Hacker News new | comments | show | ask | jobs | submit login
Days since last known Java 0-day exploit (java-0day.com)
291 points by anon1385 1657 days ago | hide | past | web | 81 comments | favorite

http://istherejava0day.com/ should really link to the 0days for reference. just saying "there is a 0day" with no details is pointless.

Is navigator.javaEnabled() (used in this page) accurate ? I deactivated Java plugin in Chrome's about://plugins (and restarted everything just to be sure), and it still returns true. Did I do something wrong ?

It's the bug (or feature) of Chrome:


Someone should really spend a second thinking about what use that API with that behavior is to developers. And then not implement it anyway, because it's not in the spec.

I think it dates back to when Netscape had built-in Java.

You can tell if Java is running in your browser by testing it here: http://www.java.com/en/download/testjava.jsp

I prefer: http://javatester.org/version.html

Tells you whether it's loaded, and what version you have loaded. No frills, no crap website.

It made me actually check and make sure that I had disabled the plugin. I thought I had already done it.

Same here. Appears to be disabled http://www.java.com/en/download/testjava.jsp

Returns true even though I have Click-To-Play enabled. Cannot decide if that is accurate or not...

That makes sense. If you have Click-To-Play you do have Java, so returning true is correct.

Damn, I created http://isjavavulnerable.com/ two days ago :-(.

Yours is better, FWIW

We have a "space" on the black board that's reserved, in the security class I'm taking. It's commonly know as the "java 0-day calendar". Everyone thought it was funny at first. Yet, lately the professors has started whining about not having enough space left for their lectures. Yeah, now it's basically just sad.

I don't get why it's called a "countdown", when the counter on the page clearly intends to count up...

Edit: original page title is "Java 0day countdown".

"Down" sounds sexier than "up". Also there's a connotation of impending... er... something with a countdown vs. count-up, which I guess makes sense for the anticipation of another vulnerability.

All browsers were compromised last Wednesday (except Safari on ML)


I don't see any mention of Opera :)

Safari wasn't.

Also, nobody compromised Safari at Pwn2own last year.

probably bc they are saving those safari bug bounty's for iOS: https://twitter.com/i0n1c/status/309585202810867712

i highly doubt it was because no one could pwn safari.

Interesting perspective.

Charlie Miller teased about it and a conversation involving i0n1c ensued:


This may be the cynic in me, but I feel that's because exploits fetch quite a sum in the black market these days.

If so, why would somebody spend months working on a IE10 exploit (http://threatpost.com/en_us/blogs/pwn2own-browser-exploits-g...) and then demo that here instead of selling it in the market?

If the market pays lots of money for Mac OS X exploits, why would it pay less for Windows ones? It can't be market share and I doubt it is because Mac users have faster Internet (so that their machines can be bigger DDOS sources, have more money to steal from them (both may or may not be true, but I doubt that fully offsets the difference in market share)

Another only thing I can think of why Mac exploits would be more expensive is that buyers expect Mac zero days to last longer, but I doubt that, too.

That leaves two reasons: because it is so easy that nobody considers it a challenge, and everybody expects someone else to pick up the price, or because it is too hard.

Alternative theories welcome.

I really have no specific explanation for it (that's really not the crew I hang out with), but exploits for the Mac ecosystem, iOS in particular, are in very high demand and do cost more.

Some theories:

I don't necessarily think it's because Mac 0-days last longer, but I know they do consider it a challenge; The difficulty may factor in to the price somehow. Maybe because there's the presumption the average user on iOS may have more cash to burn than the average Windows user.

They may have more to gain by hitting Apple employees for trade secrets.

Of course, all this is pure speculation.

That's not quite accurate. iOS exploits are worth a lot, bit OS X exploits are not worth as much. There is no relation between the two in terms of value. It's also much easier to write OS X exploits than it is to write Windows exploits in general. Windows has always been far ahead of OS X in terms of mitigations.

Safari on OS X is considered a soft target compared to the other browsers. It is the least difficult and has the fewest users. That is why the payout is less.

Never mentioned OS X. Parent did, I didn't. OS X's "soft target" status would explain why Pwn2own offered a lesser prize for Safari on it, but iOS is a different beast altogether and more likely to be carried around by Apple devs on their mobile devices. Hence my theory they may be after trade secrets.

You did, because Mac and OS X are synonymous :)

It has nothing to do with being after trade secrets from Apple employees. The people who sell both iOS and Mac (OS X) exploits do not sell them to people trying to steal Apple's trade secrets.

Safari on OS X has some good mitigation a these days, such as running the web content in a separate sandboxed process, which Friefox does not do. I suspect attackers either failed to find or did not want to burn their WebProcess sandbox escape.

