The latest Java exploit has given another view into the workings of the cybercrime economy. Although I should not be, I am always startled at just how open and robustly capitalistic the whole enterprise has become. The business is conducted more or less in the open.

Krebs on Security has a nice piece on an auction selling source code to the Java exploit. You can see that there is a high level of service provided, and some warnings about now to ensure that the exploit you paid for stays valuable.

hacking · java · vulnerability

I did not post on the recent Java vulnerability because the fixes came out so quickly, however, it looks like I relaxed too soon.

Apparently there was a second vulnerability that did not get fixed. At this point, you should probably just disable Java in your browser. Gizmodo has a short article on how to do that for the various browsers.

Very few websites actually require Java any more. If you absolutely need to visit one of them, I suggest enabling Java on just one of your browsers and using that browser exclusively for visiting that trusted site with Java.

java · security · vulnerability

spider.io is talking about a bug they discovered in Microsoft Internet Explorer versions 6-10. Evidently the bug allows tracking of your mouse movement even if the browser window has been minimized and you have a different application active.

They say that at least two companies providing display ad analytics are already using this exploit to improve their analysis.

OUCH! Yet another good reason to use any browser but IE.

browser · security · vulnerability