This is an archive of the mabination.com forums which were active from 2010 to 2018. You can not register, post or otherwise interact with the site other than browsing the content for historical purposes. The content is provided as-is, from the moment of the last backup taken of the database in 2019. Image and video embeds are disabled on purpose and represented textually since most of those links are dead.
-
Osayidan wrote on 2012-08-27 21:07
Not to be confused with javascript.
This is what we know so far about the vulnerability: there is an exploit in the wild, it works on the latest Firefox and Chrome, and it targets Java 1.7 update 6, there is currently no patch available, the exploit has been integrated into the Metasploit framework.
What this means: the potential hit rate for drive-by attacks is currently elevated. Since this is a java vulnerability, this may also affect more than just Windows platforms (multi-platform attacks currently unconfirmed, based on the multi-platform compatibility of java itself.)
The next patch cycle from Oracle isn't scheduled for another two months (October.)
What you can do: this places normal end-users in a pretty bad position, relying mostly upon disabling, or restricting java and hoping that AV catches the payload that gets installed. None of these are really good options. There is a 3rd-party developed patch that is said to exist, but it's not intended for end-users. My current recommendations are to disable java if you can (see Brian Krebs's handy guide here: http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/), or use something like NoScript to help control where you accept and execute java from.
Suggested reading on the topic:
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/
http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html
Thanks to Kevin, and Ed for directing us to this.
http://isc.sans.edu/diary.html?n&storyid=13984
-
Yoorah wrote on 2012-08-27 21:43
There's always a Java exploit roaming around. That's why you don't install Java unless you really need it. It drives me crazy when people install Java for the hell of it AND don't bother applying updates.
Metasploit <3.
-
Kingofrunes wrote on 2012-08-27 21:50
What about if I play Minecraft or Runescape. Both are games that heavily rely on Java to run and that I play with from time to time. What risk do I have, running those games atm?
-
Chiyuri wrote on 2012-08-27 22:34
Quote from Kingofrunes;942535:
What about if I play Minecraft or Runescape. Both are games that heavily rely on Java to run and that I play with from time to time. What risk do I have, running those games atm?
Hmm, this is just a wild guess but.. I don't think Notch will use that exploit in his next version of Minecraft. You just have to be careful of player-made mods that may use said exploit.
As for Runescape.. I doubt they can hack into the website and change the Runescape client into a modified version that would attack your computer using the exploit.
-
Yoorah wrote on 2012-08-27 23:15
Quote from Kingofrunes;942535:
What about if I play Minecraft or Runescape. Both are games that heavily rely on Java to run and that I play with from time to time. What risk do I have, running those games atm?
The risk isn't in running those games, but in other sites that could leave you with a nice Java drive-by. Disable the Java browser plugin when you don't need it, or get NoScript or some other extension that lets you enable/disable plugins based on an access list.
-
Kingofrunes wrote on 2012-08-28 12:46
Can you get noscript for Chrome? Or is that currently Firefox only?
-
Osayidan wrote on 2012-08-28 13:01
Quote from Kingofrunes;942892:
Can you get noscript for Chrome? Or is that currently Firefox only?
There is (or was) one for chrome but I never used it. Don't know if it's as good or if there's better alternatives.
-
Kingofrunes wrote on 2012-08-28 14:46
Quote from Osayidan;942899:
There is (or was) one for chrome but I never used it. Don't know if it's as good or if there's better alternatives.
Found it, seems there's some limitations when it comes to Google Chrome. It seems to work well (once you set the mandatory password that chrome apparently requires)
Does not seem like there are any alternatives due to the nature of Chrome. Which is a pity as Chrome is my favorite browser and is the one I use the most atm.
-
RebeccaBlack wrote on 2012-08-28 16:20
I just uninstalled Java, for now. I can't even think of anything I actively use that uses it, so it's no big deal.
-
Cucurbita wrote on 2012-08-28 16:35
I can't get Java to work on my laptop no matter how hard I try for some reason. Though I have it on my desktop so I can make hentai games for the android.
-
Kingofrunes wrote on 2012-08-28 17:27
Quote from Cucurbita;942955:
I can't get Java to work on my laptop no matter how hard I try for some reason. Though I have it on my desktop so I can make hentai games for the android.
:chin:
Hentai Games for the Android you say...how good are these games you are making?
-
Cucurbita wrote on 2012-08-28 17:55
Quote from Kingofrunes;942976:
:chin:
Hentai Games for the Android you say...how good are these games you are making?
Haven't made any, but pm me and we'll talk about it.
-
Osayidan wrote on 2012-08-28 18:29
From java exploit to developing mobile hentai games.
Only on Nation :thumb:
-
Claudia wrote on 2012-08-28 20:11
@king; use the RS client, runs much better and doesn't use java.
java can smd because it never fucking installs properly onto anything and lags like a mofo
-
Yoorah wrote on 2012-08-28 20:17
If Java doesn't install properly, it's because your system is messed up somehow. :( Java is actually pretty damn awesome--it's just unnecessary for home users these days.