Page 2 of 2 FirstFirst 12
Results 11 to 13 of 13

Thread: Java

  1. #11
    Master Untangler
    Join Date
    Aug 2008


    And now there's a purported new zero day vulnerability being offered for sale on the net.

  2. #12
    Untangle Ninja YeOldeStonecat's Avatar
    Join Date
    Aug 2007


    The funny part is..this isn't a new thing. Those people experienced in IT have known for YEARS now...that "web players" have become the weak point for malware, and require frequent maintenance. By the term "web players"...I mean stuff like Java, PDF Reader, Flash, Shockwave, etc.....for those that couldn't guess.

    This is nothing new folks......Oracle had an equally alarming zero day exploit hit Java last August...and we all (at least those that paid attention) rushed around doing Java updates. Why the department of homelessland insecurity decided to put out a warning last week for this exploit is comical...they can't secure our freaking borders, why they decided to give the image that they're up on computer security is best.

    Most of us concerned with network security have been performing frequent Java and Flash and PDF Reader updates on a regular basis for years now.

    Nothing new really....the past several years of rogues/fake alerts have been exploiting Java and Flash like made...just another day in paradise.

    Seeing as 99% of our clients are SMB...there's no way I can run around disabling Java. Too many clients would have their day to day business applications come to a screeching halt....I may as well have unplugged their servers.

  3. #13
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    York, NE


    Imagine you're a security "researcher" who's in it to sell exploits for money. The tools and techniques of this kind of research tend to find exploits in batches. You don't find one flaw: you tend to find a family of flaws around an internal method, set of methods, or technique used in building the target product. What do you do? Do you release them all in a package for sale? Of course not! If you did that, all of your exploits would all come be exposed at about the same, and all get patched in the same cycle. You've limited the life-time of the exploit, and you've ruined your ability to re-sell the same find to the same set of customers.

    Instead, you sell your flaws one at a time. As soon as a patch is out for one, you put the next up for sale.

    I expect we'll see a cycle of several months to nearly a year where Java has a new 0-day out every within a day or two of the last patch. It won't take that many cycles to dry up the current well, but the trick will be how fast oracle can turn around on this. At least they're not committed to only one patch per month, as is Microsoft, but it's still gonna be a pain with all the updates in the interim.

    And I don't mean to call out Java here, either. I mean, it's not great, but the same forces at work for other platforms as well.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

Page 2 of 2 FirstFirst 12

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

SEO by vBSEO 3.6.0 PL2