Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Java zero-day flaw under active attack

By Ryan Naraine | April 14, 2010, 9:19am PDT

Summary: Virus hunters have spotted the attacks on a popular song lyrics Web site. Any visitor to that Web site with the Java Plugin for Browsers installed (Internet Explorer or Firefox) will get infected with malware.

Just days after Google researcher Tavis Ormandy released details on a dangerous new Java vulnerability, malicious hackers have pounced and are exploiting the flaw in the wild to launch drive-by download attacks.

Virus hunters have spotted the attacks on a popular song lyrics Web site. Any visitor to that Web site with the Java Plugin for Browsers installed (Internet Explorer or Firefox) will get infected with malware.

According to AVG’s Roger Thompson, the attacks are likely to spread because of the simplicity in launching a successful exploit:

The code involved is really simple, and that makes it easy to copy, so it’s not surprising that just five days later, we’re detecting that code at an attack server in Russia.


The main lure so far seems to be a song lyrics publishing site, with Rihanna, Usher, Lady Gaga and Miley Cyrus being used, among others.

As of 12:00 noon EST today (Wednesday April 14), the song lyrics site was still launching the drive-by downloads.

I have confirmed the infective site is also launching exploits targeting at least three Adobe Reader vulnerabilities.

[ SEE: Sun Java flaw exposes Windows users to dangerous Web attacks ]

The appearance of in-the-wild attacks will hopefully force Oracle Sun to issue an emergency patch to fix this critical issue. When Google’s Ormandy reported the issue and warned of the severity, Sun declined to issue a prompt fix.

Ormandy laments:

Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.

“The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor,” Ormandy explained.

The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java browser plugin runs “javaws.exe” without validating its command-line parameters.

“These parameters can be controlled by attackers via specially crafted embed HTML tags within a Web page,” Santamarta warned.

The issue affects all versions since Java SE 6 update 10 for Microsoft Windows. Disabling the Java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments


Why is it that windows must always have a say in most, if not all, active successful attacks?
Why Microsoft Windows...
wizard57m@... 14th Apr 2010
yeah, it's aggravating, BUT, you have to consider that over 90% market is a rather BIG target...if the miscreants are "creative", there could be other platforms affected at some point. Sheesh...back to DOS, hehe!
For the sake of argument let us assume that desktop Linux has a 1% market share. Then to be on par with the rest of the market it should account for 1% of all desktop vulnerabilities.

But it does not, it accounts for only an infinitesimal percentage of all vulnerabilities. The ratio of Linux market share to vulnerabilities is a very big number while that of windows is roughly 0.9!

How do you explain that?
Nothing to explain...
wizard57m@... 14th Apr 2010
let's say you're a bored Russian teen, and you've been approached by someone to grab a few hundred thousand credit/debit card numbers. You look at the potential targets, you see Windows, Macintosh, Linux, BeOS, AIX, Solaris, etc. You've also read the stats, and there is no end to published exploits and example codes available for 1 or 2 platforms...who do you aim at? Aiming for Linux...crapshoot at best with all the different distributions...AIX, those servers are "usually" well administered, BeOS, Solaris ditto. Macintosh...possible target...but those Windows machines, so many...if you "shotgun" your malware at say 100,000 machines, and get a 1% "success" ratio, that's how many? 1,000 compromised. That's a lot for minimal effort. If Linux has 1% of the "marketplace", and you might get a 1% return...minimal return for a lot more work.
Still it does not add up.
Great Kahuna 14th Apr 2010
Attacks are carried through the Web, where the OS is pretty much irrelevant. When you prepare to launch an attack you select a vulnerability to exploit not a target OS.

Yes, there's published Linux vulnerabilities but when attackers try to use them in an exploit they find so many hurdles in their way that they quit because they will never be able to make it work in a real situation.

Then they choose an easier exploit which, surprise, will work just fine in windows.
Bad assumption on your part
Old Techie 14th Apr 2010
I explain that by saying you've made bad assumptions.

Assumption #1: there is a direct 1:1 correlation of OS market share to vulnerability count. Are folks trying as hard to break Linux as they are Windows, and are there proportionally as many of them?

Assumption #2: Sun, a Unix stalwart, by virtue of providing Java for Windows inherits Windows' propensity for vulnerabilities. Are you kidding?

Assumption #3: Linux has few vulnerabilities based on an unknown truth that there are actually few vulnerabilities. How could you prove that? How many could be lurking because no one is working hard to find them?

Nothing against Linux - I use it everyday as well as Windows. And I'll tell you that Linux, in and of itself, is not as user friendly as Windows, hence I assume Linux developers are much less talented than Windows developers in providing usable products and interface.

