Java 0Day

Hey all. So quickly about myself I have a background in security and make a living implementing and monitoring security for enterprise networks. Which brings me to this lovely summary of the recent security panic attack: http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/

So ya. It is something to be aware of since everyone here clearly uses Java :stuck_out_tongue:

Quick version is patch now. Right now. WHY are you still reading this sentence?! Go! Patch!

The other thing is that such exploits and vulnerabilities may have a ripple effect on people's usage of Java in general. Aside from Adobe, one of the more commonly exploited things is Java. And given the extremely volatile nature of attacks at this point it may be something that people want to keep in the back of their mind.

Anyway, interesting read, and the articles at the bottom shed some more light onto the entire issue if you want more details.


Oh. Annnnnnnnnd in case ya don’t want to read the article fully or the links therein, here’s a bullet form of what it is, what it affects, etc.

Q: How is this exploit exploited?
A: Java embedded in websites. NOT JavaScript, just to be clear, but Java. To clarify, this is exploited THROUGH browsers, not by native Java applications.

Q: What version of Java?
A: Version 7 primarily… Possibly others. But they’re not sure. Wonderful eh?

Q: Pffft! I run Linux/OSX I’m safe right?
A: Ya. No. Sorry. It has a good chance of injuring you as well.

Q: What’ll it do to me!?
A: Well you could essentially be giving full control of your machine to someone else.

There’s a lot more complexity to it than just this, but this is the high level overview of what this is and what it can do. To guard against this the current recommendation is to disable Java in your browser entirely. So for those of us that want to make the game an in-browser game this may be a bit of a concern, as then the people that want to play your game might not be able to. So having a downloadable client MAY be the way to go with this.

Food for thought.


I got really bothered by this part:

Some of the core devs have been playing with GetDown as an alternative to Applets/Webstarts, but with varying results. Personally I really want to see a Java API for Native Client, but that could be a pipedream.


Ya. I’m sadly not entirely surprised. A lot of companies have a rather bad habit of aiming for features first and security an extremely distant second when it comes to any sort of development.

Dude, you are using a computer, you know that everyone that truly wants to has access to your information. Companies like Google, Microsoft and Facebook have your life in their database and you don’t mind it, but some idiot hacker that at maximum is going to use your computer as processing power for him to attack websites, maybe steal some money from your account (you’ll get a refund anyways), gets full attention.

Java applets are as bad as Flash.

Oh. Don’t get me wrong. I’m not saying that any piece of software out there is bullet proof (especially Adobe Flash. Sheesh…). Plus getting at “your information” is borderline inconsequential nowadays, spookily enough (a fair example is how effective the whole “I’m a Nigerian Prince that’s down on his luck” scam is to this day). The new things making the rounds are targeted attacks on SCADA hardware (i.e. the targets of “Flamer” were Iranian centrifuges for processing nuclear fuel. The virus successfully took down 5000 of these.), acting as a proxy for other users (recently Chinese hackers have decided to essentially force their way around government firewalls by using proxies [not bad in and of itself] without the users’ knowledge [there’s the bad bit]), etc etc etc.

Privacy online is almost laughable in this day and age for a good portion of the population. I’d even go out on a limb saying that there’s probably less than mmmmm 5% of the population of “netizens” (UGH. I hate that word) that have a good grasp of what happens with their data online, or even what their footprint of information actually is.

Some of the wacky stuff I read daily on the latest and greatest threats out there is simply astounding; what people can do when they put their minds to it. Aside from that, this was just a “heads up” and a quick breakdown of this latest threat that happened to utilize our tool of choice. Not a huge social commentary. :slight_smile:


@shirkit The companies you mentioned are being scrutinized in the news every single day. I haven’t seen this exploit getting any more attention than the usual hacker news.

Point is that bad publicity for Java is bad publicity for Java-based games, and we ought to be prepared with knowledge about the issue when prospective users and investors express concerns, whether they’re valid or not.

Gladly we have JavaFX, and most users won’t ever know they are running Java in their machines.

And it’s important that this continue to be reframed as a “java in the browser” problem and not a Java in general problem. Public perception is fickle.

@shirkit said: Gladly we have JavaFX, and most users won't ever know they are running Java in their machines.

Hell, a lot of users don’t even know what version of Windows they’re running (if ya run Windows, that is).

But even JavaFX isn’t bullet proof in this department: CVE-2012-5083 : Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Up. Nothing’s perfect and all, naturally. But the reason I brought the initial article to light is that this one has been punted out by US-CERT, so it’s bound to get tossed around on the news a bit (or maybe not) and probably reported on inaccurately, which won’t help issues or trust in Java at all.

@pspeed said: And it's important that this continue to be reframed as a "java in the browser" problem and not a Java in general problem. Public perception is fickle.

THIS!

Well, whatever. At least Opera has had, since ancient versions, a plugins-on-request option: instead of loading ANY kind of external plugin it just displays a placeholder till you specifically activate it. For 99% of the issues with using a 1px div with an invisible applet etc., the problem is solved by that alone.

Chrome does that as well. This site wants to run Java, do you want to allow it?

Does anyone know if these vulns can bypass that as well somehow or is it safe unless you enable java on the site?

There sure is a massive fuss about this exploit. I do not really understand why, though. It took Oracle 4 days to patch, and while someone out there does have the source code for this exploit, it would take a lot of effort to efficiently distribute a virus containing the exploit through websites. Most likely only a few teenage boys visiting dodgy websites after their parents have gone to bed would be affected? Or am I wrong?

I mean, my bank has advised people to turn off Java when they do not need it for accessing net-banking, which I thought was much of an overreaction. I hardly think that is necessary as long as you don’t venture to the darker corners of the internet, in which case you risk getting all sorts of malicious software. I don’t know if I am being naive here.

I am concerned about the public image of Java, though. But fortunately people tend to have the attention span of a hamster when it comes to these kinds of things; I bet people will have forgotten within 7 days.

Squirrel!

@zarch said: Chrome does that as well. This site wants to run Java, do you want to allow it?

Does anyone know if these vulns can bypass that as well somehow or is it safe unless you enable java on the site?

You should be fine as long as you set up IE, Firefox, Chrome, or whatever you use to not auto-run Java (which is the default for Chrome, so huzzah).

@nihal said: There sure is a massive fuss about this exploit. I do not really understand why, though. It took Oracle 4 days to patch, and while someone out there does have the source code for this exploit, it would take a lot of effort to efficiently distribute a virus containing the exploit through websites. Most likely only a few teenage boys visiting dodgy websites after their parents have gone to bed would be affected? Or am I wrong?

Very… VERY wrong. ON SALE TODAY, if you know where to go, people are selling exploit packs that have full documentation on how to bend someone’s computer to your will. Some of these start at around $10,000 a pop. And they’re making millions doing just this. One of the best pieces of software I have seen recently was for a variant of the Zeus botnet. For a mere $5000 you get the software, 24/7 tech support from Russia for a year, automated reporting (to show you how many you infected over the night with the botnet code), and much much more.

As with ALL things that can be bent to good or evil, people will find a way to make money at it. Or if you really want to start getting paranoid, the Flamer that I mentioned earlier was put together by the US Government or at least SOME government… But most likely the US and Israel… Flame (malware) - Wikipedia. FUN world we live in, eh?

Small edit: Flamer was for espionage, while Stuxnet was the one that targeted the centrifuges. Sorry.