So what's the deal with the warnings about JAVA ???

So where can I get my hands on the POC code and test to see if my
hypothesis (that Win-98 running JAVA 6 is not vulnerable to this current
world-wide threat) is correct?

Re: So what's the deal with the warnings about JAVA ???

On Friday, January 11, 2013 9:14:00 PM UTC-5, Virus Guy wrote:

that's rather shortsighted.

even if you found an exploit of this new 0-day it's doubtful the payload
that the exploit launches would be compatible with such an old version of
windows. the thing is, exploits aren't limited to any particular payload,
the same exploit could be paired with a completely different payload that
might work on your machine.

the fact is that researchers just aren't writing exploits to show you how
vulnerable your ancient configuration is anymore, whether it is vulnerable
or not. the only people who might bother with your box now are the people
who want to pwn it.

Re: So what's the deal with the warnings about JAVA ???

kurt wismer wrote:
 

Is it still a "zero-day" exploit today?

What about next week (in 7 days)?

Will it still be a "zero day" exploit in 7 days?

Why are we still using such a stupid-ass term like "zero day" to
describe these things?


You're assuming that the exploit itself does exist and is operable in
the same way on a win-9x/me system as it is on an NT system.  Many
exploits are not workable across platforms like that.  And unless the
exploit is "leverageable" against win-9x/me, then it doesn't matter if
your payload will run on those systems.  It's quite common for these
exploits to just crash a win-9x/me system in unpredictable ways instead
of being able to reliably, consistently leverage them.


Back during the time when Win-9x/me were still in very common use (2000
- 2005) the number of exploits and vulnerabilities for win-98/me were
extremely low compared to the number of exploits being listed for win-2k
and XP.

Go to secunia.org and look them up.  I've posted the numbers before, and
it's very embarrassing for XP.

So your argument that "nobody writes exploits for win-98 today" doesn't
wash when you wind the clock back to a time when they were the dominant
OS being used in the home and SOHO.  The truth is that win-98/me were
(by an order of magnitude) less vulnerable to remote exploitation and
control as NT-based OS's continue to be.

Win-9x/me was NEVER vulnerable to network worms, for example, while
NT-based Windows has been hit by at least 6 different worms over the
years.

Many of the IE-based exploits discovered and patched between 2001 and
2006 were never found to be operable against win-98/me systems, and
Micro$haft's own KB bulletins at the time failed to mention win-98/me as
applicable or subject to the bulletins.

Re: So what's the deal with the warnings about JAVA ???

Virus Guy presented the following explanation :

Just because *you* do not understand something, does not mean it is
stupid.

Think Java!!


You still neglect that the so-called count includes privilege
escalation exploits which are meaningless to Win9x because it *has no
security* to begin with.

Hogwash!!

More of the same!!

You still don't get it, they weren't written for that ageing OS. An
exploit can be successful even if the payload isn't able to run.



Re: So what's the deal with the warnings about JAVA ???

FromTheRafters wrote:

<bigga-bigga-snip>

Hey FromTheRafters, we should all give poor Virus Guy a break. He's so
happy with his 15-year-old operating system, and his last-millennium
thinking that we should let him be happy with his thoughts.

On the other hand, it's when he tries (like in this thread) to convince
*others* to regress to the stone age that it gets my attention. Then,
someone needs to step in and let 'im have it. Nobody else save him gives a
shit about Windows 98.

--
   -bts

Re: So what's the deal with the warnings about JAVA ???

On Saturday, January 12, 2013 9:26:44 AM UTC-5, Virus Guy wrote:

perhaps because it's become entrenched and we don't have anything better.


i guess the fact that *JAVA* (rather than windows) is the platform is lost
on you. the exploit doesn't have to be workable across platforms because
windows is not the platform. the exploit runs inside java. the OS running
java only enters into the picture when running the payload or if the
vulnerability happens to be in the interface layer between the OS and the
JVM.


you're still not getting it - if a java exploit crashed the system then
it's not the exploit but the payload. if it were the exploit it would have
only crashed java itself.


that's because 2000-2005 was already past win9x's time. win2k and winxp
were the 'current' versions of windows at the time, that's what people
focused on.

