dodgy Web sites, but also from legitimate pages that have been compromised by a third party. If they don’t install automatically, as some actually do, then one can only be rid of them by terminating the process or rebooting; not something the average user would know (you didn’t even know until I told you). Furthermore, I’ve already told you flat-out that the Flashback Trojan was a drive-by download; the only difference between providing the admin password and not doing so was whether it installed only to one user account, or system-wide. Strike 4.

    And lastly, are you backing out of your denial that these pop-ups are indeed Java-based? Wise choice, but a little too late to save face here. And trying to dismiss it as a poor example (a drive-by download is a worse example than you thought?) is yet another cop-out for the record books. On the bright side, you can always create a new username, LOL.

  15. santuccie

    [@J.L.]
    I’m surprised you’re still here. Clearly, you don’t know enough about computers to even realize that you were down for the count a few posts back already. So here you are again, flogging a dead horse. Suit yourself…

    “Wow, epic fail. There’s not even the slightest bit of java in flash-player-update.com. There’s a JavaScript popup though.”
    - What are you talking about? This was in response to your remark about the effectiveness of pop-up blockers! Are you still trying to claim that there are no Java-based pop-ups? Okay, you just keep on saying that; it’ll be a short trip back here with a screenshot the very next time I run across a Java pop-up. Then you can tell all your friends how you sure told me (just hope they don’t actually find this thread).

    “I stated Internet Explorer has that as well. ActiveX Filtering is in IE 9 too.”
    - Changing stories, are we? You said it has it BY DEFAULT.

    “You’re one of the most ignorant people I’ve ever met. Apparently anything you only consider yourself as the bearer of all facts.”
    - That’s funny, coming from you. Do you know what “ignorant” means? It doesn’t mean stupid, if you were trying to find a sophisticated way to call me that. And if you actually knew that ignorant means inexperienced – which I doubt – then you would know that describes the person who has been consistently getting schooled… you. Either way, you’re not describing me. Nice try, though.

    “So what if I spent more time? You should be grateful that someone is trying to research and state the facts.”
    - So what? I thought it took you all that time because you “have a life.” How old are you, kid? I should be grateful that some wannabe is trying to pretend that he is some kind of guru, belittling his better, and repeatedly asserting that he is stating “facts” after being struck down again and again for misinformation? So, posting on an assumption, jumping from one foot to the next as you get knocked back, and all the while thumbing up your nose at my experience is charity from you to me? Great, you’re blind as a bat AND audacious. You’ll make some girl a fine partner one day.

  16. J.L.

    *accidentally pressed post*
    stated: “Thanks to click to play, all my pop-ups display harmless placeholders, just like all other plugin-based content.” I stated Internet Explorer has that as well. ActiveX Filtering is in IE 9 too.

    You’re one of the most ignorant people I’ve ever met. Apparently anything you only consider yourself as the bearer of all facts.

    So what if I spent more time? You should be grateful that someone is trying to research and state the facts.

  17. santuccie

    [@J.L.]
    “And I showed you 2 sites that it appeared on.”
    - Can’t link to a specific page? If you intend to prove a point, you don’t tell the other party to “go fish.” But since you want to try and turn the tables on me, here you go:

    http://s1033.beta.photobucket.com/user/santuccie/media/sshot-2.png.html

    Cakewalk. Now, it’s your turn.

    “That’s because you mentioned rogue pop-ups, and continued talking about it. Now you’re changing the subject to rogue AV.”
    - Clever. I mentioned rogue AV because it’s one of the most prevalent types of rogue software. You also have rogue reg cleaners and, more recently, rogue disk utilities. But I brought up a pandemic I thought you might have heard about, because EVERYONE is hearing about rogue AV.

    “No, that’s the case means your click to play statement.”
    - What are you talking about? When you say, “that’s the case by default as well on Internet Explorer,” you could be meaning that click to play is a default feature in IE, or both in IE and alternative browsers, neither of which is true. Only in IE10, which is used by approximately 1.29% of Web surfers.

