Researchers Highlight Recent Uptick in Java Security Exploits

Microsoft researcher Holly Stewart pointed out this week on his blog that Java has now passed Adobe Reader as the most common target for malware. Mr. Stewart reports that most Java security exploits seen "in the wild" target issues that have had fixes available for some time. In particular, three long-known issues with the Oracle JVM, around Calendar deserialization, long file URLs, and RMI connections, represent an outsized portion of attacks.
Security researcher Brian Krebs hypothesizes on his blog that these long-standing holes are seeing a surge of exploitation because "exploit pack" makers have recently started including functionality specifically targeted at these issues. Exploit packs are pre-configured pieces of software sold by hackers to criminal rings. Criminal rings then use the exploit packs to take over computers that visit tainted web sites. The most sophisticated exploit packs have professional-looking management and statistics consoles that tell the buyer how successful they have been at gaining access to computers. Mr. Krebs cites purportedly real-life screenshots of these consoles as evidence that Java is a favorite target.
All of the three favorite Java security holes have been fixed since at least March and one was even fixed in April, 2009. But the report suggests that many computers have not been patched with the fixes. A very large percentage of computers are running old versions of Java. Statistics site StatOwl detected more than 10% of users have only Java version 1.4 or 1.5 installed, both of which have not been supported by Oracle for more than a year. Even on computers running version 1.6, more than half are not running a recent patch that addresses the worst vulnerabilities.
There may be a variety of reasons why computers have not been upgraded. Often, consumers do not know that they are running Java at all, much less which version they have nor how to upgrade it. In the enterprise, desktops are often required to keep older versions of Java to support in-house applications that haven't been upgraded yet or to support vendor applications that have not been upgraded yet. For example, according to Oracle, if 1.6 update 22 is applied: "The fix for CVE-2010-3560 could cause certain Java applets running in the new Java Plug-in to stop working if they are embedded in web pages which contain JavaScript that calls into Java in order to perform actions which require network security permissions." Even Oracle products can have issues with minor Java point releases so IT managers are likely to be cautious at all times. Likewise, legacy applications that still run on Java 1.5 could be vulnerable because Oracle stopped support for 1.5 in November, 2009 and will only issue patches to Java for Business subscribers.
This week, Oracle released update 22 to JDK 1.6 that fixed 29 security issues, some of them major. Java developers often assume that their applications are immune to security holes because of the sandbox that the JVM supplies. But under the bytecode, the JVM implementation itself still has direct access to memory and is implemented in an un-sandboxed language like C.


source:http://www.infoq.com/news/2010/10/java-exploit-uptick


What's New in Eclipse? part-III

The AspectJ Technology Project will release AspectJ 5.0 soon after Eclipse 3.1 is shipped. The new version includes full support for J2SE5 features, integration of AspectWerkz-style code, better deployment (especially for container-based environments), faster performance, and more comprehensive IDE support. For example, generics are integrated with AOP language features such as join points, pointcuts, advice, and inter-type declarations. Annotations bring AOP to pure Java source files, so you can continue to use your favorite Java compiler and then weave in the aspects in another build step or when classes are loaded. Deployment in J2EE containers is easier and compiling and weaving runs faster and generates better code than before. The class-loading and runtime aspect weaving that made AspectWerkz so convenient should also be supported.
For a gentle introduction to AOP, you may want to check out the Concern Manipulation Environment (CME) project. It offers powerful code navigation to help you identify cross-cutting aspects in your existing Java code.
Finale
In four short years since Eclipse exploded onto the scene, it has come to dominate the Java IDE landscape. User groups have sprouted up around the world, and hundreds of books and articles have been written about it (two dozen in Japanese alone!). Eclipse 3.1 is the culmination of a year's worth of development effort on features such as J2SE5 support, performance improvements, and rich clients. If that weren't enough, it will be the base of the next wave of software releases from the Eclipse Foundation and its partners. Whether you're a programmer trying to build the next Killer App or an entrepreneur building a business model on open source, this is an exciting time to be involved with Eclipse.
Acknowledgments
I wish to thank the many readers of www.eclipsepowered.org who contributed to this article, including Chris Gross, Philippe Ombrédanne, Ng Chin Kiong, Sam Mesh, Bob Foster, David Orme, mgallego, lmandel, and nobodaddy. And a special thanks to Xavier Méhaut, who maintains the Eclipse wiki site, http://eclipse-wiki.info, where we worked on the draft.






if Statement

The if statement is a basic control flow structure of the C programming language. It is used when a unit of code needs to be executed only when a condition is true. If the condition is true, the code in the if block executes; otherwise nothing happens. The syntax of the if statement is simple:
if (condition) {
    /* unit of code to be executed */
}
The C programming language requires the condition to be an expression that evaluates to true or false. The if statement has its own scope, which defines the range of code the condition affects. For example:
/* all code inside the braces is affected by the if condition */
if (x == y) {
    x++;
    y--;
}

/* only the expression x++ is affected by the if condition; y-- always runs */
if (x == y)
    x++;
y--;
If you want to handle both outcomes of the condition, use the if-else statement. When the condition of the if statement is false, the code block in the else branch is executed. Here is the syntax of the if-else statement:
if (condition) {
    /* code block of the if statement */
} else {
    /* code block of the else statement */
}
If we want to test several conditions in turn, we can use the if-else-if statement. Here is the common syntax of the if-else-if statement:
if (condition-1) {
    /* code block if condition-1 is true */
} else if (condition-2) {
    /* code block if condition-2 is true */
} else if (condition-3) {
    /* code block if condition-3 is true */
} else {
    /* code block if all conditions above are false */
}
For example, the following chain compares two integers x and y and prints a message for each possible relationship:

if (x == y) {
    printf("x is equal to y");
} else if (x > y) {
    printf("x is greater than y");
} else if (x < y) {
    printf("x is less than y");
}
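The following complete program is an added example, not part of the original tutorial. It puts the three forms above (if, if-else, if-else-if) into functions that return values rather than printing, and it makes the scope point concrete: adjust_braced and adjust_unbraced differ only in whether y-- sits inside the braces, which changes what the condition controls. The last function, safe_get, shows the everyday defensive use of an if statement: checking an index against a buffer length before reading from it. All function names and the sample buffer are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* if-else-if chain: returns 0 if x == y, 1 if x > y, -1 if x < y. */
int compare_ints(int x, int y)
{
    if (x == y) {
        return 0;
    } else if (x > y) {
        return 1;
    } else {
        return -1;
    }
}

/* Braced form: both x++ and y-- are controlled by the condition. */
void adjust_braced(int *x, int *y)
{
    if (*x == *y) {
        (*x)++;
        (*y)--;
    }
}

/* Unbraced form: only x++ is controlled by the condition; y-- runs
   unconditionally, even though the indentation suggests otherwise.
   This is the bug the tutorial's scope example warns about. */
void adjust_unbraced(int *x, int *y)
{
    if (*x == *y)
        (*x)++;
    (*y)--;
}

/* Bounds check before a read: returns 1 and stores buf[idx] in *out
   when idx is inside the buffer, 0 otherwise (no read is attempted). */
int safe_get(const int *buf, size_t len, size_t idx, int *out)
{
    if (idx >= len) {
        return 0;
    }
    *out = buf[idx];
    return 1;
}

int main(void)
{
    int x, y, value;
    int buf[3] = {10, 20, 30};   /* constructed sample buffer */

    printf("compare_ints(3, 3) = %d\n", compare_ints(3, 3));
    printf("compare_ints(5, 2) = %d\n", compare_ints(5, 2));

    x = 1; y = 2;
    adjust_braced(&x, &y);
    printf("braced, x != y:   x=%d y=%d\n", x, y);   /* unchanged: 1, 2 */

    x = 1; y = 2;
    adjust_unbraced(&x, &y);
    printf("unbraced, x != y: x=%d y=%d\n", x, y);   /* y still decremented: 1, 1 */

    if (safe_get(buf, 3, 1, &value)) {
        printf("buf[1] = %d\n", value);
    }
    if (!safe_get(buf, 3, 3, &value)) {
        printf("index 3 rejected\n");
    }
    return 0;
}
```

Compile with any C compiler (for example `cc example.c -o example`). The two adjust functions behave identically when x equals y, which is why the missing braces are easy to miss in testing; they diverge only on the path where the condition is false.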

source:cprogramlanguage.net