[snip]

WTF? i know you saw the word "today" in there because you copied and
pasted it. i'm talking about *TODAY* not a decade ago. wake up and smell
the coffee, rip van winkle.


you are deluding yourself if you think they were dominant in the 2000-2005
time frame.


as has been stated by others, counting vulnerabilities is a natural way to
measure security if you're a dumbass.


this is false. win9x was never vulnerable to a *specific type* of network
worm (the type that exploited vulnerabilities in network related services
that win9x didn't have in the first place) but there were other types of
network worms that simply copied themselves to poorly protected shares and
those did affect win9x systems.

[snip]

again, you need to learn to distinguish between the exploit and the
payload. and you need to stop living in the past - why would people write
exploit payloads for non-current (even in that time frame) versions of the
OS?


it's not always clear exactly which versions are affected. for example,
there's debate about what versions of java are affected by this most
recent 0-day. apparently there's reason to believe it may go back all the
way to version 5.
http://isc.sans.edu/diary/Java+0-day+impact+to+Java+6+%28and+beyond%3F%29/14917

Re: So what's the deal with the warnings about JAVA ???

On Saturday, January 12, 2013 4:14:00 AM UTC+2, Virus Guy wrote:

Why do you want to play with fire?  Read the below...ironically I just
installed (manually) this version yesterday.  For some reason the Java
updater was not working...it's possible that my Microsoft Security
Essentials flagged this version of Java as a virus and would not let it
upload, so I had to manually install it?

Anyway, my Firefox browser is blocking its use as I type this...it will
not run.

RL


http://www.usatoday.com/story/tech/2013/01/11/homeland-security-disable-java-security-vulnerability/1828011/

Java has experienced a number of exploits in the past few months, followed
by a few months of silence. However, recent updates to a number of exploit
kits have revealed that new holes exist in Java 7 Update 10.

A researcher going by the name @kafeine spotted the exploit in action on a
site that they claim receives "hundreds of thousands of hits daily".
Looking at the HTTP GET requests and their related headers, kafeine shows
how a number of sites using the exploit are able to download files
directly to the victim's machine, and execute actions such as installing
ransomware.

According to the researcher, the exploit is already being used in the Cool
EK, Nuclear Pack, Redkit, Blackhole, and Sakura exploit toolkits, making
it easy for criminals to deploy and make money

Re: So what's the deal with the warnings about JAVA ???

RayLopez99 wrote:
 

http://javatester.org/

=====================
There is yet another (in a long line) of Java security flaws. Java 7 is
vulnerable to this latest bug, Java 6 is not (jury may still be out on
this though). Thus, the advice I offered back in August on my
Computerworld blog, still applies - if you need Java, go with version 6
on Windows.

OS X users running Snow Leopard are safe, as Java 7 is not supported. OS
X users running Lion and Mountain Lion with Java 7, should disable Java
in their browsers. To that end see How do I disable Java in my web
browser? from Oracle. Everyone should see the section below on whether
they need Java in the first place.
======================

So here we see (again) that old is better than new.

Java version 6 *probably* does not have this vulnerability.

Java 7 update 10 is the latest variant of version 7 (released December
12 last year).

Java 6 is still supported by Oriface (at least until Feb this year)
although that date has been moved back at least once before, and may
very well get pushed back again).  The last update for version 6 is 38
(also released on Dec. 12).

I'm running version 6 update 30 on this win-98 system.  I've tried to
install newer versions but have had some problems getting them to
install.  KernelEx api helper allows win-98 systems to run JAVA version
6.

Re: So what's the deal with the warnings about JAVA ???

On Fri, 11 Jan 2013 21:14:00 -0500, Virus Guy wrote:


Maybe you shouldn't worry about Java. Support for W98 was dropped in
2006.

--
s|b

Re: So what's the deal with the warnings about JAVA ???

s|b wrote:
 

By the time that "support" (if you want to call it that) for win-98 was
dropped in the summer of 2006, Secunia.org listed a whopping 33
advisories and 22 vulnerabilities for win-98.

At the same time, there were over 200 vulnerabilities for Windows XP -
with some "critical" vulnerabilities not patched.  Today, there are over
400 advisories and 560 vulnerabilities for Windows XP.

So I can understand this concept that many windoze users have regarding
its perpetual state of support in terms of vulnerability and security,
and your failure to understand how and why this dire issue of support
never bled over into win-9x/me - because they were better by design.

Because Microsoft's motto is ->

"If it works, it's not complicated enough".

That motto is what drives Micro$haft to instill ever higher levels of
bloat and complexity with each new version of Windoze.