How do you explain that?
User friendliness depends on the user
Great Kahuna 14th Apr 2010
I don't see windows as user friendly at all, quite the contrary.

I hate Windows because when I used it it kept getting in my way of doing things constantly imposing its own ways on me. Not friendly at all, windows had no respect for me, not friendly at all.

Now Linux is what I call a user friendly OS because it lets me customize it to my heart's content. It accepts my choices and respects them.

That what I need in a friend: respect!!!
WHY!!!
Richard Turpin 14th Apr 2010
More like a trick cyclist than respect old boy..my my we are full of ourselves tonight is it your bedtime yet?
Some of us value freedom of choice
Great Kahuna 15th Apr 2010
Apparently some of you don't.
User friendliness..
Dave32265 Updated - 15th Apr 2010
is in the eye of the end user. Many of my Linux clients (who used to be windows users, btw) would wholeheartedly disagree with you. System maintenance is one huge issue with so called "user friendliness". Look at what you have to deal with in windows; keeping the registry clean, running anti-virus and spyware scanners constantly, constantly rebooting after updates, defragging etc. Sure these are typically automated, however the average user (mom and pop computer user) has not a clue on how to even set this mess up to start with. Most barely know how to turn their computers on.

I did an experiment not too long ago with a few older folks who rarely ever use a computer and put Mepis and PCLinuxOS on their machines. These folks ran it for a month then ran windows for a month. Guess what? Linux was less of a hassle for them.

My point is, it depends on what the computer is being used for, (in Linux) the type of distro, the savvy of the end user, etc. Blanket statements like "Linux, in and of itself, is not as user friendly as Windows" just don't fly. The right tool for the right job.
Hackers target the big guy
gwthornt 14th Apr 2010
The big guy will also be the target. If it were the other way around and Linux had a 90% market share, then hackers would be targeting Linux. BTW, Great Kahuna, I guess you have a lot of time to monitor these groups and spout your linux propaganda since you are running an OS that can't run 99% of the software out there.
Too bad neurosurgery has not yet reached that level of sophistication.
Windows is a much larger target, so the point of "more bang for the buck" being a target for this particular vulnerability is dead on.

Period.

You, however, seem to have a serious grudge against Windows with a touch of that good old fashioned Linux inferiority complex.

I'm not saying that Linux is inferior, I'm saying that folks who rally the Linux banner at every turn FEEL inferior (or perhaps like red-headed bastard step-children) and so have to scream and shout Linux off the rooftops at everyone, regardless of whose koolaid they've already consumed.

You, sadly, appear to fall into that very same category. Except that your particular twist on that is "why isn't Linux good enough for virus writers?"

If the day comes that Linux has more than a microscopic amount of desktops, hell, if Linux ever attains the percentage of Macs in the desktop space, I'm sure that the virus writers will turn around and start attacking Linux.

As for attacking Mac owners, what's the point? They've already spent all their money on Mac equipment, so they're broke.
Boy, Are you deluded?
Great Kahuna 14th Apr 2010
Feeling inferior, huh?

You're reading it all wrong, you urgently need to acquire some basic social skills.
RE:Hackers target the big guy
richdave 14th Apr 2010
I really hate seeing terms misused!

From Wikipedia:

The terms "hack" and "hacking" are also used to refer to a modification of a program or device to give the user access to features that were otherwise unavailable, such as by circuit bending. It is from this usage that the term "hacking" is often incorrectly used to refer to more nefarious criminal uses such as identity theft, credit card fraud or other actions categorized as computer crime; there being a distinction between security breaking and hacking, a better term for security breaking would be "cracking".[1]

Also from Wikipedia:

The term achieved widespread use in the 1960s and its meaning then evolved to a quick, elaborate and/or bodged solution students devised for a technical obstacle; it was used with hacker, meaning one who discovers and implements a hack.

It is truly terrible what some people do to the English language. Decimate to describe something being almost totally wiped out, for example, instead of being reduced by 10%. Or, my personal favorite, "pride goes before a fall" instead of the correct "pride goes before destruction and a haughty spirit before a fall"... Just drives me nuts.
Get over it
ITSecurityGuy 14th Apr 2010
Language is a living thing. It morphs with its usage. The general public, and even many nerds, geeks, etc. have long since stopped caring about the distinction between hacking and cracking.

BTW, the most often heard phrase is "pride goeth before a fall".

I hope, by decimating your point, I haven't driven you nuts, but then you must be there already.
RE:Get over it
richdave 14th Apr 2010
...BTW, the most often heard phrase is "pride goeth before a fall"....