    “Why should I leave when you’re messing with my facts? At least I’m trying to improve myself by learning.”
    - First, you’re trying to fake it until you make it. Second, what facts? You’ve already struck out, kiddo.

    “Lastly, I took 2 hours, because I have a life outside of arguing with a stranger on this site. Not to mention I had to restart to reset Internet Explorer’s settings, install Flash and Java on my XP virtual machine, and download/install Windows 7 on VirtualBox.”
    - LOL, nice contradiction there. You’ve spent a lot more time on this than I have, just FYI; it doesn’t take long for me to squash your latest, feeble attempt to save face.

  18. J.L.

    Speaking of “burden of proof”, where’s yours for this statement: Like I said in my first response to you, legitimate pages will trigger the prompt, illegitimate ones will not; cybercriminals don’t follow the rules.

  19. J.L.

    [@santuccie] And I showed you 2 sites that it appeared on.

    That’s because you mentioned rogue pop-ups, and continued talking about it. Now you’re changing the subject to rogue AV.

    No, that’s the case means your click to play statement.

    Really, says the one who made a big deal out of it. Why should I leave when you’re messing with my facts? At least I’m trying to improve myself by learning.

    Lastly, I took 2 hours, because I have a life outside of arguing with a stranger on this site. Not to mention I had to restart to reset Internet Explorer’s settings, install Flash and Java on my XP virtual machine, and download/install Windows 7 on VirtualBox.

  20. santuccie

    [@J.L.]
    Oh, don’t cop out on me now. Haven’t you heard the term, “burden of proof?” These are your words: “There’s a prompt whenever a site needs Java.” You made the claim, not I.

    Now, you’re changing the subject to pop-up blocking. Problem with that theory is, all browsers have that enabled by default. Why then do you think people are getting infected with rogue antivirus products right and left? And besides, you can turn pop-up blocking in IE all the way up, and you’ll still have problems.

    Is ActiveX filtering enabled by default? Because you said, “that’s the case by default as well on Internet Explorer.” Strike 3.

    Who’s wasting whose time? You came after me, remember? And I told you that you could leave at any time. But you still seem to think you can win this debate by learning on the fly.

  21. J.L.

    [@santuccie] One is Flash, which there’s no alert. You never visited the Java games site, so I provided an easier example. Prove to me that illegitimate one will not trigger those prompts.

    I never said anything about pop-up ads showing prompts, but all browsers block most pop-ups by default so there’s a notification. Now I have to show you something that’s obvious? I thought you knew enough to not need such examples, so stop wasting my time.

    ActiveX Filtering blocks all plugins, research more.

  22. santuccie

    [@J.L.]
    What happened to the other two sites? And I know about the security warning pop-up. Like I said in my first response to you, legitimate pages will trigger the prompt, but illegitimate ones will not; cybercriminals don’t follow the rules.

    At least to you? This and Oracle’s own Java test page are the comebacks that took you two hours to hit me with? Sorry, but show me a pop-up ad that triggers a prompt. And then, show me some JS pop-up ads.

    As far as ActiveX goes, that is IE only; other browsers don’t have it. And more importantly, ActiveX is subject to ASLR. Java and Flash are not, which is why more exploits are being written for them these days. That, and the fact that they are cross-platform.

  23. J.L.

    [@santuccie] After some extensive testing, I’ve found out that the prompt does not appear for Flash by default. As for Java, there is a “This website wants to run the following add-on:” and a Security Warning pop-up. That is the case for Internet Explorer 8 and 10 on both XP and 7. Just go to: http://www.java.com/en/download/testjava.jsp

    I did mean just IE, because I remember it working in 8 and 9. Most of the time rogue popups means JavaScript (at least to me), because they always appear in websites full of ads. Sure I’ll keep going, thanks to ActiveX Filtering that’s the case for Internet Explorer as well.

  24. santuccie

    [@J.L.]
    I visited the two sites you linked me to, with IE8 on default settings. I didn’t receive any prompts for Java. Of course, I didn’t go very far; I just played a video (which uses Flash, not Java).