One issue may be that the usage share for IE10 is almost negligible currently because it hasn't landed on Windows 7 yet. (But it will soon, so... hmm.)

Pwn2own bounty for breaking IE9 is only $75,000.

Bug price list 1 year ago:


It is indeed too bad that the Safari bounty is only $65,000.

And IE9's bounty is only $75,000.

So yeah, perhaps these bugs are being sold to governments instead.

IE10 for win7 was released last week.

What about Java so exploit-prone?

I always thought that, from day one, it was specifically designed to run untrusted code downloaded over the network in a secure sandbox. Java's over 15 years old and has always had the backing of a major company, so it's not like these are the growing pains of a new technology.

You might ask the same thing about Flash. You'd think that after the first dozen or so releases with gaping holes that they'd take a step back and rethink things.

I came up with a hypothesis about this kind of stuff not too long ago. Once your product becomes sufficiently crappy, nobody in their right mind will want to work on it. Good people will leave to get away from it. The project gets to a point where the badness "rubs off on you". Anyone who cares about their reputation will run from it.

Obviously, you can't write code without developers, so you start scraping the bottom of the barrel to get anyone who will work on it. You get people who don't care about their reputations and/or quality and are only there for a paycheck. You get green people fresh out of school who think everything is always nice and happy, and haven't been beaten down by the harsh reality of the industry yet.

The bozos got to the project, and broke it. Once that happened, the only people willing to work on it are more bozos (and the unfortunate ignorant folks who don't know any better).

I dubbed it "The Bozo Loop". I originally only intended for this to describe a specific situation (Flash), but since then it's become quite clear that it can extend to Java and many other things.

If they're both similar in this way, why did Flash win, or at least stay alive, while Java lost, to the point where most people can be told to turn it off and won't notice the difference?

Because Flash plays streaming video well and Java doesn't?

Only way to watch a video

HTML 5 video?

We are only just now hitting the point where you could use HTML 5 video only for a broad reaching consumer site. Once this is no longer an issue flash will probably drop off a lot more.

I assume only having up to IE8 on XP is going to be an issue to full html5 video adoption for some time yet.

I just found out from W3S that there's still 19.1% of users using XP. I see where that could become problematic.

Only way with 98% (at peak) market availability... Also, the tools for working with flash (for creative content) are better than those for Java.

I'm using this if you don't mind.

I don't think there's anything about Java the language, any more than any plugin. It is the development and deployment methodology that is dated. Oracle (and the same went for Sun) issues updates on a scale of months. I think this is now turning out to be an unviable strategy for any platform that has to survive in the wild and run untrusted code. It's hard to swallow, but we have to accept:

1. Completely secure code is extraordinarily expensive and difficult to write. All cost effective software is going to contain vulnerabilities

2. The only path to security is aggressive discovery and disclosure followed up with an immediate patch and deploy mechanism

This is the new model which Chrome and various other end-user-facing software is running - silent, rapid updates and a product engineered from the ground up to support that without major regressions. Anybody who wants to be a player in the browser market basically has to adopt this model. If Oracle cares about retaining any presence of their browser plugin in modern browsers they need to drastically change course - but I'm not sure they do.

It's actually pretty hard to find details, maybe because I don't know any good security-related blogs, but I did find this about a recent exploit: http://www.security-faqs.com/another-day-another-java-0-day....

Java downloaded an executable with a misleading '.jpg' extension and then executed it (it was a trojan that downloads other malware: http://go.eset.com/us/threat-center/encyclopedia/threats/win... ).

Because the JVM is written in C, and thus EVERY line of C code in it (which is millions, maybe tens of millions) has to be trusted. That's just the way C is (but not Java, to its credit). Anybody can introduce a security hole at any point, essentially.

There are ways to structure your code to mitigate this, but Java is almost 20 years old, so I'm sure there are a bunch of dark corners in there.

A more secure way to go about it would probably be to bootstrap the language more and write more of the VM in Java. I guess PyPy is exactly that, although I don't know enough to comment on its security.

Javascript interpreters are also written in C. Flash is written in C. HTML parsers are written in C.

All of these are exposed directly to untrusted code from the Internet, and none of them break at anything like the rate that Java seems to have done recently, nor get as much bad press as Java does. The closest analogy I can think of is MSIE in the post-Netscape, pre-Firefox era (c. 2001-2005).

Maybe the conclusion is, security holes don't get fixed if a technology is closed-source, is developed by a single large company, and there are no alternative implementations.