That may be the phrase but it is not the way it was written. Unless it is a spelling issue. Depends on which version of the Bible you read it in. Kind of curious as to how you think you reduced my point by 10%, though. Anyway, if you're posting on a tech forum and don't know the difference between hacking and cracking and don't care to know the difference it says something about you. Of course, given the level of discourse in these forums, one learns a lot more about posters than one cares to, don't you think?
Your premise fails
ITSecurityGuy 14th Apr 2010
Please explain the logic supporting your premise that there would/should be a 1:1 correlation between malware and market share.

I would be amazed if .0001% of criminals would be stupid enough to expend the same effort to exploit an OS with even 5% market share, as they would to exploit the OS with over 90% market share. Where is the ROI in that?
since they are targeting a very small market.

Hint: Niche marketing can be a very lucrative business, just ask Steve Jobs.
Rolex is in business because they have identified a niche that is willing to pay more than most for their watches.

Apple is in business because users were willing to pay more for more hand-holding.

As someone has already mentioned, he likes Linux because it lets him configure his OS to his liking.

Side note: therefore Linux and Apple are niches at opposite ends of the spectrum.

By your logic, there would have to be much more value to steal from a typical Linux user (vs the typical Windows user) to justify the effort of pursuing victims in this niche market.

That logic fails. My question still stands.

Where is the ROI for spending even the same amount of effort to setup an exploit, when so few of the visitors to your site will become victims (regardless of how securely they did or did not setup their mini-market-share OS)?

a market that's willing to pay more for their creations. That makes all sense.

You wrote: "Rolex is in business because they have identified a niche that is willing to pay more than most for their watches. "
Niche markets are called that because they are very small and only exist when the price is high enough to show a ROI in spite of the low volume.

90% of the PC market is hardly considered a small "low volume" niche market.

Quit now; you're only embarrassing yourself by repeatedly posting the rantings of a 12-year-old with an inferiority complex. (without any forethought, insight or the slightest understanding of these concepts)
Ahhhh. No, you still don't get it
ITSecurityGuy Updated - 14th Apr 2010
GK said:

"Ahhhh.now I get it. Malware writers found their market in windows...."

Yeah, because it's the really big market!

---------------------------------------------
And GK said:

"A market that's willing to pay more for their creations."

Nope, among the niche markets, that would be Apple, now wouldn't it?

Just as the Linux market is for cheap people with so much time on their hands, they would rather piece together one of several unique and not quite compatible versions of an obscure OS, than buy one already assembled, easy to use, with a far greater selection of apps and compatible with 90% of the others being used, which won't change in my lifetime.

So why would criminals go after a paltry number of cheap people for monetary gain?

I buy my OS just as I buy my autos, fully assembled. I quit playing with Tinker Toys and Legos as a child.

Today, I draw the line at building my own browser (Firefox) with extensions, so I can escape Microsoft's foolishly intertwined OS/IE/ActiveX. Tweaking Firefox is a lot quicker and easier than building a flavor of Linux to my satisfaction, and it's becoming the mainstream much faster than the Linux desktop, isn't it?

Of course, it helps that there's only one Firefox, not Firebuntu, Firedora, Firesuse, Firebian, Firedriva, Firemint, PCFireOS, Fireware, Firentoo, Firentos, and FireBSD, and that's just the top 10. Oh, wait, DistroWatch must be counting in Base11.

Need I go on?
Not true at all...
Peter Perry 14th Apr 2010
Your math would only work if this were linear but seeing that Pwn2own shows proof of concept every year on OS X (in record time might I add) this clearly is a case of where the attacks are targeted!

You see, it's like this... If the USA wanted to attack the Russia they wouldn't aim at Monaco now would they?!?!? Thus if you want to attack the big Dog you don't start with puppies (yes Linux and OS X are just puppies compared to Windows at this point).

Don't worry though because Jobs will certainly make enough people dislike him that they'll go after his baby before you know it.
linux is safe
Linux Geek 14th Apr 2010
it's a windoze only vulnerability.
So are condoms...just not 100 percent (NT)
wizard57m@... 14th Apr 2010
nt
Great Kahuna -

I'm coming to believe that you aren't a fellow linux advocate at all. You are a mole implanted by Microsoft, whose mission is turning as many users as possible away from linux by being the biggest azz**** you can be. Every story posted here does *not* need to turn into a Microsoft bashing session.

Please, for the love of god, stop helping us!
I like sarcasm but you seem to be overdoing it
Great Kahuna Updated - 14th Apr 2010
You should never overdo sarcasm, you risk rendering it ineffective.
Just go away. Your incessant MS bashing is so old and stupid nobody wants to hear it anymore, can't you understand that.

