
Facebook computers compromised by zero-day Java exploit

150 points, posted by sk2code over 12 years ago

18 comments

jff, over 12 years ago
Aaaand that's why I don't have the Java plugin installed. Anywhere.

I'd like to think that we're almost to the point of viewing Java in the same light as Bonzi Buddy or Comet Cursor; IT discovers you got Java on your computer again, they just sigh and re-image it, with some stern warnings to please not download such sketchy software.
nikcub, over 12 years ago
If your default browser still has the plugins enabled for Java, Acrobat and Flash you are asking for it.

In Chrome: go to chrome://plugins and disable all

Safari: Preferences, Security, uncheck 'Enable Plugins'

Firefox: Tools > Addons > Plugins Tab > disable all

Don't use Flashblock or Javablock or similar extensions; they hide the applet, they don't stop execution.

You should always use a browser with all plugins disabled as your default browser. Run a second browser for trusted sites where you enter the URL in yourself.
jakub_g, over 12 years ago
> Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.

> "The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."

It seems it's high time now to start working with two separate profiles in a browser if you're forced to use Java - one internal-only with Java enabled, and the second for browsing the internet, with Java disabled (of course this works as long as your internal apps do not get hacked...).

Rather easy to achieve with Firefox (probably there are command line switches for Chrome as well):

1. Create two profiles, `external` and `internal`, using `firefox -p`
2. Open the external profile and disable Java (this will be kept in the profile settings)

Then run `firefox -p external` first, then `firefox -no-remote -p internal`; that way links opened e.g. from email clients will go to the external instance.

To differentiate the two instances, you can install some theme: http://www.getpersonas.com/en-US/

Total paranoiacs could try to find/write some extension that will block all the pages other than approved internal ones in the internal profile (perhaps AdBlock Plus will do?).
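One way to script the two-profile setup from the comment above, as an added example and not code from the thread or from the commenter: it reads Firefox's profiles.ini to locate each profile directory, writes a user.js pref that disables the Java plugin in the `external` profile, and launches the two instances in the order described. It assumes the Linux profile layout under ~/.mozilla/firefox and the `plugin.state.java` pref of Firefox releases of that era (0 = never activate); `-CreateProfile` and `-P` are real Firefox flags.

```shell
#!/bin/sh
# Added example (not from the thread): automate the "external / internal"
# Firefox profile split, with Java disabled only in the external profile.
set -eu

FF_HOME="${FF_HOME:-$HOME/.mozilla/firefox}"

# Resolve a profile name to its directory by reading profiles.ini.
# Assumes the usual key order Name=, IsRelative=, Path= inside each section;
# Path= is relative to FF_HOME unless IsRelative=0.
profile_dir() {
    awk -v want="$1" -v home="$FF_HOME" '
        /^\[/          { name=""; path=""; rel=1 }
        /^Name=/       { name=substr($0, 6) }
        /^IsRelative=/ { rel=substr($0, 12) }
        /^Path=/       { path=substr($0, 6) }
        name==want && path!="" { print (rel==1 ? home "/" path : path); exit }
    ' "$FF_HOME/profiles.ini"
}

# Persist the "never activate" state for the Java plugin in a profile's user.js
# (user.js is re-read at every startup, so the setting survives UI changes).
disable_java() {
    dir=$(profile_dir "$1")
    [ -n "$dir" ] || { echo "no profile named $1" >&2; return 1; }
    printf 'user_pref("plugin.state.java", 0);\n' >> "$dir/user.js"
}

# Create both profiles only if they do not exist yet, then lock Java out of
# the one used for general browsing.
setup() {
    for p in external internal; do
        [ -n "$(profile_dir "$p")" ] || firefox -CreateProfile "$p"
    done
    disable_java external
}

# Launch order from the comment: external first, so it becomes the instance
# that receives links from other applications; internal second with
# -no-remote so it stays a separate process and never takes those links.
launch() {
    firefox -P external &
    firefox -no-remote -P internal &
}
```

Run `setup` once, then `launch` each session; links from mail clients land in the Java-free external profile.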
jtheory, over 12 years ago
This happened last month, so it was 0-day THEN, not NOW.

The hole in question was patched in the February 1st Java release.

This is news because it shows how Facebook was affected by the many unaddressed security holes that were present in Java (and how it could be run -- last month -- silently), but this is NOT news of new holes in Java.

So far the latest (quite significant) fixes seem to have been effective.
error54, over 12 years ago
"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."

It's criminal how Oracle can release production code with so many security holes. It seems like every week there is a new Java based exploit.
0x0, over 12 years ago
Any ideas on which "waterhole" website was compromised?
pjmlp, over 12 years ago
Browser plugins are bad and should be eradicated.

But that is only half of the way, because thanks to C and C++ runtimes, they are still open to security exploits triggered by buffer overflows, strings misuse, use after free, double deallocation, array access out of bounds, stack overflow, pointer misuse...

The only safe way is to use a separate VM for browsing, or failing that, run the browser under a different user account with limited user rights.
uptown, over 12 years ago
The only reason I still have Java installed on my OSX machine is to use a SQL Server management tool. If I were to run that in a virtualized environment by installing Parallels and running a separate instance of OSX in that virtual environment, would that completely isolate Java to that one "box" and protect the rest of my environment?
blazingfrog2, over 12 years ago
"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."

How can one find out if one has been infected?
ihsw, over 12 years ago
How long will we wait and shrug our shoulders until we start blaming Oracle and looking for assurances this doesn't happen again? 'Free' services continuously disappoint me, notwithstanding FLOSSware.

Perhaps there is a mole at Oracle leaking security holes elsewhere.
lucian1900, over 12 years ago
It is an excellent idea to always use click to play for all plugins.
gdeglin, over 12 years ago
I wonder what the most practical but effective defense against these kinds of exploits would be?

Company-wide install of NoScript? But that wouldn't save you if a trusted site got compromised.

Maybe they should prohibit use of all commonly targeted software? (Flash, Acrobat Reader, Java..)

This seems really serious. Surely someone must be working on a better way to protect against this kind of thing?
mtgx, over 12 years ago
Isn't the Skype plugin for Facebook video-chats made in Java, too? Sounds to me like Facebook should be one of the very first companies to want to adopt WebRTC. Not only will they become independent of Skype for video-calls, but they can offer it for everyone inside the browser, too, instead of getting them to install plugins. Hopefully they intend to make it federated though, rather than keeping it Facebook-only.
logn, over 12 years ago
Are there any good malware scans for Mac? Obviously it's not going to prevent a novel attack, but I'd like to see if I'm infected with this or other known attacks.
klausjensen, over 12 years ago
I have two banks that require me to use Java. Please, banks, stop using Java, so we can finally get rid of that POS.
speeder, over 12 years ago
Is Java that prevalent, making it a good target, or is it full of holes, making it an easy target?

Also, this must be (more) very negative PR for Oracle.
martinced, over 12 years ago
Defense in depth.

People should really all consider doing what I do: install a throwaway VM on your system from which you surf the Web. For all the sites that I don't trust I do surf from a VM which can be erased / re-installed at will.

For sites I trust, like my GMail / Google Docs, I surf from a separate user account. I'm using a firewall that can do "per user" rules and I'm only using whitelists. By default no packets can be emitted. Then the user account used to access GMail / Google Docs is configured so that it can emit HTTP/HTTPS traffic.

No Java in the user accounts / VM that do surf the Web: and I'm a "Java" dev (Java + Clojure). Java can be installed only for one user account on Linux, without needing to be root.

Wanna do online banking / MoneyBookers / etc.: boot a read-only Linux CD / DVD.

Yes, it is slightly more inconvenient than using your main user account to surf the Web. But so far security and convenience haven't exactly been good matches yet.

The state of security today is really terribly bad. It is so bad that I'm going back to a "stupid" Nokia S40 phone until things settle down.
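The per-user, whitelist-only outbound firewall described in the comment above, as an added example rather than the commenter's own setup: it expresses the "by default no packets can be emitted, this one account may emit HTTP/HTTPS" policy as Linux iptables OUTPUT rules matched on the owning uid of each socket. The rules are printed for review instead of applied; the account names `trusted-web` and `untrusted-web` and the resolver address 192.0.2.53 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): per-user outbound whitelist with
# default deny, using the iptables "owner" match on the socket's uid.
# Prints the commands so they can be reviewed; run the output as root to apply.
set -eu

# Emit ACCEPT rules for one user; every remaining argument is a TCP port
# that account is allowed to reach. Nothing else is opened for it.
user_rules() {
    user="$1"; shift
    for port in "$@"; do
        echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp --dport $port -j ACCEPT"
    done
    # Name resolution has to happen before any HTTPS connection, so allow DNS,
    # but only to one resolver (placeholder address) rather than port 53 anywhere.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -p udp -d 192.0.2.53 --dport 53 -j ACCEPT"
}

# Whole policy: default DROP, loopback and reply traffic allowed, then one
# whitelist per browsing account. The Java dev account is deliberately absent,
# so it never gets a rule and can emit nothing.
policy() {
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Account used for trusted sites (GMail / Docs): HTTP and HTTPS only.
    user_rules trusted-web 80 443
    # Throwaway browsing account: same two ports, nothing more.
    user_rules untrusted-web 80 443
    # Log what the default policy is about to drop: an unexpected account
    # trying to reach the network shows up here instead of silently failing.
    echo "iptables -A OUTPUT -j LOG --log-prefix 'OUT-DENY: ' --log-level 4"
}
```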
recoiledsnake, over 12 years ago
Wonder if those laptops were running Windows, OS X or Linux.

Hard to find details on that, anyone know?