Java allows 'open hunting season' for hackers, experts find


Summary: Is Java a serious enough concern for you to disable it altogether?


Security professionals urge disabling Java on your PC, saying that the computer language has created an "open hunting season on consumers" for hackers.

Talking to Reuters, Jaime Blasco, Labs Manager with security firm AlienVault Labs, recommended that consumers begin to disable Oracle's Java software after the recent discovery of yet another security flaw which allows hackers to exploit computers. Blasco said:

"Java is a mess. It's not secure. You have to disable it."

The computer language is widely installed on over 850 million PCs around the world. First released by Sun Microsystems in 1995, the computing platform is a backbone technology which allows consumers using Microsoft's Windows PCs or Apple's Macs to run a number of processes, including online games and Internet browsing. Java runs through plugins and modules in Internet browsers including Internet Explorer and Firefox.

However, it is not just Blasco who has concerns over the software's security. HD Moore, Rapid7's chief security officer -- a firm which assists businesses in identifying vulnerable elements in their infrastructure -- believes that Java has made a number of devices, including anything running on Mac OS X, Linux or Windows, vulnerable to attack.

Moore compared Oracle's Java to "open hunting season on consumers," who are being targeted more often by a host of cyberattacks, including malware and phishing scams. A number of toolkits, freely released on the web, are also of concern -- as many include software which can be used to exploit such security flaws. Therefore, if you have not already done so, you are advised to disable any modules in your browser which relate to the software.

Recently, another zero-day vulnerability was discovered in Java 7 Update 10, which is simply the latest security flaw to be exposed within the computer language. The exploit, verified by AlienVault Labs, is currently in the wild and continues to be used in attacks.

We have reached out to Oracle and will update if we hear back.



Talkback

  • Peanut Allergy?

    Not having Java may make you safer, but also severely limits the useful, and if you deal with certain banks and stores, necessary web sites you can use. This is analogous to being allergic to peanuts, wheat, etc. You spend lots of time avoiding the wrong foods, and cannot eat some at all because they are made with your particular allergen. If some activist group wants to start a grass roots "get rid of Java" campaign, perhaps after several years of suffering, the customers of ONE bank (to be chosen by the activist group) will be able to access their accounts by a "hypo-Javallergenic" version of its web site.
    jallan32
• You're thinking of JavaScript, not Java

JavaScript is used by many, many (all?) websites these days. Not Java. JavaScript is needed. Java is not. The names are similar but they have absolutely nothing to do with each other.
      dfp@...
      • also...

It's just Java 7; Java 6 doesn't have the same vulnerability, and most computers still aren't running 7.

        "If some activist group wants to start a grass roots "get rid of Java" campaign," ... you mean the government officials?
        judderwocky
    • Here is a novel idea....

Stop doing things on your computer or your cell phone (most especially) that create a personal risk for you. E.g. use your telephone for phone calls, not transactions. Use direct deposit, have a paper copy of your statement mailed to you and (OMG!) balance your checkbook. Don't pay bills online. Buy stamps. It costs more for a company to maintain a web-based payment plan than it does to mail paper bills; servers, server security and personnel are not cheap. The most important thing you should restrict yourself from is this: do not save credit card/banking info at any website. You have no control over their security measures. All of these traditional methods of doing business are the best defense against hacking.
      Rebecca Hatcher
      • novel idea?

        you are an idiot. Yes, go back to the stone age for all your transactions. Run around in your fossil fuel burner and pay all your monthly utility bills in cash. Stand in lines at each utility office too. Get that paper receipt before you leave the counter. And finally, why not retreat to your doomsday bunker while you're at it. I hear there are black helicopters about.
        cooleyo
      • what

You are paranoid about security and you use a checkbook?
Possibly the least secure financial instrument invented by mankind.
        warboat
      • Security

1. I don't know what this particular flaw in Java is, but I know pretty much, in particular about security.
2. If you use the GSM network (e.g. use a phone that also works abroad) your bank probably offers SMS-based services. SMS here is not like Yahoo IM; SMS on the mobile is made according to military security specifications, and unlike DES, it cannot be intercepted except in 3 places: your phone, at the carrier's main switch ("HLR") and at the receiver - the bank.
3. Mobile phones frequently use Java, and your bank can encrypt their "mobile banking app" with information carried by SMS messages.

You suggest using a paper letter to the bank. You are now cautioned that intercepting this letter, faking your signature, and altering your instruction is vastly easier than using the faulty Java. What you should do is apply some common sense. Nothing more. Call your bank and ask for advice, and if they say it is OK, they have approved of your use.
        knuthf
    • Java has security issues, but you will still use it for your banking ??

      "and if you deal with certain banks and stores"

So there is a security issue (or several security issues) with Java but you don't want to get rid of it because you use it for your banking !!!!!!!

Geez, I would have thought the alarm bells would be ringing; the last thing you want to do with Java if it has known issues is rely on it for your secure banking and dealing with stores !

I turned off Java years ago, because years ago it had issues; it still does, SNAFU.

