
SANS ISC: Java is still exploitable and is likely going to remain so. - Internet Security | DShield SANS ISC InfoSec Forums


Java is still exploitable and is likely going to remain so.

We haven't had an unpatched Java vulnerability in a while (a month?). To make up for this lack of Java exploitability, the creators of the Blackhole and Nuclear exploit packs included an exploit for a new, unpatched Java vulnerability in their latest release [1]. The exploit has been seen on various compromised sites serving up the exploit kit. The latest version of Java 7 is vulnerable [2].

Leave Java disabled (I am not going to recommend disabling it: if you still have it enabled, you probably have an urgent business need for it and can't disable it).

If you have any business-critical applications that require Java: try to find a replacement. I don't think this will be the last flaw, and the focus on Java from the people behind exploit kits like Blackhole is likely going to lead to additional exploits down the road.

[1] https://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
[2] http://malware.dontneedcoffee.com

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3537 Posts
ISC Handler
So funny you're posting at this particular moment. As I was going through my feeds I came across this article only moments before coming here:

New Java 0-day exploited in the wild
https://net-security.org/secworld.php?id=14216
Anonymous
Amazing! A new Java 0-day to go with the release of this month's OUCH describing Java problems. What are the odds of that? Given the number of Java 0-days, ...
John

88 Posts
Now, is this primarily significant for browser applets, or in general? "Dilbert's" link is about attacks on the browser, where a "replace all the Java apps" scenario might be a much larger issue if required. Server-side apps aren't relying on a sandbox, for instance, so other controls are expected to be in place, without running untrusted code.
Tim

5 Posts
I really like the JVM, but I do agree with the sentiment. A true language that I can respect is Scala. Here is a little write-up for those not familiar.

https://www.lucidchart.com/blog/2012/12/18/using-scala-exponential-growth-at-a-startup/
Tim
1 Posts