    I mentioned IE10 earlier, and also that this is not yet the standard. And you didn’t say IE10; you said Internet Explorer. By the way, where did you read that rogue pop-ups are JS, rather than Java? I suggest you try again. Thanks to click to play, all my pop-ups display harmless placeholders, just like all other plugin-based content. That’s strike 3. You wanna keep going?

    As far as cockiness goes, this isn’t a discussion about personalities, or else we can get back to why you find it necessary to use profanity. This is about Web security. Let’s stay on-topic, at the very least.

  25. J.L.

    [@santuccie] It insinuates nothing of the sort, that’s all in your head.

    You skipped all the major details: 1) I specifically stated IE asks your permission when running plugins, I wasn’t talking about how Java does it. 2) If you want an example, try any website not trusted by Microsoft like killsometime.com and javagameplay.com. 3) You never noticed how cocky you appear thinking you know the whole topic and what’s in the mind of others.

    Since Internet Explorer 10’s Flash whitelist. Rogue pop-ups are mainly JavaScript, which isn’t a plugin. If you mean what you mentioned about user level vs system-wide, please read the third sentence of my second paragraph of my second post.

    That is far from the only inaccuracy. Funny you mentioned forgetting, because that would only benefit you.

    Blow what? Just continue your nonsense, it’ll be my pleasure.

  26. santuccie

    [@J.L.]
    Once again, in reply to the first post you’ve seen from me, insinuates either that we’ve met before, or that you say it because you think it sounds good.

    Sounds like you’re in over your head. What technical contents are you referring to? Because examples hold a lot more weight than empty assertions. And speaking thus, here’s another…

    Since when does Microsoft whitelist Web sites for us? Because Microsoft doesn’t provide DNS services. And you’ve evaded the question as to why rogue pop-ups appear without a prompt.

    If there is one inaccuracy I’ve made, then it may be that of your original intent, which is debatable. Otherwise, we can talk about those that you would like for us to forget, such as prompts “whenever” a site needs Java, or Microsoft whitelisting YouTube.

    Keep it up. The longer you continue for the sake of your pride, the more ammo you give me to blow your cover.

  27. J.L.

    [@santuccie] Once again means your false assumptions of course.

    I’m not talking about how Java handles things, I’m talking about how Internet Explorer handles plugins in websites. Why do I have to state that again, can’t you read what others write?

    Instead of focusing on how correct you are and how challenging I am, how about taking a look at the technical contents of my post? Sorry if my expression of anger at your incompetent assessment of my thoughts offends you, but please learn from your inaccuracies.

  28. santuccie

    [@J.L.]
    Once again? Have we met? If not, then you’re quick as a whip with the cursing.

    As far as how Java handles things, you ought to realize that many rogue pop-ups are Java-based, and they don’t give you an alert; just the pop-up. And when that happens, you only have a few choices: terminate it via Ctrl + F4 or Task Manager, restart your system, or get infected. Because even if you click the red “X” button, you’re infected. If Java “handled” things so well, then nothing would escape the sandbox in the first place, and we wouldn’t be having this conversation.

    And as far as “leaving it at that,” you can leave any time you like. I’m here primarily to provide information, but I’m also a stickler for correctness of information. Forgive me if I misunderstood your intent but, apart from being inaccurate, your original post did sound rather challenging. And now you’re cursing, and talking like you have known me for a while. Are you here for a personal vendetta, or for education?

  29. J.L.

    [@santuccie] That’s because YouTube is whitelisted by Microsoft. Try some other sites before insulting me.

    You’re the one assuming that. I’m talking about how Internet Explorer asks you to run the plugin for a website, not how Java handles things. Of course many things are user level, I never said anything against that.

    Once again, making false assumptions. You think you know so much about others, computers, and everything that’s ever touched your cocky ass.

    LOL, and let’s just leave it at that. You get the picture. And FYI, I wasn’t correcting you, it was a simple agreement with additional info until you blew it out of proportions.