With bloat and complexity comes vulnerability.

Windoze NT (and its offspring) -> code made from the finest, most
expensive threads, intended to tantalize the masses like the emperor's
new clothes.

Re: So what's the deal with the warnings about JAVA ???



Virus Guy wrote:




XP still works fine for all my needs.
And the nice part is none of the hackers seem to bother writing viruses for
it anymore



OT: Windoz (was - Re: So what's the deal with the warnings about JAVA ???)



snip...



Oh so true.  Especially the 'bloat and complexity' comment.

I use WinXP SP3 on my desktop system, but I also have a Ubuntu (Linux)
laptop.  Linux IS the better operating system; lean, fast, and mean.

Just as one example:  If I turn on my WinXP desktop first, then my
Ubuntu laptop, my laptop is ready to use while my desktop is still
loading (Win Desktop NOT fully ready to use), and the hardware for my
systems is comparable.  'Lean' = Linux uses much less resources than
Windoze.

Windoze is 'on top' ONLY because of the early marketing scheme that
made users (non-techies) habituated to Windoze.



--
=========== Tecknomage ===========
   Computer Systems Specialist
         IT Technician
           (retired)
         San Diego, CA

Re: So what's the deal with the warnings about JAVA ???

Virus Guy presented the following explanation :

I don't know, I just heard about this on the news. I had to laugh when
they said it only affects PCs and everyone should disable Java.

When you find a POC, you'll have to look for a different output event
from the payload provided. You'll need to see that the "exploit" worked
even though the "payload" didn't.



Re: So what's the deal with the warnings about JAVA ???

On Sat, 12 Jan 2013 13:50:17 -0500, FromTheRafters


WRONG

Today we cannot do without JAVA in some form.  It is used by almost all
WEB sites, therefore your browser needs it.  It is used by many
applications, like Libre Office suite which I use on my WinXP SP3
desktop and Ubuntu (Linux) laptop.

Then there's devices (SmartPhones, etc.) that run JAVA.


But JAVA is like ANY other app or OS, it will have holes that must be
plugged.



--
=========== Tecknomage ===========
   Computer Systems Specialist
         IT Technician
           (retired)
         San Diego, CA

Re: So what's the deal with the warnings about JAVA ???

Tecknomage wrote:
 

I run Interactive Broker's "Trader Workstation" platform and it uses
JAVA.

A lot of websites that give real-time graphs of the financial markets
also use JAVA.

Many IP web-cams use Java to stream video to mozilla-based browsers (or
they use activex to stream to Internet Exploiter).

Re: So what's the deal with the warnings about JAVA ???

Virus Guy brought next idea :

Many of my workplace's computers use Java applications and applets.
They're all PCs, but that's not the point. Java is a very widespread
cross-platform virtual-machine based system. I just updated my Java,
perhaps the zero-day is no more.



So what's the deal with the warnings about JAVA ???

+ User FidoNet address: 1:3634/12.42

 F> Many of my workplace's computers use Java applications and applets.
 F> They're all PCs, but that's not the point. Java is a very widespread
 F> cross-platform virtual-machine based system. I just updated my Java,
 F> perhaps the zero-day is no more.

ALL versions of Java 7 thru Update 10 are affected... don't guess... research
and find out for sure...

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: So what's the deal with the warnings about JAVA ???

mark lewis wrote on 1/15/2013 :

It doesn't matter, it either is or it isn't. If they have issued a
patch, it is no longer zero-day.  My machine should seem vulnerable to
the exploit, and the work computers are administered by an outsourced
IT company - not my responsibility.



Re: So what's the deal with the warnings about JAVA ???

FromTheRafters wrote:
 

Then what kind of "day" is it?

What does the availability of a patch have to do with what kind of "day"
vulnerability it is?

Is it (or was it) a zero-day vulnerability, or a zero-day exploit?

Aren't systems that haven't been patched still vulnerable?  And if so, is
it "day zero" for them?  Or maybe "day one" ?

Re: So what's the deal with the warnings about JAVA ???

It happens that Virus Guy formulated :

Zero-day is just a way of saying it is "fresh" and not yet dated
(nullified). There is no zero-day if the patch is out before the
vulnerability is exploited (like Blaster). Malware that is perhaps not
exploit based has a zero day that ends when antimalware definitions are
distributed to end users. You can't end a zero-day for exploits by
making such a definition, you have to fix the broken software.


