0-day exploit : Java Glossary

*0-9ABCDEFGHIJKLMNOPQRSTUVWXYZ (all)

0-day exploit

Hackers found a way to write an unsigned Applet that can write over your hard disk. They have published how to do it and vandals were actively using the vulnerability. To be in danger, you had to run one of the specially constructed Trojan Applets. Reputable applets would not harm you. This was not a virus that infected reputable code. Oracle has since up with a fix, just install the latest version of the JDK/JRE version 1.7.0_51 or later. It only affcted Applets which are rarely used. Java applications, Servlets and Java Web Start was unaffected.

The irony is other languages have similar sandboxes and exe files hav no security sandbox at all. Java had a minor leak in its. The media never once mentioned that even with the secuity leak, Java was thousands of times more secure than the competition. Incompetence or malice? PCPitstop put out some of the most malicious and erroneous proaganda.

If the problem recurs, to protect yourself either turn off Java Applets entirely in your browser or turn off running unsigned Applets without permission (the current default) and run only those you trust. Stick to reputable websites. You could always run reputable Applets safely in the Appletviewer or as hybrids. To put this is in perspective, Java has had three such vulnerabilities. Windows has had tens of thousands.

Java’s competitors are having a field day with this, grossly exaggerating the problem and suggesting drastic remedies that are not needed and ignoring the fact the problem has been fixed. This is unfair, but let’s hope it will make Oracle take pains to ensure this never happens again. Media are promoting it as if it were the Y2K doomsday, with as little understanding.

Ironically this problem is a sign of Java’s increasing popularity. Vandals only bother to attack the most popular platforms. They have so far left Apple and Linux alone.

However, this was the most serious security breach ever in Java. It was not just theoretical.

JDK (Java Development Kit) 1.7.0_51 fixes only the reflection vulnerability but not JMX (Java Management extensions) MBean (Managed Bean) vulnerability. So for the time being it is best to disable Java Applets.


This page is posted
on the web at:

http://mindprod.com/jgloss/0dayexploit.html

Optional Replicator mirror
of mindprod.com
on local hard disk J:

J:\mindprod\jgloss\0dayexploit.html
Canadian Mind Products
Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

IP:[65.110.21.43]
Your face IP:[3.144.41.200]
You are visitor number