Java

Oracle: 'We Have to Fix Java'

posted on January 30, 2013
by l33tdawg

Over the course of the last two years, Oracle's Java has been exploited time and again as hackers eviscerate the technology, seemingly at will.

As each exploit emerges against Java, Oracle typically responds within a short period of time with a security update, only to have the update itself bypassed within days. While Oracle has pledged with each successive release that it is improving Java security, the company has not publicly spoken out about the string of exploits that has crippled confidence in Java in recent months. That is, until now.

Adam Gowdiak: New bug makes moot Java's latest anti-exploit defenses

posted on January 29, 2013
by l33tdawg

Java's new security settings, designed to block "drive-by" browser attacks, can be bypassed by hackers, a researcher announced Sunday.

The news came in the aftermath of several embarrassing "zero-day" vulnerabilities, and a recent commitment by the head of Java security that his team would fix bugs in the software.

Java Patch Didn't Fix Everything, New Exploit On Sale For $5,000

posted on January 17, 2013
by l33tdawg

Microsoft and Oracle both released patches this week for zero-day exploits found in Internet Explorer 8 and Java. If you still use Internet Explorer 8 or below, you should probably download the fix available via Windows Update. As for Java, you should probably still keep that disabled.

Krebs on Security reports that a hacker has already found a hole in the Java fix that Oracle uploaded this week. This particular hacker relayed the news to others on a private Web forum, and began looking for buyers. Here’s the sales pitch:

Red October hackers also used Java exploit for spy campaign

posted on January 17, 2013
by l33tdawg

Hackers behind the long-running espionage campaign dubbed Red October were also using an old Java exploit to capture targets from government agencies and embassies.

Earlier this week, Russian security firm Kaspersky Lab announced the discovery of a targeted malware campaign aimed at high-profile diplomatic, military and government targets across 39 nations. The victims were primarily in Eastern Europe, although individuals in Western Europe and North America were also targeted.

Oracle updates Java, Adam Gowdiak says it still has bugs

posted on January 14, 2013
by l33tdawg

Oracle Corp released an emergency update to its widely used Java software for surfing the Web on Sunday, days after the US government urged PC users to disable the program because of a bug it said made computers vulnerable to attack by hackers.

Java security expert Adam Gowdiak, who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws. "We don't dare to tell users that it's safe to enable Java again," said Mr Gowdiak, a researcher with Poland's Security Explorations.

Java still has a crucial role to play—despite security risks

posted on October 30, 2012
by l33tdawg

Java has its security flaws, but it isn't going away any time soon—after all, many important applications run on the technology, especially in business settings. Still, numerous users are worried enough about vulnerabilities that they restrict Java's ability to run on their machines. That's what we heard from Ars readers when we asked Friday whether they let Java run on their computers, and why.

Adam Gowdiak patches Java 0-day that Oracle is too slow to fix

posted on October 23, 2012
by l33tdawg

Polish firm Security Explorations and its CEO Adam Gowdiak continue to be a thorn in Oracle's side by repeatedly questioning the giant's decision not to issue an out-of-band patch for a critical flaw in Java SE (Standard Edition) 5, 6 and 7.

According to their research, the vulnerability could allow attackers to bypass the security sandbox in those three versions of Java, which are currently installed on nearly a billion machines around the world.