Java Zero-Day exploit.
Roguetadhg
Member Posts: 2,489 ■■■■■■■■□□
in Off-Topic
It appears that the flaw allows the Blackhole exploit kit to target the Java system using a Pre.jar file that lets it install malware, in this case a banking Trojan, onto users' machines through a variety of methods.
"This morning we started getting the first indication of a large scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly," reads Fireeye's blog post.
The Inquirer (Java zero day flaw puts millions of users at risk - The Inquirer)
I didn't see the post here, thought I should make a thread for y'all.
Fraking Java. Always a thorn in my side.
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
Comments
-
amcnow Member Posts: 215 ■■■■□□□□□□
Sad thing is Oracle just released Java SE7 Update 6 a couple of weeks ago. I wonder whether or not the vulnerability was introduced with this update.
WGU - Master of Science, Cybersecurity and Information Assurance
Completed: JIT2, TFT2, VLT2, C701, C702, C706, C700, FXT2
In Progress: C688
Remaining: LQT2
Aristotle wrote: For the things we have to learn before we can do them, we learn by doing them.
-
Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
Make that: Two Zero day exploits...
"However, this time around, people with the latest version of Java were the ones most open to attack."
Second Java zero-day exploit uncovered | Macworld
"The bugs are in Java 7 and affect Windows, Mac OS X and Linux operating systems running a Web browser with a Java plugin enabled. The flaws were introduced with the release the platform in July 28, 2011, Guillardoy said in his analysis."
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
-
crrussell3 Member Posts: 561
I have already disabled Java use for Internet zones here at work. We unfortunately still require it for L.O.B. applications, so leaving it for Intranet/Trusted Zones will have to do.
MCTS: Windows Vista, Configuration
MCTS: Windows WS08 Active Directory, Configuration
-
Tackle Member Posts: 534
- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security page > Internet Zone > Java Permissions. It’s counterintuitive, but you ENABLE the setting to make it apply, then choose DISABLE JAVA as the policy. Duplicate this setting in the Locked-Down Internet Zone as well.
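An added example, not part of the post above: a PowerShell audit that reads the registry values this Computer Configuration policy writes and reports whether both zones are set to Disable Java. It assumes the policy is stored as URL action 1C00 under the machine policy keys for zone 3 (Internet), where a DWORD of 0 means Disable Java; the function name Get-JavaZonePolicy is hypothetical.

```powershell
# Added example: audit the IE "Java permissions" policy for the Internet zone.
# Assumption: the GPO writes DWORD value 1C00 under the HKLM policy keys below.
$JavaAction = '1C00'

# Documented meanings of the Java permissions URL action value.
$JavaLevels = @{
    0x00000000 = 'Disable Java'
    0x00010000 = 'High safety'
    0x00020000 = 'Medium safety'
    0x00030000 = 'Low safety'
    0x00800000 = 'Custom'
}

$Base = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$Targets = @(
    @{ Name = 'Internet Zone';             Key = "$Base\Zones\3" },
    @{ Name = 'Locked-Down Internet Zone'; Key = "$Base\Lockdown_Zones\3" }
)

function Get-JavaZonePolicy {
    foreach ($t in $Targets) {
        $path  = "HKLM:\$($t.Key)"
        $value = $null
        if (Test-Path $path) {
            # Returns $null when the key exists but the value is not set.
            $value = (Get-ItemProperty -Path $path -Name $JavaAction `
                      -ErrorAction SilentlyContinue).$JavaAction
        }

        if ($null -eq $value) {
            $state = 'Not configured'
        } elseif ($JavaLevels.ContainsKey([int]$value)) {
            $state = $JavaLevels[[int]$value]
        } else {
            $state = 'Unknown (0x{0:X8})' -f $value
        }

        [pscustomobject]@{
            Zone         = $t.Name
            RegistryPath = $path
            Setting      = $state
            Compliant    = ($value -eq 0)   # only "Disable Java" passes
        }
    }
}

Get-JavaZonePolicy | Format-Table -AutoSize
```

A zone that shows "Not configured" has not received the policy; run `gpupdate /force` and re-check before assuming the GPO is broken.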
-
boredgamelad Member Posts: 365 ■■■■□□□□□□
I was off yesterday and spent all day in bed with a migraine, so I wasn't aware of this. I was quite surprised to see a script pushed out to my machine as soon as I logged in this morning.
UNINSTALLING JAVA 7, DO NOT CLOSE
Then I saw the e-mail. Needless to say I was just a bit confused for a minute there.
-
amcnow Member Posts: 215 ■■■■□□□□□□
Roguetadhg wrote: »
Make that: Two Zero day exploits...
"However, this time around, people with the latest version of Java were the ones most open to attack."
Second Java zero-day exploit uncovered | Macworld
"The bugs are in Java 7 and affect Windows, Mac OS X and Linux operating systems running a Web browser with a Java plugin enabled. The flaws were introduced with the release the platform in July 28, 2011, Guillardoy said in his analysis."
At least Oracle finally acknowledged the first zero-day exploit...
Now, let's see how long it takes them to fix these flaws.
WGU - Master of Science, Cybersecurity and Information Assurance
Completed: JIT2, TFT2, VLT2, C701, C702, C706, C700, FXT2
In Progress: C688
Remaining: LQT2
Aristotle wrote: For the things we have to learn before we can do them, we learn by doing them.
-
Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
Where at? I'm on Oracle's site.
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
-
Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
Alright.. Well. Thread Revival:
Another critical Java vulnerability puts 1 billion users at risk | Computerworld Blogs
Can I get an alternative for Java?
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
-
paul78 Member Posts: 3,016 ■■■■■■■■■■
Roguetadhg wrote: »
Can I get an alternative for Java?
This vulnerability appears to impact Oracle's implementation of the Java VM. There are actually other providers of Java VMs. Most of the other Java VMs are licensees of Sun/Oracle but may not contain the vulnerabilities. But compatibility with the reference VM implementation from Sun/Oracle may be spotty and ill-supported.
A decent list of other Java VM providers here - List of Java virtual machines - Wikipedia, the free encyclopedia