You are just polluting this site with your worthless garbage.
Well... it's underwhelming.
The 'o backwards one, speaks...
still not nice 16th Apr 2010
And your reading of things right to left is also spam polluting this site.

Time to stop whining and being hypocritical, don't ya think? wink
and not just IE and Firefox, since all other browsers use either the IE or Firefox plugin. Correct?
Not sure of all Windows browsers...
wizard57m@... Updated - 14th Apr 2010
last week when I tried the "demonstration" page, it didn't run on Opera 9.64...I also do not have the particular dll in my plugins. (npdeploytk.dll)
Use Opera to go here and see if you have the browser.js dated the 12th of April(the latest one). Browser.js is updated automatically, and so in all probability, you should have a quick and dirty mitigation against this zero day. If not, follow the instructions to update the browser.js
Actually, it is really, really cool that such a vulnerability could be mitigated by browser.js. Opera deserves serious appreciation for protecting its users by thinking out of the box, and it is a great reflection on their security process.
Workarounds?
ac2_z 14th Apr 2010
Any killbits, Java settings, or other workarounds to disable the toolkit attack vector? If so, is there a reliable guide to the process that can be forwarded to users, or need to create my own once documentation?
Workaround...
wizard57m@... Updated - 14th Apr 2010
from the previous posting, try this...maybe

Ormandy suggests the following mitigation advice:

Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the deployment toolkit is not in widespread usage and is unlikely to impact end users.

Mozilla Firefox and other NPAPI based browser users can be protected using File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.

OR...maybe uninstall that latest Java, and go back to Version 5
May be a simpler one
Earthling2 14th Apr 2010
Unfortunately, everyone who uses OpenOffice has Java runtime installed on their machines, even if they don't use Java applets in the browser.

This does not require changing the registry or admin rights to the system.

IE8:
Goto Tools, Manage Add-ons.
Select Show: All Add-ons (instead of Currently loaded Add-ons).
Scroll down to Sun Microsystems Inc.
Select Deployment Toolkit.
Click Disable button.

Firefox:
Goto Tools, Options.
Click Manage Add-ons.
Select Plugins "tab" at the top.
Scroll down to Java Deployment Toolkit.
Click Disable button.

OK, if you're bored, open a command prompt with admin privileges and run the following (copy from here, then select Edit, Paste from the command prompt system menu). The second line should be used for 64-bit systems.

reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}" /v "Compatibility Flags" /t REG_DWORD /d 1024

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}" /v "Compatibility Flags" /t REG_DWORD /d 1024

(Use at your own risk)
Doesn't work for FIrefox.
wkulecz 14th Apr 2010
I don't use IE, but for Firefox 3.6.3 the Java Deployment Toolkit "Disable" button doesn't stick

I also run NoScript.
For Firefox and Chrome
Earthling2 14th Apr 2010
Rename or deny execute permission to all files named "npdeploytk.dll". One that Firefox loads appears to be in "C:\Program Files\Java\jre6\bin\new_plugin", but there is also one in C:\Program Files\Java\jre6\bin".

For 64-bit systems it will be Program Files (x86).

You can also use icacls (from an admin command line):

cd "c:\program files\java"
icacls "npdeploytk.dll" /deny everyone:(x) /t

I wish the original person who disclosed the vulnerability added more detailed instructions to his post. That would have been truly responsible for many non-technical users, including those who use OpenOffice.
Yeah, like that'll be really secure....
ITSecurityGuy 14th Apr 2010
"OR...maybe uninstall that latest Java, and
go back to Version 5"

http://secunia.com/advisories/product/4228/

Unpatched 10% (3 of 30 Secunia advisories)

Although:
The most severe unpatched Secunia advisory affecting Sun Java JRE 1.5.x / 5.x, with all vendor patches applied, is rated
*Less critical*

However, how many sites no longer support v5?
this is not a java flaw so there is no workaround
Linux Geek Updated - 15th Apr 2010
Folks, the flaw is not in java but in the plug in for IExplorer that does not validate the parameters passed to java.
The real culprit here is M$ who refuses to fix IE and blames Java in order to attack one of its great features.
I'm just calling out the evil spreading FUD about the competition.
Think before you speak
Earthling2 Updated - 16th Apr 2010
Are you sure? Here are the facts.

Firefox is vulnerable, too. It doesn't use ActiveX. Chrome uses the Firefox plugin as well and is vulnerable. Both the ActiveX control and the plugin are implemented by Sun, and they managed to work around IE and Chrome sandboxes to make it more convenient for the user to have "a near desktop experience".

