FedEx Will Pay You $5 to Install Flash on Your Machine
We certainly hope that FedEx shows more concern over the safety of its drivers and pilots than it shows to customers wanting to order printing online.

FedEx is making you an offer you
iCub the Open Source Robot
It occurs to us that the iCub might be the perfect companion for an only child. Probably cheaper in the long run than a little brother or sister, and it can be turned off at night.

The Screening Room

Linux Action Show to End Eleven-Year Run at LFNW
Six more episodes before the popular Linux podcast, Linux Action Show, ends its nearly 11-year run in a live broadcast from LinuxFest Northwest.


Jupiter Broadcasting's long-running
No, Evil Hackers Aren't After You
Humankind has outgrown the need to have monsters hiding under our beds. Now we let them hide in our phones, computers and microwave ovens.

Roblimo's Hideaway

OMG! I think I see a giant camera lens on
Four Things a New Linux User Should Know
When you move from "that other operating system" to Linux, you're going to find that in most ways you'll be in familiar territory. However, that's not always the case. We sometimes do things a little differently
Should the U.S. Army Have Its Own Open Source License?
Should the U.S. armed forces begin releasing software under an OSI approved open source license rather than as public domain?

Roblimo's Hideaway

This question has generated many pixels'
GitHub CEO Chris Wanstrath on Open Source
Did you know that the software Stephen Hawking uses to speak is open source and that it's available on GitHub? Neither did we.

The Screening Room

At the Computer History museum, GitHub CEO Chris
January 16th, 2013

Java Still Isn’t Safe – Possible New Vulnerability

I was just guessing on Monday when I said that the Java security patch pushed by Oracle on Sunday was “too little too late.” This appears to have been a lucky good guess on my part, as word is out now that the Java browser plugin still isn’t safe.

At least that’s what Brian Krebs is reporting on his blog Krebs On Security. Evidently there’s a black hat on a hacker forum who’s offering-up info to two buyers on a new vulnerability in the latest and greatest version of Java (that would be version 7, update 11) for the sum of $5,000 each.

Krebs published a piece of the hackers sales pitch, which is an interesting look at the underbelly of the Internet for those of us who don’t ever go there:

“…The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.”

The black hat goes on to say he’s already found one buyer and he’s looking for a second, then explains what the 5K buys:

“…What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. …”

The second buyer has already been found, Krebs assumes, as the reported thread has already been deleted from the forum.

There’s no word on what can be accomplished using this exploit, or if this exploit even exists, but why take chances? As I wrote on Monday, most people don’t need Java to surf the web. You’re better off without it. Even when it’s fully patched with no known exploits, that just means you’re waiting for the next exploit to be discovered.

The Internet is insecure enough already as it is without adding another layer of insecurity.

The following two tabs change content below.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

1 comment to Java Still Isn’t Safe – Possible New Vulnerability