
Days since last known Java 0-day exploit - anon1385
http://java-0day.com
======
peterwwillis
<http://istherejava0day.com/> should really link to the 0days for reference.
just saying "there is a 0day" with no details is pointless.

------
Wilya
Is navigator.javaEnabled() (used in this page) accurate? I deactivated the Java
plugin in Chrome's about://plugins (and restarted everything just to be sure),
and it still returns true. Did I do something wrong?

~~~
mike_esspe
It's a bug (or feature) of Chrome:

<http://stackoverflow.com/a/13648431/507072>
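An added example, not part of the thread or the site's own code: a check that does not trust navigator.javaEnabled() alone, assuming that an active Java plugin registers the application/x-java-applet MIME type in navigator.mimeTypes (the sample navigator objects below are constructed).

```javascript
// Added example (not from the thread): decide whether the Java plugin is
// really usable instead of trusting navigator.javaEnabled() alone.
// Assumption: an active NPAPI Java plugin registers the MIME type
// "application/x-java-applet" in navigator.mimeTypes.
const JAVA_MIME = 'application/x-java-applet';

function javaPluginActive(nav) {
  // javaEnabled() is the cheap check; a missing method counts as "no".
  const reportsEnabled =
    typeof nav.javaEnabled === 'function' && nav.javaEnabled() === true;
  // mimeTypes is array-like (MimeTypeArray) in browsers; copy it defensively.
  const mimeTypes = nav.mimeTypes ? Array.from(nav.mimeTypes) : [];
  const registered = mimeTypes.some((m) => m && m.type === JAVA_MIME);
  // Only report "active" when both signals agree.
  return { reportsEnabled, registered, active: reportsEnabled && registered };
}

// Constructed sample navigators so the check runs outside a browser.
const chromeWithPluginDisabled = {
  javaEnabled: () => true, // the behaviour observed in the thread
  mimeTypes: [], // a disabled plugin registers no MIME types
};
const pluginEnabled = {
  javaEnabled: () => true,
  mimeTypes: [{ type: JAVA_MIME, suffixes: 'class,jar' }],
};

if (typeof navigator !== 'undefined') {
  // In a real browser, inspect the live navigator object.
  console.log('this browser:', javaPluginActive(navigator));
}
```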

~~~
revelation
Someone should really spend a second thinking about what use that API with
that behavior is to developers. And then not implement it anyway, _because
it's not in the spec_.

~~~
yuhong
I think it dates back to when Netscape had built-in Java.

------
X-Istence
Damn, I created <http://isjavavulnerable.com/> two days ago :-(.

~~~
icambron
Yours is better, FWIW

------
a1a
We have a "space" on the blackboard that's reserved, in the security class
I'm taking. It's commonly known as the "Java 0-day calendar". Everyone thought
it was funny at first. Yet, lately the professors have started whining about
not having enough space left for their lectures. Yeah, now it's basically just
sad.

------
bra1n
I don't get why it's called a "countdown", when the counter on the page
clearly intends to count _up_...

Edit: original page title is "Java 0day countdown".

~~~
eksith
"Down" sounds sexier than "up". Also there's a connotation of impending...
er... something with a countdown vs. count-up, which I guess makes sense for
the anticipation of another vulnerability.

------
free652
All browsers were compromised last Wednesday (except Safari on ML)

<http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/>

~~~
fjarlq
Safari wasn't.

Also, nobody compromised Safari at Pwn2own last year.

~~~
officialjunk
Probably because they are saving those Safari bug bounties for iOS:
<https://twitter.com/i0n1c/status/309585202810867712>

I highly doubt it was because no one could pwn Safari.

~~~
fjarlq
Interesting perspective.

Charlie Miller teased about it and a conversation involving i0n1c ensued:

<https://twitter.com/0xcharlie/status/310018569058525184>

------
csense
What about Java is so exploit-prone?

I always thought that, from day one, it was specifically designed to run
untrusted code downloaded over the network in a secure sandbox. Java's over 15
years old and has always had the backing of a major company, so it's not like
these are the growing pains of a new technology.

~~~
rachelbythebay
You might ask the same thing about Flash. You'd think that after the first
_dozen_ or so releases with gaping holes that they'd take a step back and
rethink things.

I came up with a hypothesis about this kind of stuff not too long ago. Once
your product becomes sufficiently crappy, nobody in their right mind will want
to work on it. Good people will leave to get away from it. The project gets to
a point where the badness "rubs off on you". Anyone who cares about their
reputation will run from it.

Obviously, you can't write code without developers, so you start scraping the
bottom of the barrel to get anyone who will work on it. You get people who
don't care about their reputations and/or quality and are only there for a
paycheck. You get green people fresh out of school who think everything is
always nice and happy, and haven't been beaten down by the harsh reality of
the industry yet.

The bozos got to the project, and broke it. Once that happened, the only
people willing to work on it are more bozos (and the unfortunate ignorant
folks who don't know any better).

I dubbed it "The Bozo Loop". I originally only intended for this to describe a
specific situation (Flash), but since then it's become quite clear that it can
extend to Java and many other things.

~~~
csense
If they're both similar in this way, why did Flash win, or at least stay
alive, while Java lost, to the point where most people can be told to turn it
off and won't notice the difference?

~~~
mattmanser
Only way to watch a video

~~~
solistice
HTML 5 video?

~~~
robryan
We are only just now hitting the point where you could use HTML 5 video only
for a broad reaching consumer site. Once this is no longer an issue flash will
probably drop off a lot more.

I assume only having up to IE8 on XP is going to be an issue to full html5
video adoption for some time yet.

~~~
solistice
I just found out from W3S that there's still 19.1% of users using XP. I see
where that could become problematic.

------
lrobb
Days since a sizable number of hacker newsers confused java the language with
the jvm with the browser plugin: also 0

~~~
GhotiFish
HA!

<http://gcc.gnu.org/java/>

Personally I didn't think a project like that existed until you mentioned it.

------
hakaaaaak
Someone needs a similar site that contains the 0-day for not only Java, but
everything: languages, frameworks, jars, gems, projects, etc. For example, how
about one for each currently maintained version of Rails, IE, Firefox,
Chromium/Chrome, Opera, Safari, Windows, Linux, OS X, etc. Just a big sortable
grid for each category type with name, days since 0-day, and a link and/or
description of the last vulnerability, with another link to list all reported
vulnerabilities and links to reports. That would be awesome.

------
blablabla123
At home I have often used not fully patched Windows systems and not fully
updated browser/plugin stacks. Oh, and Java and Flash are always activated.
This is the Windows 7 dual boot on my laptop. When really bad news arrives
(HN, other tech news) I do updates or take other precautions like avoiding crappy
web sites, MSIE, etc.

Until 2 years ago I even had a Windows XP VM with a broken update mechanism and
IE6 which I used frequently.

And guess what, nothing ever happened. But speaking for myself, I will keep
Flash and Java activated for another few years. I'm no security expert, but my
explanation of why this works is this: I don't install any toolbar; in fact I
have only the bare minimum of Firefox add-ons. (Why don't they allow me to
uninstall the MS Office Live plugin anyway? Or this Ubuntu thing?) I hate to
install software on Windows, and if I do, I really make sure I understand what I
install and how trustworthy the vendor is.

Two relatives of mine have been infected with some spam botnet thing more
than once. Their systems were like 90% patched, but they were vulnerable
through toolbars. (I think in both cases it was the Yahoo Toolbar.)

This is certainly not meant as general advice, but I guess the lesson is that
being minimal and careful is as valuable as keeping your system patched. Oh,
and yes, I do always have an up-to-date virus scanner.

------
darkchasma
So it's a static website? ;)

~~~
yakiv
Can't be. Has to say "0" sometimes.

------
aj700
I've given up trying to keep OS X Java up to date. I can still use LibreOffice.
I just keep the plugins disabled in the browsers. Oracle has made it, or
rather left it, unusable.

------
CodeCube
Interesting thought ... have there been any _high profile_ Windows OS
vulnerabilities in recent times? I mean, I'm sure there are, there are still
tons of patches rolled out on a regular basis. But they're not getting nearly
as much media focus as they once were; at least, not in any media that I'm
consuming.

Is it a case of the OS now really being way more secure than it once was? Lost
interest by malware writers? A bigger focus on vulnerabilities in specific
products (i.e., browsers)?

~~~
EvanKelly
MS12-063 was an IE exploit on XP, Vista, and 7. Though not specifically an OS
vulnerability, it's a pretty big one.

MS08-067 was certainly the go-to XP exploit for the longest time. I still find
computers vulnerable to that nearly 5 years later.

Disclaimer: I only dabble in security and am basically limited to metasploit
for my knowledge, so corrections are welcome.

------
Legion
Are there any more sites like this, for other languages or frameworks? This
and others like it would be a great addition to our chatbot's morning news
update. :)

~~~
lawnchair_larry
About ten years ago, a guy named Thor Larholm used to maintain a page of
unpatched MSIE vulnerabilities. Anyone could go there and read about 20-30
vulnerabilities currently exploitable at any given time.

Check wayback for <http://www.pivx.com/larholm/unpatched> around 2002 to see
some samples.

In those days, browser exploits were not really seen as something of value.
Everyone thought, "You have to trick the victim into visiting your web page?
Pff". That's when hacking was still done by silently hitting vulnerable
services, with no user interaction. Crazy how times have changed...

(Sorry, not what you were asking for, but reminded me of that page.)

------
gph
>Has the counter ever reached ten days yet?

Should remove either the "ever" or "yet" from that sentence. Unless it's a
redundancy feature :D

~~~
tobyjsullivan
Has the counter ever reached ten days? Not yet.

There! All fixed.

------
benmmurphy
Beware: click-to-play, as recommended by this site, is not a security feature
in Firefox or Chrome. In Chrome you want to use 'block all'.

------
tobyjsullivan
As data is collected over time, I would love to see this plotted on a graph.
Mostly for purposes of hilarity.

~~~
solistice
It'll just look like a sawtooth wave.

------
yati
Do the OOP/Java courses still teach students that Java is "secure"?

~~~
ZoFreX
Java the language is not insecure, nor is having the JVM installed. The issue
comes from the Java browser plugin, which has been a security disaster to the
point that it's being disabled in browsers automatically.

~~~
yati
People are taught (even I was) to believe that if you embrace Java, you
no longer have to worry about security, without being told what kind of
security problems are alleviated by Java. And Oracle has proved itself highly
inefficient when it comes to responding fast with patches.

------
j45
Why just Java plugins for browsers and not other things?

------
swalkergibson
Is there an API? ;)

~~~
Natsu
Nah, all you need to do is have a number that alternates between 1 and 0 and
it'll be close enough for all practical purposes.

------
martinced
Sun used to go after companies using "Java" in their names. Even events
haven't been spared: Javapolis (in Belgium), where even Gosling came to speak,
got renamed "Devoxx" due to trademark issues.

I somehow doubt that the French person who registered java-0day.com is in
compliance.

The idea isn't bad, but it's a bit sad that everything is put together: mixing
Java applet exploits with server-side exploits and with regular client-side /
Java desktop exploits.

~~~
xradionut
If they're forced to change the domain name, a hexy alternative might be:
BADC0FFEE

~~~
throwawayG9
Nice pun. For those who don't know, Java took its name from a café's name or
something like that.

~~~
solistice
Java took its name from the Java coffee bean, which the original team
slightly overindulged in. I imagine it went like this. "What should we call
this?" _one of the devs looks around_ "Java"

