Java software said to put computers in peril

Jan 11, 2013
People use their laptop computers at a Starbucks in Washington, DC, on May 9, 2012.

The US Department of Homeland Security warned Thursday that a flaw in Java software is so dangerous that people should stop using it.

"This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits," the department's Computer Emergency Readiness Team said in a notice on its website.

"We are currently unaware of a practical solution to this problem."

The recommended solution was to disable Java in web browsers, where it typically runs as a plug-in program.

Java is distributed by business software powerhouse Oracle and is popular because it lets developers write programs, including the applets that run inside web pages, in code that runs on any operating system with a Java runtime installed.

Java was created by Sun Microsystems, which was purchased by Northern California-based Oracle.

Hackers who get people to visit booby-trapped websites can exploit the Java vulnerability to execute code on the visitor's computer, according to security firms that have backed up CERT's warning.
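One check a practitioner would want after following that advice is to confirm the browser no longer advertises the Java plug-in to web pages, since a booby-trapped page can only load an applet if the plug-in is exposed. The following is an added example, not code from the article, from Oracle or from US-CERT: it inspects a navigator.mimeTypes-style list for the MIME types the Java plug-in registered in browsers of that era (application/x-java-applet, application/x-java-vm and application/x-java-bean, with version= or jpi-version= parameters). Those type strings and the two sample lists are assumptions constructed for the example; in a browser console, pass Array.from(navigator.mimeTypes) to the same function to check a real profile.

```javascript
// Added example (not from the article): report whether a Java browser
// plug-in is exposed to web content, based on the MIME types the browser
// advertises. The Java plug-in of the period registered types such as
// "application/x-java-applet;jpi-version=1.7.0_10"; those strings are an
// assumption of this example. Node.js has no navigator.mimeTypes, so the
// constructed sample lists below stand in for it.

const JAVA_MIME_PREFIXES = [
  'application/x-java-applet',
  'application/x-java-vm',
  'application/x-java-bean',
];

// True when `type` is one of the Java MIME types, with or without a
// ";version=..." or ";jpi-version=..." parameter.
function isJavaMime(type) {
  return JAVA_MIME_PREFIXES.some((p) => type === p || type.startsWith(p + ';'));
}

// Takes an array of objects shaped like navigator.mimeTypes entries
// (each with a `type` string) and returns { enabled, versions }, where
// `versions` lists every distinct version the plug-in advertised.
function inspectJavaPlugin(mimeTypes) {
  const versions = new Set();
  let enabled = false;
  for (const entry of mimeTypes) {
    const type = String((entry && entry.type) || '').toLowerCase();
    if (!isJavaMime(type)) continue;
    enabled = true;
    // jpi-version carries the full update level (1.7.0_10); version only
    // the major line (1.7). Record whichever is present.
    const m = /;(?:jpi-)?version=([0-9][0-9._]*)/.exec(type);
    if (m) versions.add(m[1]);
  }
  return { enabled, versions: [...versions] };
}

// Constructed sample: what a browser with the Java 7 plug-in enabled might expose.
const SAMPLE_WITH_JAVA = [
  { type: 'application/pdf' },
  { type: 'application/x-java-applet' },
  { type: 'application/x-java-applet;version=1.7' },
  { type: 'application/x-java-applet;jpi-version=1.7.0_10' },
  { type: 'application/x-java-vm' },
  { type: 'application/x-shockwave-flash' },
];

// Constructed sample: the same browser after the plug-in has been disabled.
const SAMPLE_WITHOUT_JAVA = [
  { type: 'application/pdf' },
  { type: 'application/x-shockwave-flash' },
];

// In a browser console use Array.from(navigator.mimeTypes); elsewhere fall
// back to the constructed sample so the script runs offline.
const mimeTypes =
  typeof navigator !== 'undefined' && navigator.mimeTypes
    ? Array.from(navigator.mimeTypes)
    : SAMPLE_WITH_JAVA;

const report = inspectJavaPlugin(mimeTypes);
console.log(report.enabled
  ? `Java plug-in exposed to web content (versions: ${report.versions.join(', ') || 'not advertised'})`
  : 'No Java plug-in exposed to web content');
```

If the function still reports the plug-in as enabled after Java was switched off in the browser's add-on settings, the browser has not actually stopped exposing it to web content. A plug-in set to ask before activating (click-to-play) may still appear in the list, so treat a positive result as "exposed", not necessarily "runs silently".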


More information: www.securelist.com/en/blog/208… Exploit_Distribution



User comments: 24


dogbert
2 / 5 (14) Jan 11, 2013
Java is in just about everything. I wonder, does this vulnerability extend to smart phones, pads, etc.?
VendicarD
2.1 / 5 (19) Jan 11, 2013
Java is a good concept that has been incompetently designed, and horribly implemented by the Unix/Linux community.

Pretty much on par with everything else they do.
chardo137
1.3 / 5 (16) Jan 11, 2013
It could be true, I guess. However, I am not aware of any group of people in the world who are more paranoid than Homeland Security. I suppose there just aren't very many credible threats left, so they have to have something to fight. It's too bad we can't put smart people in charge of something as important as security. But, sadly, it is the paranoid people who make these decisions, and they seem to want to be surrounded by their own kind.
Anda
2.1 / 5 (7) Jan 11, 2013
Seems that unix/linux community doesn't agree with vendicar.
I do, as quite always.
HeloMenelo
1.6 / 5 (14) Jan 11, 2013
Java sux long time. I've been using PCs for over 15 years; it is what brings up all the BS marketing into your very own personal computer, not to mention all the bandwidth it takes for loading all this crap and webpages. I ALWAYS disable Java in Opera, but some sites do not like it.
El_Nose
4.1 / 5 (9) Jan 11, 2013
@Vendicar

The Unix/Linux community is probably the most dedicated and thorough bunch of folks around at code implementation. They are now bogged down in bureaucracy and that is slowing things down such as a few needed changes, but even those are up for debate.

Why troll on Linux devs? You made no point except to try to blast a language that started with the noblest of intentions and was so widely accepted by the CS community it was the first to supplant C, which was around for over a decade and a half. Its only rivals in popularity are Python and C. And that is for a very good reason.

If this hole is as bad as reported, it will either be fixed, or discontinued. Everyone already realizes this.
zslewis
4.4 / 5 (5) Jan 11, 2013
@Vendicar

Very disappointed, I often agree with your opinion and perspectives. But it seems this time around you have forgotten to think before you typed. A little research will go a long way.
A2G
1.4 / 5 (10) Jan 11, 2013
Homeland Security. Now there is a name you can trust. or not.
El_Nose
not rated yet Jan 11, 2013
Just reread my comment, and where I put C I meant C and C plus plus.
sirchick
not rated yet Jan 11, 2013
Java is in just about everything. I wonder, does this vulnerability extend to smart phones, pads, etc.?


Smart phones are not built with Java; maybe some apps are, but generally Java has long been replaced by C.
PieRSquare
1.1 / 5 (7) Jan 11, 2013
The DHS recommendation seems at odds with the last paragraph of the linked document.
One of the best statements that I have seen in regards to the fairly impractical "just uninstall it" approach was presented by one of the handlers at the ISC Storm Center in today's issue of SANS NewsBites: "Editor's Note ([Mat] Honan): It seems each time a zero day exploit is found in software, be that Java or otherwise, the industry pundits recommend that people stop using that software. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry."
Phil DePayne
1.3 / 5 (12) Jan 11, 2013
Some statistics from the Financial Express:

Java today is driving more than $100 billion of business annually.
Java mobile game market is estimated to be around $3 billion.
Seven out of 10 wireless applications currently under construction will use Java technology runtime environment.
On the enterprise side, $2.2 billion in Java application server and $110 billion in related IT spending are happening.
Today, globally over 4.5 million software developers work on Java.
Along with that, 100 carrier deployments and 579 million phones are on this platform.
Around 750 million Java cards have been deployed globally.

Good luck with that, you are all doomed!
migbasher
not rated yet Jan 11, 2013
Sigh...
jonnyboy
1.3 / 5 (12) Jan 11, 2013
@Vendicar

Very disappointed, I often agree with your opinion and perspectives. But it seems this time around you have forgotten to think before you typed. A little research will go a long way.


He is a troll, and you should think twice... thirty times before you ever agree with any comment he posts.
Eikka
1 / 5 (5) Jan 11, 2013
Smart phones are not built with Java; maybe some apps are, but generally Java has long been replaced by C.


All Android apps are made with Java. You may write them in some other language, but it all ends up being translated into Java bytecode that is run through the Dalvik Java virtual machine.

The point is not having to deal with the incompatibilities of the different implementations and versions of the underlying operating system itself on different phones using different hardware.
kochevnik
2.1 / 5 (7) Jan 11, 2013
Java isn't a native part of *NIX it is a proprietary product formerly of Sun Microsystems. Blaming the *NIX community is naive, for it is Sun which has refused to release source code. Festering bugs hide, cloaked in Sun's secrecy. In contrast the *NIX community has engineered open-source openjava as a replacement for the bug-ridden binaries from Sun. Anyone can scrutinize the code in openjava and help improve the community.

Java ideas are spreading into new generation compilers like clang and LLVM. High level languages are compiled into opcode which is then translated into optimized assembly for the particular hardware. The cross-platform attribute of Java is a great idea. Only the language itself sucks. But with twenty different languages available to make the same bytecode it's not an impasse for future operating systems.
Osiris1
1.4 / 5 (10) Jan 12, 2013
Sounds like Microsoft spreading propaganda and vicious rumors by using, of all folks, 'Homeland [IN]Security'. Of course the government would not like Linux inasmuch as so many officials had been bribed by Microsoft to accept Window$$ into defense critical systems. They KNOW that Window$ already had run aground one of our most modern destroyers, and KNOW the Chinese have had ALL the source code to Window$$ for over ten years. That source code was the twenty pieces of silver so Microsoft could continue to sell Window$$ in China. These officials know that they swallowed the Windows and all its secret, known only to Microsoft, poison pills years ago and are deathly afraid that Microsoft might, just in cahoots with its Chinese masters, trigger one or more of them and sink a navy capital ship... or two. Of course the evidence would erase itself long before the useless hulk hit the floor of the ocean, carrying all its loyal American sailors to death by a corporate traitor.
alfie_null
not rated yet Jan 12, 2013
The exploit happens when one browses to a page, loading a new applet. Thus, servlets are unlikely to be affected. Neither are the many non-browsing Java apps that live on smart phones and tablets.

Regarding V's comments on Java and Unix/Linux, I'm puzzled at where he sees the link between the two - there isn't one. And with his disparagement. Who is this monolithic "Unix/Linux" that writes such bad software, and to what exemplar is he comparing it?

Newbeak
not rated yet Jan 12, 2013
I run my browser and other apps in Sandboxie all the time. Let the bad code rage in the sandbox all it wants. When I delete the sandbox, all the baddies go with it.
verkle
1.4 / 5 (11) Jan 12, 2013
Why troll on Linux devs? You made no point except to try to blast a language that started with the noblest of intentions and was so widely accepted by the CS community it was the first to supplant C, which was around for over a decade and a half. Its only rivals in popularity are Python and C. And that is for a very good reason.


Linux and C are different. Linux is an Operating System. C is a Programming Language. Do not confuse the two. They work side by side, and are not mutually exclusive.

xen_uno
1 / 5 (8) Jan 13, 2013
Doing the opposite of whatever the DHS suggests is how to be a true American patriot. I can only hope that someday the haze of paranoia fostered by this agency clears around our moronic politicians' heads, and the rogue is dismantled. Fat chance under Obama though, as it would make high unemployment numbers look far worse.
BSD
1 / 5 (9) Jan 13, 2013
Java is a good concept that has been incompetently designed, and horribly implemented by the Unix/Linux community.

Pretty much on par with everything else they do.


Windows was a bad concept, incompetently designed and horribly implemented.
Pretty much on par with everything else they do.
El_Nose
not rated yet Jan 15, 2013
@BSD

Windows was initially an awesome design; unfortunately it was not made for the office environment. Almost all of the issues Windows faced were those of the transition from a PC, a personal computer with only home access, to being used in an environment where multiple users can access the same machine.

Windows was made for just one person to use it; then, when over 50% of its sales were office based, tuning the OS to a place it was never designed for caused a horrible product to come to the market.

But if you think writing an OS as robust as Windows is easy, one that works with any hardware, then I challenge you to make a better one. Apple refuses to even try to make an OS that is compatible with a lot of hardware -- because it is a non trivial exercise.
dogbert
1 / 5 (9) Jan 16, 2013
El Nose,
Apple refuses to even try to make an OS that is compatible with a lot of hardware -- because it is a non trivial exercise.


Apple actually makes a lot more money controlling both hardware and software. They don't consider opening their products to third parties because they make more money with closed products.