I can do my banking and everything and I have not been asked to install Java for anything I do.

      Just how it should be.
      Aussie_Troll
      • Java removal

So how do I know what runs on Java? I use Google Chrome.
        sasyphras
  • Hah hah hah hee hee heee no more java wanted by meeee.

I have been Java-free since 2009 when the new group of PCs arrived here. If it requires Java, it is something I don't need. Simple, trouble-free crossing of the 13th baktun.
    CrowdedCranium
  • Not an option

Half of our corporate intranet and some of our financial applications are all Java based. It makes more sense to secure the enterprise by other means, just like it's more practical to get a better lock for the front door rather than putting chastity belts on your gaggle of horny daughters.
    jvitous
    • If I were you I would make it an option and quick.

You've just been told Java is full of holes, and oh BTW it's been full of holes for years, and you want to keep it on your business-critical systems ??

      I hope you are not employed as your network's security officer, because an attitude like that will (or should) get you fired.
      Aussie_Troll
      • Really?

Windows and IE have been riddled with security holes over the last two decades, but I don't see anyone screaming for their removal. In this case the usage/infrastructure investment outweighs the perceived security risk. This is mostly FUD, though I have no doubt there are holes in the releases of the JVM that need fixing. The task isn't to trash your software based on a security guy who makes his living out of making us fear our own shadows, but to make sure the releases we use are patched to fix these problems. This is all a lot of hype by a security analyst looking to make a buck and a name for themselves.
        dcalvin
        • so if other software is insecure you feel that justifies you !!

          So if other software is also insecure, you feel that is an excuse to use the software you presently use that is also (and probably more so) insecure !

          I like that logic !!!

So it is all a conspiracy, this software security thing? It's just a trick so security experts can rip you off ?? What's your company's IP address again ??

Have you heard of the most recent trick hackers are doing? They do not steal anything; they just break into your computer and encrypt all your files, and then ask you nicely for some money for them to provide you with the key.

But you think those security people are just making this stuff up and it does not really happen in the real world... Guess what, it might be happening to your company right now !!.
          Aussie_Troll
          • Yeah I heard that's affecting millions of people where I live

            Actually I've never heard of it but I don't drink too much or dabble in drugs. Better keep the backups updated though just in case.
            johnmckay
          • It's good logic.

            If the lock on my front door is not functioning, I'm not going to freak out about putting bars on my windows, am I?
            jgm@...
        • Insecure Windows

          @dcalvin If you haven't heard anyone screaming that Windows is insecure, then you lead a very sheltered life. The Linux fanboys have been pointing this out for years - sometimes loudly. As for IE's holes, even government departments - US and German, for a kick-off - have occasionally issued warnings to everyone to stop using IE because of its security issues. IE has, I'm told, improved considerably as a result. I still don't use it.
          pvsutton
          • Tell them what is insecure!

Microsoft has never implemented the full TCP/IP stack - just what suits them.

            They wanted a way to access every computer to see what you had installed and could charge you should you violate their licensing agreement. Sounds reasonable but then everyone else can do the same: Access a Windows PC.

            The main issue is that all connections that come from a Windows computer, and to a Windows computer will be around and available after your session is over. It is neat in that it also allows you to reconnect the next morning to your company LAN.

Those who want to read the design discussion related to this, see Unix SVID - "Sockets()" - the difference between version 4.2 and 4.3. In particular: SO_DONTLINGER. This should be set, to take down a connection when it is "Closed()" - unless SO_REUSEADDR is set. Windows uses TCP/IP version 4.2 that can "Bind" and "Connect" and be reused. The Linux TCP/IP is full, and has these "options", so in theory, it is just for Microsoft to compile this library. It is also to caution every organisation that needs secure networks to halt the use of Windows - and do "setsockoption(SO_DONTLINGER,TRUE,&socket);". If Microsoft wants to pursue "commercial interests", let them learn what is commercially viable. Hurt their wallet; Steve Ballmer understands that.
            knuthf
      • Changing your back end infrastructure is not that easy

I work for a large (Fortune 500) financials firm, and we use Java for a number of mission-critical public-facing websites that serve our customers. You can't just up and change that at the drop of a hat. For us it is comparable, if a little smaller in scale, to the kinds of investments and effort we made for Y2K - we are talking in the MILLIONS of dollars, not to mention the man hours. Besides, even if we re-tasked our outsourced army of Indians to convert us to .Net or Silverlight (other runtime frameworks that we use - hell, I don't think our IT dept saw a dev kit they didn't like) it still couldn't be done in a reasonable amount of time. Like it or not, we are at the mercy of Oracle to fix this.

As far as Windows and IE are concerned, sure they have issues, but as someone who reads the CERT bulletins when they come in my mail I can assure you that they are in the minority of the vulnerability reports that are published. And guess what, we work with them and our other vendors to get stuff fixed or get some kind of mitigation. This is new territory for Oracle and, like MS and now Apple, it's going to take them a while to find their security "sea legs".
        Threv