2012.08.30

I hate Java.  There, I said it.  Any IT pro who has had to support multiple versions of this malware breeding ground knows that Java is a complete nightmare.  I detested dealing with Java when I was an administrator/engineer.  Well, the chickens have come home to roost for Oracle.

A commercially available exploit kit called Blackhole now includes an exploit for the latest version of Oracle Java, and it works on every platform the Java browser plugin runs on: Windows, Mac OS, and Linux.  Attacks are already in the wild.  These are drive-by attacks: the user only has to browse to a compromised or malicious web site, the Java plugin is silently exploited with no prompt and no click, and the attacker can run code on the machine and take it over.

If you want to find out whether your version of Java is vulnerable to known security flaws, you can check it on this website.  I can save you a mouse click: your Java is vulnerable, because the current Java 7 release is vulnerable and, right now, there is no fixed build to update to.

“Oracle knew about zero-day Java vulnerabilities for months, researcher says”, reports Computerworld.  The Register claims that Oracle has known about the vulnerabilities since April.  Oracle is sticking silently to its scheduled patch cycle and won’t fix them until the next Critical Patch Update in mid October.  That’s responsible of Oracle, eh? Not!

So with no patch to secure Java (there’s an impossibility!), security experts are recommending that you disable Java in your browser.  The browser plugin is what a drive-by attack reaches, so if you must keep Java for some desktop app, at the very least disable the plugin in every browser on the box.  I’d go one step further: uninstall the sh1te and find alternative applications and banks that understand the need for security.  Anyone who continues to recommend or sell Java-based apps should be ignored, fired, thrown off a cliff (joking about the last one … I think).
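For the Windows admins who want to act on that advice across more than one box, here is an added example (mine, not from the original post) that inventories every Oracle/Sun Java package registered on a machine and, with -Remove, uninstalls the MSI-based ones silently.  It assumes the standard Uninstall registry keys (64-bit and 32-bit views), that Java packages carry a DisplayName beginning “Java ” or “Java(TM) ” with Oracle or Sun as publisher, and that the MSI product code is the uninstall key name, which is how Oracle’s installers register themselves.  Disabling the plugin per browser is still done in each browser’s add-on manager; this script only deals with what is installed.

```powershell
# Added example, not code from the original post.
# Lists Oracle/Sun Java packages from the Windows uninstall database and,
# with -Remove, uninstalls the MSI-based ones via msiexec. Run elevated.
# Supports -WhatIf so you can see what would be removed first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Assumption: standard Uninstall keys. The Wow6432Node view holds 32-bit
# JREs on a 64-bit OS; it does not exist on 32-bit Windows, hence the
# SilentlyContinue.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption about naming: JRE/JDK packages show up as "Java 7 Update 6",
# "Java(TM) 6 Update 33", "Java(TM) SE Development Kit 6 Update 33", and the
# "Java Auto Updater" component also matches. JavaFX does not (no space).
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match '^Java(\(TM\))?\s' -and
        $_.Publisher   -match 'Oracle|Sun'
    } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString, PSChildName

if (-not $java) {
    Write-Output 'No Oracle/Sun Java packages found.'
    return
}

$java |
    Format-Table DisplayName, DisplayVersion, PSChildName -AutoSize |
    Out-String -Width 200 |
    Write-Output

if ($Remove) {
    foreach ($pkg in $java) {
        # For MSI packages the key name is the product code GUID, e.g.
        # {26A24AE4-039D-4CA4-87B4-2F83217025FF}; msiexec /x takes it directly.
        if ($pkg.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
            if ($PSCmdlet.ShouldProcess($pkg.DisplayName, 'msiexec /x')) {
                $proc = Start-Process -FilePath 'msiexec.exe' `
                    -ArgumentList "/x $($pkg.PSChildName) /qn /norestart" `
                    -Wait -PassThru
                # 0 = removed, 3010 = removed but a reboot is pending.
                Write-Output ('{0}: msiexec exit code {1}' -f $pkg.DisplayName, $proc.ExitCode)
            }
        } else {
            # Non-MSI entries need their own uninstaller; show it rather than guess.
            Write-Warning ('{0} is not an MSI package; uninstall string: {1}' -f `
                $pkg.DisplayName, $pkg.UninstallString)
        }
    }
}
```

Run it once with no switches to see what is on the box, then `.\Remove-Java.ps1 -Remove -WhatIf` to preview, and `-Remove` to do it.  Check the exit codes: 3010 means the uninstall succeeded but the machine wants a reboot before the files are really gone.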

Edit#1

For the Java fans, why don’t you read this and this:

“The most commonly observed types of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters” – Microsoft Security Intelligence Report, Volume 11 (2011, covering the first half of the year).

As for Microsoft software having vulnerabilities: yes, any large piece of software does, including Linux, Android and Mac OS.  You’re a naive moron if you think otherwise.  Where Microsoft rises above the competition is that it deals with issues as they arise, releases patches, and screams from the mountain tops to get you to patch.  It even gives you simple free tools (Windows Update, WSUS) and enterprise tools to automate this.  But naive morons don’t want to listen because they have their heads up their asses:

  • 23/10/2008: Microsoft released a security patch (MS08-067) that would have prevented Conficker
  • 24/11/2008: Conficker is first discovered, 1 month after Microsoft released the patch
  • Mid-2011: Conficker is still the #1 malware present on domain-joined (business) PCs, thanks to the naive, professionally negligent morons who think they know better

Check yourself and your facts before you fire out stupid comments about Microsoft just because you’ve gotten into bed with a malware breeding ground like Java.
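Since the whole point of that timeline is “the patch existed, people didn’t install it”, here is an added example (mine, not from the original post) that asks a list of computers whether a given security update is installed, using the hotfix inventory Windows keeps locally.  It assumes you have admin rights and RPC/DCOM access to the remote hosts, and it defaults to KB958644, the MS08-067 update that closed the hole Conficker used.

```powershell
# Added example, not code from the original post.
# Reports, per computer, whether a given KB is installed, missing, or the
# host could not be asked. Get-HotFix reads Win32_QuickFixEngineering, which
# only lists updates installed as separate packages: an OS build that shipped
# with the fix built in will legitimately show MISSING for that KB.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$KB = 'KB958644'   # MS08-067; assumption: the KB that applies to your OS version
)

foreach ($computer in $ComputerName) {
    # An absent update and an unreachable host both yield no object; tell
    # them apart so that "could not ask" is never reported as "patched".
    $hotfix = Get-HotFix -Id $KB -ComputerName $computer -ErrorAction SilentlyContinue

    if ($hotfix) {
        $status = 'Installed'
        $when   = ($hotfix | Select-Object -First 1).InstalledOn
    } elseif (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        $status = 'MISSING'
        $when   = $null
    } else {
        $status = 'UNREACHABLE'
        $when   = $null
    }

    [pscustomobject]@{
        Computer    = $computer
        Update      = $KB
        Status      = $status
        InstalledOn = $when
    }
}
```

Feed it a host list and filter on anything that is not Installed, for example `.\Check-Update.ps1 -ComputerName (Get-Content .\hosts.txt) | Where-Object { $_.Status -ne 'Installed' }`.  This is a spot check, not a patch management system: for the fleet, the WSUS reports the post alludes to are the tool, and a superseding update will not show up under the original KB number, so pick the KB that applies to each OS version you run.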

Edit#2

Oracle has since released an update (Java 7 Update 7).  I don’t have Java on my machines so I can’t tell you anything more about it.  I believe the Java updater only looks for updates once per month.


4 comments so far

  1. It could be fun to lock down a machine with AppLocker and see if the exploits would still work. In Denmark you need Java to log on to government sites and net banking.

    It’s very, very hard to get around; you even need it for UAG :)

    • “Banks and government” … that says it all :) Same here.

  2. Most of my switches want Java to let you manage them. So totally dropping Java isn’t really an option for me. I’ll just have to disable the plug-in until I need to do that part of my job.

  3. Heads up again. It’s so sad.

    Oracle’s Java Security Woes Mount As Researchers Spot A Bug In Its Critical Bug Fix
    http://www.forbes.com/sites/andygreenberg/2012/08/31/oracles-java-security-woes-mount-as-researchers-spot-a-bug-in-its-critical-bug-fix/

    Java is the worst application I have ever seen. Lotus Notes is not even close compared with this crapware
