Researcher uncovers new Java exploit, 1 billion Macs and PCs at risk

Shawn Knight


Security researcher Adam Gowdiak has uncovered a new zero-day vulnerability in Oracle’s Java software. The bug is said to be present in all currently supported versions, including Java 5, Java 6 and Java 7, and has the potential to allow attackers to install malware on nearly 1 billion systems (based on installation numbers from Oracle).

The exploit affects Macs and PCs equally which means that any system running Java could be at risk. The good news, at least for now, is that it poses little danger to the general public. Gowdiak, who’s known for finding similar chinks in Java’s armor, said he isn’t aware of any active attacks that exploit this particular vulnerability.

He reportedly discovered it last week and spent this past weekend testing a proof-of-concept before revealing it to Oracle yesterday. The software company has since confirmed the vulnerability with Gowdiak and said it will be patched in a future security update. They didn’t mention when exactly this would occur but the next scheduled update on Oracle’s calendar is October 16.

The security researcher said he decided to go public with his findings, short of detailing exactly how to exploit the vulnerability, in the hope that it would put pressure on Oracle to patch it sooner rather than later. He’s hoping the software company will be able to get the work done in time for next month’s patch update before hackers can discover it on their own.
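The article names the affected major versions (5, 6 and 7) but no fixed version, since the patch does not exist yet. As an added example that is not part of the article and not Oracle's or Gowdiak's code, the script below shows how a defender would triage a fleet: parse the version string in the format `java -version` prints, flag hosts on an affected major version, and, once a patched update number is known, compare the installed update number against it. The hostnames and their version lines are constructed samples, and the patched update numbers passed in at the end are placeholders, not real fix versions.

```python
import re
from typing import Dict, NamedTuple, Optional

# Constructed sample inventory: hostname -> the line `java -version` printed.
# The "1.major.minor_update" format is the real legacy Java version scheme;
# the hosts themselves are made up for this example.
SAMPLE_INVENTORY = {
    "host-a": 'java version "1.7.0_07"',
    "host-b": 'java version "1.6.0_35"',
    "host-c": 'java version "1.5.0_22"',
    "host-d": "java: command not found",
}

# Major versions the article reports as affected (Java 5, 6 and 7).
AFFECTED_MAJORS = {5, 6, 7}


class JavaVersion(NamedTuple):
    major: int   # 5, 6, 7 ... (the second field of "1.x")
    minor: int
    update: int  # the "_NN" update number, 0 if absent


_VERSION_RE = re.compile(r'java version "1\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(line: str) -> Optional[JavaVersion]:
    """Parse a legacy '1.major.minor_update' version string; None if no Java reported."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Optional[JavaVersion],
                patched_updates: Optional[Dict[int, int]] = None) -> bool:
    """Return True if the installed version is exposed.

    patched_updates maps a major version to the first update number that
    contains the fix. While no fix has shipped (None), every install on an
    affected major version is exposed; a major version with no known fix
    is likewise still treated as exposed.
    """
    if version is None or version.major not in AFFECTED_MAJORS:
        return False
    if patched_updates is None:
        return True
    fixed_update = patched_updates.get(version.major)
    if fixed_update is None:
        return True
    return version.update < fixed_update


def triage_inventory(inventory: Dict[str, str],
                     patched_updates: Optional[Dict[int, int]] = None) -> Dict[str, str]:
    """Classify each host as 'affected', 'patched' or 'no java'."""
    result = {}
    for host, line in inventory.items():
        version = parse_java_version(line)
        if version is None:
            result[host] = "no java"
        elif is_affected(version, patched_updates):
            result[host] = "affected"
        else:
            result[host] = "patched"
    return result


if __name__ == "__main__":
    # Before a fix exists: every host with Java 5/6/7 is exposed.
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    # PLACEHOLDER fix levels (not real Oracle update numbers) to show the
    # comparison once a patched update is published.
    print(triage_inventory(SAMPLE_INVENTORY, {7: 9, 6: 37}))
```

The useful property for a patch-management process is the third state: a host is only reported as "patched" when its major version has a known fix and its update number reaches it, so Java 5 hosts stay "affected" until someone records a fix level for that branch rather than silently dropping out of the report.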


 
My Java is acting up in chrome, says its blocked because its out of date but once updated it does the same thing.
 
I haven't found a program that I use that needs Java, so I have had no problems since I uninstalled it a while ago.
 
Adam Gowdiak has uncovered a potential bug in Java.

He isn’t aware of any active attacks that exploit this particular vulnerability

So he,

Spent a week testing a proof-of-concept before revealing it to Oracle yesterday.

The software company has since confirmed it will be patched in a future security update.

What does Gowdiak do?

before hackers can discover it on their own. Gowdiak decided to go public with his findings :confused:
 
Adam Gowdiak has uncovered a potential bug in Java.

He isn’t aware of any active attacks that exploit this particular vulnerability

So he,

Spent a week testing a proof-of-concept before revealing it to Oracle yesterday.

The software company has since confirmed it will be patched in a future security update.

What does Gowdiak do?

before hackers can discover it on their own. Gowdiak decided to go public with his findings :confused:

Has he actually publicly disclosed the vulnerability attack vector? Or just it's existence?
 
Java has always seemed to have security problems. How about they let you click a check box to only install month-old updates?
 
I love how nobody commenting even knows what Java is, yet are all too eager to jump on the Java bashing bandwagon.
 
I love how nobody commenting even knows what Java is, yet are all too eager to jump on the Java bashing bandwagon.
Seems to me they know what Java is and most are right that Java has been full of holes and bugs for a long time, rivaling Flash in that regard. Now unless you have some info on why you think people commenting don't know what Java is I will assume you are confusing it with JavaScript and are really the one in error.
 
There exist other unpatched holes in Java, and there have been for a couple of weeks now.
They are already part of the Blackhole exploit kit, so it's out there and being actively exploited.
I'd advise either disabling Java in all your browsers (easier on some than others)
or just uninstalling Java.
 
Can someone correct me if I'm mistaken?

I've always assumed Java was the base code which allows JavaScript to run, and that even if Java was uninstalled the browser is still capable of the most basic elements of Java.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I am not a programmer and will never fully understand how applications are coded or how updates are implemented. I am forced to trust others to do the programming that I require for my applications. I think I can speak for over half the world's population and say they don't either. I know I don't keep up with the latest and greatest updates, which might leave my machine at risk the greatest amount of time. It's not that I don't want my PC updated to be the most secure, I just don't spend time checking for updates. Even when an update is presented, I may ignore it because there are so many applications that want to update regularly.

I know I might stir up a stink with this comment.
Maybe applications with potential for security holes should disable themselves or at least the code with the security issue, if there has been an update for over 30 days. Since I'm already dependent on programmers that offer the application, I see no reason why I shouldn't be required to keep the application updated if I plan to continue using it. I would be more apt to stay updated, if what I'm trying to do requires an update before processing. I think this would hold true for more people than just myself.

Out of all the PCs being compromised, the only way to decrease these numbers is to decrease the potential for these PCs to be compromised.

I will leave with a final thought.
Out of all the PCs contributing to botnets without the user's knowledge, I wonder if some of them could have been protected by applications automatically disabling outdated code.
 
I love how nobody commenting even knows what Java is, yet are all too eager to jump on the Java bashing bandwagon.
Seems to me they know what Java is and most are right that Java has been full of holes and bugs for a long time, rivaling Flash in that regard. Now unless you have some info on why you think people commenting don't know what Java is I will assume you are confusing it with JavaScript and are really the one in error.
Yeah, no. Java and JavaScript are two entirely unrelated technologies. Do you really want me to go through each comment and point out how each one only signifies having heard of Java before?

No software is free from bugs. Something that is installed on a ridiculous amount of devices is going to be hit harder than those which are not, and vulnerabilities WILL be found no matter what the product is. Ever since Oracle bought out Sun, Java has been put on the back burner, so I blame Oracle for not fixing things, and not some fundamental problem with Java.

Can someone correct me if I'm mistaken?

I've always assumed Java was the base code which allows JavaScript to run, and that even if Java was uninstalled the browser is still capable of the most basic elements of Java.
No, Java and JavaScript have nothing in common. JavaScript is a scripting language that is used in a lot of webpages to execute conditional/algorithmic logic as HTML can only represent a page's layout.

Java is a collection of technologies, but is foremost a programming language. However, Java is also designed to be able to run on any platform (Windows, Linux, OSX, AIX, Solaris, etc.) without any code modifications spawning the "write once, run anywhere" (WORA) mantra. To do this however, there has to be a layer between the code that a programmer writes and the OS. This layer transforms the standard Java operations into understandable commands for the particular OS, and is therefore called the Java Virtual Machine (JVM). The JVM must be present on a computer for Java code to execute, so that is why you need to install the Java Runtime Environment (JRE) also known as "installing Java". Now, what might be confusing you in regard to JavaScript is that with Java, you can also embed little Java programs WITHIN a webpage. These programs are called applets (tiny apps). The image used in this article is a screenshot of an applet loading on a webpage. If Java is uninstalled, applets will no longer work within your browser, but JavaScript will still execute because it is not part of the Java platform.
 
No, Java and JavaScript have nothing in common. JavaScript is a scripting language that is used in a lot of webpages to execute conditional/algorithmic logic as HTML can only represent a page's layout.

Java is a collection of technologies, but is foremost a programming language.-----.
Well said :) Wagan8r knows.

@Camikazi: I haven't found a program that I use that needs Java, so I have had no problems
Great - - life is easy for you. Personally I have a PGP tool that runs on a JRE layer. As it is well written, it does not rely upon the commonly installed instance like the browser does. In fact, it is still a Java 5.x JRE (Wagan8r: watch'm carp on that stmt.) installed within the application install area. Runs great, is secure and is reliable. Java is cool when it is handled correctly.
 
@Wagan8r - Thanks for the clearest explanation I've seen, not only of the difference between Java and JavaScript, but of how Java works and the function of the JRE.
 