I'm willing to guess that the JVM source is an order of magnitude larger than any JS interpreter or Flash interpreter (I'd be interested in being corrected if wrong). The number of security holes is proportional to the trusted code size.

I thought that Java had a pretty good record until recently. As I wrote in a previous comment, what may have happened is that Windows and Flash and other ubiquitous client software really cleaned up their act in the last few years. So hackers started going for the JVM and Adobe Reader as vectors. The JVM wasn't under as much scrutiny when Windows was wide open, although that was quite a few years ago.

I wouldn't rule out other possible reasons either, e.g. the fact that there may have been a huge brain drain in JVM talent after the Oracle acquisition. Or a failure of software engineering processes after a re-org.

I agree that closed source software doesn't have a great security track record... but I think there are some other factors at play here, some of which I'm speculating on.

Guys, the cause of security is not helped by speculating wildly.

First of all, the Sun JVM is written in C++, not C. Second of all, the recent security problems are not the result of buffer overflows or other C++ coding problems, but design choices in the Java security model coupled with poor library coding. These vulnerabilities existed for a long time. The fact that they're only coming to light now is just a historical accident more than anything else. Oracle's response has been slow, but they did not create the problem. Sun did. (And I say that as a big fan of the old Sun Microsystems.)

The Java security model is supposed to allow you to keep both trusted and untrusted code in the same process space. Unfortunately, if any trusted library is poorly coded, you can use it to escalate your privileges. You can basically get something a lot like "eval" using the classloader and reflection.

This was a tradeoff that the Java language designers made. They chose to implement a powerful, but complex, sandboxing scheme. It would have been a lot simpler just to run the untrusted code in a separate process, like Chrome does. But that would have required interprocess communication. A lot of these 0-days have used this mechanism, or something like it, to exploit their privileges.

Another decision the Java web plugin designers made was to give plugins the ability to do almost everything native applications could do-- manipulate the filesystem, send network traffic, etc. This was another design choice that could have been made differently-- for example, Javascript historically never offered these kinds of abilities.

There have been a ton of Java 0-days and I don't have time to explain or research them all. But most of them flow directly out of the underinvestment in Java plugins over the last decade (a policy Sun started, and Oracle continued), and the fundamental design decisions made in the early days. I haven't seen any of them that were related to C or C++ (although I haven't examined all of them in detail so maybe there was one somewhere.)

I wonder if these are new vulnerabilities or if the maybe existed all along? Would an adapted exploit work against Java 5?

Maybe java security research just had a breakthrough and they found some new attack vector/methodology which uncovers all these vulnerabilites?

Days since a sizable number of hacker newsers confused java the language with the jvm with the browser plugin: also 0



Personally I didn't think a project like that existed until you mentioned it.

Someone needs a similar site that contains the 0-day for not only Java, but everything: languages, frameworks, jars, gems, projects, etc. For example, how about one for each currently maintained version of Rails, IE, Firefox, Chromium/Chrome, Opera, Safari, Windows, Linux, OS X, etc. Just a big sortable grid for each category type with name, days since 0-day, and a link and/or description of the last vulnerability, with another link to list all reported vulnerabilities and links to reports. That would be awesome.

At home I have often used not fully patched Windows systems and not fully updated Browser/Plugin stacks. Oh and Java and Flash are always activated. This is the Windows 7 dual boot on my laptop. When really bad news arrives (HN, other tech news) I do updates or other precautions like avoiding crappy web sites, MSIE etc.

Until 2 years ago I even had a Windows XP VM with broken update mechanism and IE6 which I used frequently.

And guess what, never something happened. But speaking for me, I will keep Flash and Java activated for another few years. I'm no security expert but my explanation why this works is this: I don't install any toolbar, in fact I have only the bare minimum of Firefox add-ons. (Why don't they allow me to uninstall MS Office Live-Plugin anyway? Or this Ubuntu thing?) I hate to install Software on Windows, and if, I really make sure I understand what I install and how trustable the vendor is.

Two relatives of mine have been infected with some spam bot net thing more than once. Their systems were like 90% patched, but they were vulnerable through Toolbars. (I think in both cases it was the Yahoo Toolbar.)

This is certainly not meant as a general advice, but I guess the lesson is being minimal and careful is as valuable as keeping your system patched. Oh and yes, I do always have an up-to-date Virus scanner.

So it's a static website? ;)

Can't be. Has to say "0" sometimes.

I've given up trying to keep OSX java up to date. I can still use Libreoffice. I just keep the plugins disabled in the browsers. Oracle has made it, or rather left it, unusable.

