Doomster Posted April 16, 2010
http://blogs.zdnet.com/security/?p=6186&tag=nl.e540
In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.
Java 6 Update 20 does not specifically mention this fix, but it does fix the issue.

darksonic45 Posted April 16, 2010
Thanks for the heads up. Downloading the fix now.

Solartide Posted April 16, 2010
Can't help but wonder what if one day, the people at Sun, Google, Microsoft, etc, decide to turn rogue. They release this sensational story of a huge vulnerability and a patch that all users must immediately download to save their computers. Little does the user know that the "patch" they downloaded is the malware itself, paving a path for world domination by the three companies.

anonymouse_ Posted April 16, 2010
Good stuff :thumbup:

Solartide Posted April 16, 2010
Also: This is why you turn Java off, or use NoScript.

sees_all1 Posted April 17, 2010
> Can't help but wonder what if one day, the people at Sun, Google, Microsoft, etc, decide to turn rogue. They release this sensational story of a huge vulnerability and a patch that all users must immediately download to save their computers. Little does the user know that the "patch" they downloaded is the malware itself, paving a path for world domination by the three companies.
Well, you don't have to worry about Sun anymore. You need to worry about Oracle. :D
99 dungeoneering achieved, thanks to everyone that celebrated with me!
♪♪ Don't interrupt me as I struggle to complete this thought
Have some respect for someone more forgetful than yourself ♪♪
♪♪ And I'm not done
And I won't be till my head falls off ♪♪

nightshade53 Posted April 17, 2010
mac ftw

Jard_Y_Dooku Posted April 17, 2010
> Also: This is why you turn Java off, or use NoScript.
This is why you turn your computer off. [hide]There's vulnerabilities in the operating system, too...[/hide]
> mac ftw
There could just as easily be a vulnerability in the Mac version of Java.
Never trust anyone. You are always alone, and betrayal is inevitable.
Nothing is safe from the jaws of the decompiler.

Ronan Posted April 17, 2010
I would boast about Linux at this point, but one of the white-hats mentioned that although they couldn't exploit Linux versions of Java with this exact vulnerability, it may just require a different approach:
> Although Linux contains vulnerable code, I was unable to exploit it in the same manner. It likely can be exploited by using the proper sequence of command-line arguments, but the sudden release didn't allow me to research into this issue. I was focused on Windows at the moment of the disclosure.
> There could just as easily be a vulnerability in the Mac version of Java.
Interestingly enough, according to the 0day-related page linked to from the article (here), MacOSX isn't actually vulnerable, yet Windows and Linux are.
Glad they changed their mind on the update though! :)

Louisc111 Posted April 17, 2010
I'd already updated my Java by coincidence, but Norton 360 took care of this problem (blocked the test page) before it even loaded, so Norton users should also be ok. Thanks for the info though.
All skills 70+ again 16/06/2010

paul191600 Posted April 17, 2010
So what exactly was the bad page?
The sour dough of the epitmous pie hungers for another's sweet lips to be dulled into a state of most irreverant humbleness
TUBULAR BELLS!

Ronan Posted April 17, 2010
> So what exactly was the bad page?
It seems the proof-of-concept page simply opened up the Calculator application on Windows by launching a Java web-start application to show the vulnerability. I'm not certain if the vulnerability actually was utilised for harm but a lot of it seems to have just been emphasis on the vulnerability being present rather than being used by anyone - I'm quite sure we could well have seen it being used for worse if they hadn't released an update.

pulli23 Posted April 17, 2010
Lol these kinds of vulnerabilities come like... weekly. You really don't have to get dramatic over it, it's more or less normal to have nowadays.
First they came to fishing
and I didn't speak out because I wasn't fishing
Then they came to the yews
and I didn't speak out because I didn't cut yews
Then they came for the ores
and I didn't speak out because I didn't collect ores
Then they came for me
and there was no one left to speak out for me.

DeeKay Posted April 17, 2010
No biggie. It's not that http://runescape.com was any security threat, and if you go to fishy websites you're at risk regardless of Java.