If you have a Mac or PC and Java installed, watch out

http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/

:tspry:

And now the exploit code is out there also for everyone

Java is the most insecure and exploited plugin out there. Also their installer blows asstits.

75% of people who browse the internet have Java enabled, 0.2% of web sites use it as a client technology, and 2 million machines are exploited with it every 3 months.

A lot of computer vendors will use it (Nvidia I think) for automatic detection for drivers/software. Intel also uses it. HP however uses ActiveX. We also have sites students use that require Java to load applets.

Caught wind of this earlier today. Pain in my ass.

Nvidia http://www.securityweek.com/researcher-unwraps-dangerous-nvidia-driver-exploit-christmas-day

You should probably avoid Adobe Flash and Adobe reader also :lol:

and avoid the following with iMessage and IIRC your browsers too: File:slash slash slash

*replaces slash slash slash with ///

Aren’t they supposed to install in my system32 folder?

http://farm8.staticflickr.com/7211/6972524238_69d1d810b4_z.jpg

Come on man, those programs are super secure. They update them almost daily. :wink:

The real fucking issue is instead of writing more secure code all of these companies go "let’s use ASLR, DEP, and sandboxing", which just makes it harder to write successful exploit code.

All that did was buy them a few years till the hacker community/everyone else caught up with techniques to circumvent those technologies.

It’s the same shit with Microsoft: every new OS release includes more bolt-on security features, but it never fixes the shitty code to begin with.

If you’re interested in this stuff, a good 30 min video on code audit/etc: https://www.youtube.com/watch?v=8gV0rug2u1E&list=PL272864B2BA593715

I’ll play devil’s advocate.

Fixing millions of lines of shitty code is a DAUNTING task. Especially when it’s some code you bought from a half-ass startup. Of course every company would love to be able to comb through it all and fix it. The reality is that much of that effort gets put on the backburner for various reasons. They have customers demanding vague and unobtainable features at the same time as limited resources (FTEs) to write all the code. Some companies are worse off than others. Oracle and Adobe are failing pretty badly right now, but eventually they’ll be out of the spotlight and another company will be in their shoes learning lessons the hard way.

Software will never be 100% secure, for both business reasons and technical reasons. ALL IT professionals need to understand this and need to understand what they can do to bring down the risk and limit the exposure.

There was a Java 0day every other month last year.

This resulted in breaches of Fortune 100 companies, defense contractors, and millions of home PCs.

Adobe Reader got a good year out of their sandboxing technology. 2 years ago there was a 0day every month… Instead of using this time to do a deep dive and audit their code base they did nothing, and new 0days will continue to show up.

The mindset of many of these companies is "why hire quality talent when I can buy some 100k piece of code auditing software and fix all the bugs that the software finds." The guy in the video I posted went to an extremely large company to follow up on a breach they had. After days of them refusing to give him 100% of the source code, they finally came out and said "we have all the same software auditing tools you guys have, you won’t find any bugs", then asked what software he used. He responded with vi… After some laughs about only using a text editor they ended up giving him the code, and within a few hours he came back with 20 bugs they could start fixing.

Companies that understand security (Google, PayPal, etc.) offer bug bounty programs where they let the public help audit their sites/code and then give payouts for bugs found, and this is in addition to highly skilled and qualified security teams working on their products.

It’s to the point where Fortune 100 and other companies are making moves towards eliminating the need for Java completely, along with Flash and other products.

Do you think enough quality talent exists?

So many companies struggle with writing secure code. I’m sceptical that we’ll ever have enough people trained and in the job market to stay ahead of the bad guys.

Most companies do focus on buying software based solutions because they tend to work faster and create prettier reports in less time.

There is no way that me and my small team of peers could manually do vulnerability assessments without such tools. I can’t pore through netflow logs, nmap scans, security logs, source code etc… data fast enough to have any real impact on security posture. It would take a massive team.

What the executives fail to realize is that there is a trade-off to automated software. The trade-off is in the quality. False positives, false negatives, NOISY results, etc…

It’s all in the culture though. A lot of people don’t understand the impact and the risks (at a technical level) and executives are CONSTANTLY battling the balance of security spending versus business value. If I’ve got to spend 2 million dollars to secure 1 million dollars worth of sales, then what’s the point of being in business? (I know that’s an exaggeration, balance does exist as some companies are able to prove)

Getting it right is hard work and it’s expensive. If your margins are high, you’re probably in better shape to make it happen. If you’re a startup with limited funds and FTEs, you better not piss off the wrong hacker. I’m not trying to make excuses, I just hate to see people blasting out blame without understanding both sides of the game. If it was as easy as some people sarcastically make it sound, it would already be done.

So it’s two separate issues:

Secure code coming from major vendors

Securing computer environments based on business needs/risk

On the secure code side there is no reason the bar can’t be raised even higher if you’re the primary vendor in that space. People will find alternatives or your product will get pushed out of the market. Hell, Apple is disabling Java in their updates and major companies are filtering JAR/Java on their external proxies with minimal whitelisting for critical apps.

The lack of companies like Adobe taking things seriously screws the average home user who doesn’t have the time to make sure every 3rd party product is patched on a daily basis, and now credit card companies, banks, and everyone else are stuck paying for it.

The security program of a company is a completely different situation and you need to weigh the risk/cost benefit. It sounds stupid but most places don’t follow the free industry best practices guides put out, or align themselves with a security standard like NIST/NSA. Companies that take the time to build a secure desktop image and include Microsoft and other best practices tend to do best when it comes to pentests/audit. Companies that decide "we want to go buy this new magic box that keeps us safe" and forget the basics tend to get destroyed in pentests, which is funny because the majority of the basics are free and take little time to implement.

I enjoy discussing this stuff since it’s what I do all day. Sucks you don’t live closer.

Secure coding is a security program just like any other. I don’t view it all that differently. We have a lot of security programs and you would be surprised how similar they each are to execute.

You’re right on the money with the security standards. If you do it right the first time, it’s super easy. Gets more difficult as you shift from insecure desktop to standard desktop, but that’s not a cost, it’s a culture shift. Good management can fix that.

Shiny box = false sense of security

Also, as someone who is responsible for pushing out updated software via SCCM to computers, it isn’t feasible for us to build, test, and update packages for every release that Adobe does. Their own distribution model doesn’t even allow for it. It’s fucked up how that works.

Good point. We don’t use SCCM, but we have a competitor’s solution. Coordination and testing takes time. We have a lot of applications that depend on specific versions of Java and Adobe products, so it sucks doubly to have to test them all.

If it makes you feel better, over the past year and a half: 99% success rate on internal pentests, most of the time not even using exploits.

On externals that include webapps it’s something like 40-50%, and if we include phishing it pushes it back up to the upper 90s.

And this is regardless of the size of the corporation, and even if they have a whole floor of security people.

Usually we spend more time on remediation strategies with the companies than trying to get in.

Altiris? (sp?) Java also sucks huge balls to automate. There is NO WAY to easily remove previous versions and install a customized (we disable the updater) version.

We have applications that are written in VB6.