  30. santuccie

    [@J.L.]
    Ever watch a YouTube video? It plays automatically, doesn’t it? Now, try right-clicking on the video, and see that it uses Adobe Flash Player. Some may use HTML5, but that’s not the standard yet. It may be in IE10, but that’s because IE10 doesn’t support plugins at all.

    Legitimate sites show alerts for Java applets, but you’re assuming that the bad guys follow the rules, which they don’t. And furthermore, most rogue pop-ups will make changes only at user level, rather than system-wide. This does not trigger a UAC alert; if it did, then scareware wouldn’t be such a pandemic.

    A lot of Mac users think the way you do; that their administrator password is required for any badware to be installed. So, how did the Flashback Trojan install on over 600,000 Macs? That was a drive-by download.

    I would like to believe the world to be as harmless as you do, but I outgrew that naivety the first time I saw a limited user account pwned by SQL Slammer. Before you venture to try and correct someone who is trying to help, I suggest you make sure you know what you’re talking about.

  31. Ashraf
    Author/Mr. Boss

    [@Bub] Firstly, let’s agree that, when it comes to digital security, definition of terms is fungible.

    That said, you are wrong. A zero-day vulnerability is a previously unknown vulnerability regardless of whether it is being exploited or not. A zero-day attack is an attack exploiting that zero-day vulnerability. There is no hyping here nor is the headline misleading.

    And I agree, a security firm regularly finding and reporting vulnerabilities is making Java more secure. However, that doesn’t mean Java is secure.

  32. Bub

    Please don’t overhype. This is an unpatched vulnerability. It’s not a zero-day vulnerability. Zero-day implies that it is being exploited in the wild. The name refers to the length of time developers have between discovering the vulnerability and the exploitations.

    The fact that Security Explorations appears to be discovering such vulnerabilities before the bad guys do ultimately makes Java more secure, not less.

    Of course, Java has had its share of zero-day vulnerabilities in recent times, as we all know. Its security as a browser plug-in certainly isn’t what we would want it to be, and I myself keep it disabled. But don’t overhype the situation with misleading headlines.

  33. santuccie

    [@Coyote]
    Practically all software has vulnerabilities in some form or another. Before Vista SP1 introduced Address Space Layout Randomization, most attacks didn’t depend on Java or Adobe Flash; they targeted browsers’ rendering engines and other facilities, especially Microsoft’s ActiveX. The biggest problem with Java and Flash is that these plugins are not subject to ASLR, so their vulnerabilities can provide a point of entry past its protection.

    I understand your frustration, but prefer to focus on the good news, rather than the bad news. And the good news is that we Windows users have more control than ever before over whether we get infected. Although there are far more attacks now than in the past, this is because of the increasing numbers of both Internet users and cybercriminals, not decreasing security.

    In other words, there are more bad guys, and they are trying harder. But security experts and authorities are trying harder as well, and making progress. I suspect that, one day, it will become so difficult to infect a computer that only the most elite of cybercrooks will be able to do so. And those who do will face greatly increased odds of being caught, as well as hefty penalties when they are.

  34. Coyote

    So with all these exploits why is Oracle still allowed to conduct business? If a bank were to be found leaking money out of every hole you’d think people would stop using them…. Oh wait totally forgot about the way economics work these days.

    Carry on Oracle.

  35. santuccie

    For now, I depend too much on plugins to completely disable them. However, I do use “click to play” functionality, which prevents plugin-based content from downloading and running unless I specifically click on a placeholder to run it.

    To my knowledge, this functionality is available natively in Firefox and Chrome. It is supposed to be natively available in Opera as well, though it is my understanding that the feature is crippled. For Safari, there is an add-in called ClickToPlugin to provide this functionality.

    Because of click to play, my pageloads are faster, I don’t have to deal with annoying ads with audio interrupting me, and I don’t have to go back and forth to enable/disable plugins as I need them. For more information:

    http://www.howtogeek.com/123986/how-to-enable-click-to-play-plugins-in-firefox/
    http://www.howtogeek.com/126284/how-to-enable-click-to-play-plugins-in-google-chrome/
    http://hoyois.github.com/safariextensions/clicktoplugin/

    Hope this helps!