Yet another Java zero-day exploit

[SpywareDr]

Another Java zero-day exploit in the wild actively attacking targets

Quote:

Latest attacks used to surreptitiously install McRat trojan on victim machines. by Dan Goodin - Mar 1 2013, 11:10am EST Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night. The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. The attack is triggered when people with a vulnerable version of the Java browser plugin visit a website that has been booby-trapped with attack code. FireEye researchers Darien Kindlund and Yichong Lin said the exploit is being used against "multiple customers" and that they have "observed successful exploitation." The security of Java is reaching near-crisis levels as reports of new in-the-wild exploits have become an almost weekly occurrence over the past few months. [...continues...]

[David M]

I'm glad I deleted Java and Flash from my computer. In the two months I have been without it, I have found that I do not really need either. Hopefully HTML 5 will become the more secure standard.

[SpywareDr]

Proof-of-concept site FillDisk.com manipulates the Web Storage standard included in the HTML5 specification. As its name suggests, it loads an almost unlimited amount of data onto hard drives. It requires no user interaction and works with Google Chrome, Internet Explorer and Safari. According to Feross Aboukhadijeh, the Web developer and computer science grad student who created the site, it was shown adding 1GB of data every 16 seconds on a MacBook Pro Retina equipped with a solid state drive.

[Force Flow]

After the last few months of Java security issues, and corrupted installs on about 1/3 of the workstations I've deployed Java to (using group policy), I've changed my tune about Java.

1) I uninstalled Java from all the workstations at work.
2) I've found that there have been no complaints about it, as none of the business applications use it, and for the webinar applications that do, there are alternatives anyway.
3) If I actually do need it to be installed somewhere to support a software application, I make sure the Java browser plugins are disabled.

Quote:

Originally Posted by SpywareDr Proof-of-concept site FillDisk.com manipulates the Web Storage standard included in the HTML5 specification. As its name suggests, it loads an almost unlimited amount of data onto hard drives. It requires no user interaction and works with Google Chrome, Internet Explorer and Safari. According to Feross Aboukhadijeh, the Web developer and computer science grad student who created the site, it was shown adding 1GB of data every 16 seconds on a MacBook Pro Retina equipped with a solid state drive.

Yep. I expect this exploit will be addressed soon, though.

[SpywareDr]

Yep, I'm sure it will. Cat and Mouse continues ...