Interesting thought ... have there been any _high profile_ Windows OS vulnerabilities in recent times? I mean, I'm sure there are, there are still tons of patches rolled out on a regular basis. But they're not getting nearly as much media focus as they once were; at least, not in any media that I'm consuming.

Is it a case of the OS now really being way more secure than it once was? Lost interest by malware writers? A bigger focus on vulnerabilities in specific products (ie. Browsers)?

MS12-063 was an IE exploit on XP, Vista, and 7. Though not specifically an OS vulnerability, it's a pretty big one.

MS08-067 was certainly the goto XP exploit for the longest time. I still find computers vulnerable to that nearly 5 years later.

Disclaimer: I only dabble in security and am basically limited to metasploit for my knowledge, so corrections are welcome.

It's a case of the OS being way more secure than it once was. The new kernel that came out with vista helped quite a bit, as well as the constant stream of updates.

Because the OS is more secure, other parts of the system (ie browsers, flash, java) are now (in comparison to the OS) easier to exploit than they were.

Are there any more sites like this, for other languages or frameworks? This and others like it would be a great addition to our chatbot's morning news update. :)

About ten years ago, a guy named Thor Larholm used to maintain a page of unpatched MSIE vulnerabilities. Anyone could go there and read about 20-30 vulnerabilities currently exploitable at any given time.

Check wayback for http://www.pivx.com/larholm/unpatched around 2002 to see some samples.

In those days, browser exploits were not really seen as something of value. Everyone thought, "You have to trick the victim into visiting your web page? Pff". That's when hacking was still done by silently hitting vulnerable services, with no user interaction. Crazy how times have changed...

(Sorry, not what you were asking for, but reminded me of that page.)

>Has the counter ever reached ten days yet?

Should remove either the "ever" or "yet" from that sentence. Unless it's a redundancy feature :D

Has the counter ever reached ten days? Not yet.

There! All fixed.

Beware click to play is not a security feature in Firefox or Chrome as recommended by this site. In chrome you want to use 'block all'.

As data is collected over time, I would love to see this plotted on a graph. Mostly for purposes of hilarity.

It'll just look like a sawtooth wave.

Do the OOP/Java courses still teach students that Java is "secure"?

Java the language is not insecure, nor is having the JVM installed. The issue comes from the Java browser plugin, which has been a security disaster to the point that it's being disabled in browsers automatically.

People are (even I was) taught Java to believe that if you embrace Java, you no longer have to worry about security, without detailing them on what kind of security problems are alleviated by Java. And Oracle has proved itself highly inefficient when it comes to responding fast with patches.

Yup, instructors of my brother's Java oriented courses still keep that rhetoric going. Really that statement kept confused me from day 1 since examples to the contrary are easily found via google:


And that one is years prior to when I went to school. People can believe whatever they want about the security of their preferred platform but basically any large project is going to have some sort of vulnerability. All it takes is someone with enough gumption to find it.

As someone who is still in a beginners course on OOP/Java, I can tell you that that's not the only bull they'll spout.

Yes. Or at least, as recently as 2 years ago at my university, they did.

Why just Java plugins for browsers and not other things?

Is there an API? ;)

Nah, all you need to do is have a number that alternates between 1 and 0 and it'll be close enough for all practical purposes.

Sun used to go after companies using "Java" in their names. Even events haven't been spared: Javapolis (in Belgium), where even Gosling came to speak, got renamed "Devoxx" due to trademark issues.

I somehow doubt that the french person who registered java-0day.com is in compliance.

The idea isn't bad but it's a bad sad that everything is put together: mixing Java applets exploits with server-side exploit with regulard client-side / Java desktop exploits.

A trademark doesn't give you exclusive rights over all use of the mark. You can use it to prevent others from implying their products are associated with yours, as was presumably the case for Javapolis, but it doesn't give you the legal right to prevent others from criticizing your product.

If they forced to change the domain name, a hexy alternative might be: BADC0FFEE

Nice pun. For those who don't know, Java took his name from a Café's name or something like that.

Java tooks it's name from the Java Coffee bean, which the original team slightly overindulged in. I imagine it went like this. "What should we call this?" one of the devs looks around "Java"

There's a bunch of unaffiliated sites with "java" in their domain name, http://www.javaranch.com/ for one.

I think the difference is when you try and trade commercially using someone elses trademark.

You forgot that JavaPolis first renamed themselves to Javoxx, thinking that would save them. But no. http://weblogs.java.net/blog/fabriziogiudici/archive/2008/09...

Could this apply to non-IT related companies? "Java" is a name of a region in Indonesia to begin with, what about companies dealing with tourism or local products such as coffee or fabrics from that region?

Applications are open for YC Winter 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact