Security research firm Security Explorations reported two new zero day exploits hit Java on February 25. Since then, the company has provided a number of updates on the progress its made with Oracle to patch these security holes:

25-Feb-2013

27-Feb-2013

28-Feb-2013

The issues referenced above – 54 and 55 – can apparently be combined to “gain a complete Java security bypass in the environment of Java SE 7 (Update 15).” Issue 54 is being labeled by Oracle as a non-issue, but issue 55 has been picked up for further investigation.

This latest discovery only further stains Java’s reputation as it has not only been exploited twice in the past two months, but said exploits led to major firms like Apple and Facebook being hacked. Granted, Oracle can’t predict every new exploit that comes its way, but you would think it would be more thorough before releasing updates.

So, what can you do to prevent any Java-based attacks? It’s rather simple really – just disable Java. Firefox automatically disables it for you, and it’s easy enough to disable on other browsers as well.

[h/t: ZDNet]

Not to fear, though. Facebook says that they have found no evidence that any of your information was ever compromised.

“Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day,” says Facebook on its Security page.

Facebook identified the problem as a zero-day Java exploit.

“After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”

Apparently, the hack is still being investigated but they reiterate (multiple times) that no user data was accessed .

“Facebook, like every significant internet service, is frequently targeted by those who want to disrupt or access our data and infrastructure,” says the company.

Krebs on Security reports that a hacker has already found a hole in the Java fix that Oracle uploaded this week. This particular hacker relayed the news to others on a private Web forum, and began looking for buyers. Here’s the sales pitch:

New Java 0day, selling to 2 people, 5k$ per person

And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.

Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.

What’s worrisome is that the thread is reportedly gone as of today which means that the exploit has been sold to two people already. That means we could be seeing another potentially dangerous zero-day attack on Java in the near future.

Oracle can’t predict the future, and its engineers obviously can’t predict what exploits are going to be found in its software. Hackers will always be one step ahead of software developers. All Oracle can do is remain vigilant and quickly put out a fix whenever a new exploit is found. Java’s presence on over 1 billion PCs must put a ton of pressure on the company, but hopefully it can push out fixes just as quickly as the last one.

And next time, maybe check the fix to make sure there aren’t any security holes left in it.

[h/t: Ars Technica]

Originally spotted in the wild by @kafeine, other security research teams, including AlienVault Labs, have confirmed that a new zero day exploit has been found in Java. This particular exploit looks like it can hijack your PC into executing malicious code. It seems that one group is even using the exploit to install ransomware on affected PCs.

So, what can you do to protect yourself from this particular exploit? The easiest solution is to just disable Java in your browser. Since it seems to affect all browsers and all operating systems, there’s really not much else you can do.

The good news is that Oracle is already working on a fix. According to @kafeine, Oracle has already assigned a security ticket to the exploit. While that’s nice and all, there’s still no word on how long it’s going to take to patch. Oracle could even wait until its next Patch Tuesday to issue the fix leaving millions of PCs in limbo until then.

Despite the severity of the exploit, it’s not that surprising. In a report from AVG earlier this month, the security company said that Java would remain the most exploited software on PCs. It’s unfortunate that the report has already proven itself accurate so soon in the new year, but perhaps this will push Oracle to stay one step ahead of hackers that look for these exploits.

[h/t: Sydney Morning Herald]

Computer security company AVG released its list of the top threats facing computer, and mobile device, users in 2013. Not surprising, the list contains a number of threats that were already at large or growing to be a major threat last year.

First up, AVG predicts that Java will continue to be the most exploited software on computers. That may just be the case as Oracle already had to deal with a major zero-day exploit last year along with other various security loopholes that hackers always seem to find before security researchers. The software’s spread across over 1 billion computers ensures it will remain a desirable target.

Besides Java’s vulnerabilities, the biggest threat facing users is mobile malware. Android is especially susceptible to malware as many people download malicious apps from unofficial app stores that don’t properly screen their services for malware. Google Play or Amazon’s Android Appstore are the safest bets for avoiding mobile malware, but no promises can be made.

Other threats include an increase in ransomware, cloud service breaches and other scary things that lawmakers and government agencies refer to when trying to push new cybersecurity laws that curb your privacy rights.

AVG’s report may sound like a lot of fear mongering, but it’s seemingly appropriate in an age where people are falling for obvious malware attacks all the time. People need to be more vigilant when browsing the Internet or checking email and avoid any links that look even remotely suspicious. Another handy rule of thumb is to disable Java or any other vulnerable Web plugin before visiting a site that doesn’t look legitimate. You should also stop using dumb passwords, like “password.”

On a final note, you should probably stop using Internet Explorer.

JavaWorld reports that some recent rumors suggest OpenJDK, the Oracle-sanctioned open source version of Java, would be coming to Android. It would provide Java developers with an easy entry into Android development. The question now is whether or not it’s possible.

Speaking to JavaWorld, Java founder James Gosling said that there’s no major technical hurdles standing in the way.

“Technically, it’s not a huge problem. Android is just Linux on ARM, and there’s already a nice ARM/Linux version of OpenJDK,” said Gosling. “There are issues that would make the current binaries inappropriate (mostly graphics integration), but it’s not insurmountable.”