The ActiveX uses a clever GUID that starts with CAFEEFAC-..., same as the rest of GUIDs used by Java.

The FF plugin is in the C:\Program Files\Java\jre6\bin\new_plugin. The plugin binary, npdeploytk.dll, is signed by Sun Microsystems, Inc. (here goes your GPG keyring, Dietrich).

This is the fix for the ActiveX control, that enabled silent launch of apps, effectively disabling the IE default behavior of asking the user for each site before launching plugins:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6405147

Here is Microsoft documentation that warns of consequences and makes design and testing suggestions for independent developers:

http://msdn.microsoft.com/en-us/library/Bb250471

Finally, the bug has been fixed by Oracle.
What is the workaround in English?
Legal_Beagle 14th Apr 2010
I know that this "stuff" is meant for propellerheads, but it would be helpful to lurkers like myself if the folks posting remedies would do so in less jargon-laden language.
Thank You
FRXL 14th Apr 2010
I couldn't have said that better myself. Between the flamers arguing over which boat has fewer holes in it and the techies speaking in binary, sometimes this is a tough site.
So you think insulting people will get results?
djchandler Updated - 14th Apr 2010
You are probably not the intended audience for this blog. Feel free to read it, but if your ignorance keeps you from understanding, you may need to hire a professional. Don't be condescending to or underestimate technicians. I'm sure you wouldn't want to be treated that way. Like most things in life, it's a combination of knowledge, skill and talent that makes a good technician.

I've fixed the computers of too many people like you who have followed a "simplified" procedure without knowing what they are really doing. Over simplified step-by-step procedures generally cause more problems than they solve.

If you needed surgery, would you expect a blog to instruct you how to perform the procedure on yourself?

It's probably best if you wait for a solution from an anti-malware provider or wait for a fix from Oracle.

In the meantime, maybe using Google Chrome will keep you safe. It is sand-boxed besides using an entirely different means to interpret and display web pages. But it is a beta. Use at your own risk.
Maybe you should not be so arrogant!
nilotpal_c Updated - 14th Apr 2010
Many people may come to this blog via google wanting some help! I did not feel that the previous post was insulting. Your response is the same as the arrogant jerks who tell anyone to RTFM ( I know that many people have been turned away from my OS of choice, Linux, by this very attitude). An easy way to disable the add-ons exist, as put forward by Earthling2 a few posts ago.
Post edited: Since this is due to a flawed plugin which allows Java programs to be installed from the web, disabling Java will not help in this case(though it is a good idea to do it anyway, to protect against browser based Java exploits). Thanks again Earthling2, for pointing this out- a few posts down. I had made a mistake of thinking that disabling Java on the browser will mitigate this exploit.
Opera users , even though they are not affected by this particular flaw (further edit In response to the post below: Opera users who do not have or do not know whether they have the latest browser.js updates can just go to Help- Check for updates, and the vulnerability will be mitigated by a browser.js fix) can protect themselves from browser based Java vulnerabilities by going to Tools- Quick Preferences and untick "Enable Java".
Even though this exploit is Windows only, there is no reason why a modified version of other Java vulnerabilities should not work under Linux. It is safe practice to disable Java in browsers running on the Linux platform (and Mac platform) too.
"Disabling the Java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently."

Everything in your post after "Another option" is bad information. Disabling the plugin is useless. Opera users ARE affected by this. Where did you get the idea they're not?

The problem is not in the Java plugin; it's in the DEPLOYMENT KIT, which is installed separately.

Re-read the post from Earthling2, to which you refer. It says to disable the DEPLOYMENT KIT, not the Java plugin.

A post such as yours is exactly why non-techies should NOT go it alone, based upon information they find here, because they don't understand enough to know what makes sense and what is bad advice.

I have nine browsers installed and every one of them is listed as vulnerable to this flaw, according to Secunia PSI. I'll trust Secunia, before your advice, although I know Secunia is not always 100% correct either, and I have let them know when they got it wrong.
Well,
nilotpal_c 14th Apr 2010
In my defense, I can state that I HAD given a warning that my information may not be accurate because I am not a primary Windows or Firefox user. I had missed the last line- my bad. However, before pointing out the mistakes of others you should check whether all YOUR statements are accurate or not. Opera IS mitigated against the flaw due to changes in the browser.js. I know, I checked my browser.js just an hour ago.
Please explain how you checked it.
ITSecurityGuy 14th Apr 2010
Are you claiming to have visited a known compromised site without being attacked?

The problem is not in Java it's in the separately installed Java Deployment Kit, so what has that to do with the browser.js anyway?