That being said, Gosling thinks that the bad blood between Oracle and Google might impede any efforts to bring OpenJDK to Android. If you recall, Oracle and Google were locked in a lawsuit earlier this year over accusations that the latter copied the former’s Java APIs when developing the Android OS. The jury sided with Google, and then Oracle was ordered to pay Google $1 million. After all of that, it doesn’t seem like Oracle would want to play nice with Google.

Even if there was no bad blood between the two companies, analysts seem to think that OpenJDK on Android just isn’t worth Oracle’s time. John Rymer of Forrester Research told JavaWorld that he thinks “the Java on Android ship has sailed” and that developers wouldn’t care for it anyway.

At the moment, it seems that the prevailing feeling towards OpenJDK on Android is one of pessimism. The major problem is the obvious conflict between Google and Oracle, but developer interest is also questionable. It’s too early to say that OpenJDK on Android will never happen, but chances are not looking good.

First, back in late August the Java browser plug-in was found to be vulnerable to an exploit that could make all PCs using browsers with the Java plug-in installed open to malware by visiting a malicious website. Thankfully, Oracle didn’t wait for its October patch to fix the issue, and released a patch just a few days later.

Only that wasn’t the end of it. A security company announced the day after the patch that another vulnerability in the Java software had been found. Meanwhile, the news came that Oracle knew about the exploits but did not fix them until news of them forced their hand.

Today, security company Security Explorations has once again called out Oracle for an exploit found in Java. The new exploit affects all the latest versions of Java SE software, including Java SE 5, 6, and 7. The company’s CEO, Adam Gowdiak stated that their tests were able to bypass Java’s security sandbox. The tests used a fully updated version of 32-bit Windows 7 and modern browsers. Anyone using Firefox, Chrome, Internet Explorer, Opera, or Safari is vulnerable.

Gowdiak said in an email that the company has notified Oracle of the exploit. He also told ComputerWorld in an interview that, thankfully, there is not yet any evidence of attacks that use the newly revealed exploit.

(via BGR)

Ali Afshar, Tech Lead for Google Drive Developer Relations, let it be known today that JavaScript support is now available in the Drive API. He says that all browser-based applications, including Chrome extensions, can take advantage of their client library. He points out that developers can also use CORS requests to the API.

Afshar also says that Google isn’t going into this halfheartedly. They went all out with their JavaScript support. All the functions of Drive are supported, including the uploading and downloading of files, tracking changes, listing files, and managing revisions.

Until now, Google Drive was available in Java, Phython, PHP, .NET, Ruby and Objective-C for iOS. You can view the respective examples for these languages over at the Google Drive documentation site. There isn’t a specific Drive example created in JavaScript yet, but it should show up soon enough.

For now, check out the Google Drive QuickStart guide for how to get started with Drive development in JavaScript. It’s super simple and should be a breeze for anybody just getting into development. There are plenty of resources in the above guide that will show you the way if the going ever gets rough.

Google announced the release of J2ObjC yesterday. The new open-source translator allows developers to convert Java into Objective-C without any additional input from them. It’s being billed as an easier way to developer iOS applications for those who are not immediately familiar with Objective-C.

Of course, you’re still going to need to know some Objective-C for the UI elements of an iOS app. Google says that their translator is best suited for the translation of data access or application logic elements. To that end, they hope the translator will be used to build cross-platform apps that can be accessed by Android, iOS and the Web.

They do point out that J2ObjC is not a Java emulator, but rather converts Java classes to Objective-C classes. It includes support for the full Java 6 language and most client-side runtime features, including exceptions, generic types and reflection.

You can start playing around with the translator now at the project page. It’s completely open source so you can poke around inside the code to see how it works. You might even be able to make an even better code translator based off of Google’s already impressive work.

Work like this only convinces me that development is only going to get easier from here on out. People will soon be able to code in their native language and translate it to any other without any trouble.

RedMonk is one of the many analysis firms that tracks the popularity of programming languages. They look at the popularity of languages on GitHub and StackOverflow. They found that language popularity tends to correlate between the two. That still seems to be the case with both sources returning JavaScript as the victor.

For added clarification, here’s the top 20 programming languages as determined by RedMonk:

1. JavaScript
2. Java
3. PHP
4. Python
5. Ruby
6. C#
7. C++
8. C
9. Objective-C
10. Shell
11. Perl
12. Scala
13. Haskell
14. ASP
15. Assembly
16. ActionScript
17. R
18. Visual Basic
19. CoffeeScript
20. Groovy

The guys at RedMonk go on to say that the top languages rarely change that much. It’s far more interesting to look at the turmoil happening in the lower rankings in the top 20. Over the past two years, many languages have dropped multiple ranks as other languages like Visual Basic 5 and ASP come into favor.

For comparison, the TIOBE Index is listing C as the most popular programming language in use at the moment. TIOBE bases their rankings off of the number of skilled engineers, courses and third party vendors that cater to a specific language.

Both rankings are a good idea of how the popularity of programming languages are evolving. RedMonk’s rankings are far more interesting, however, because they look at the popularity on GitHub. A lot of the guys on there are hobbyist coders that may not influence the strict guidelines that determine the TIOBE Index.