Java Security Vulnerabilities

  • Aayrl
  • Topic Author
  • Administrator
  • Big Deal!
  • Posts: 1118
  • Thank you received: 370
12 Sep 2014 01:23 #1

Hey folks,

Recently we've been getting suspicious activity on our Uploads form, so we've taken Uploads offline for the time being. If you have any levels or content you'd like uploaded to MarbleBlast.com, please contact us via Skype or email.

In addition, we've identified a security issue with the Windows version of the MBP 1.50 launcher, specifically allowing the entire Java 7 library root access to computer systems, which may lead to compromised computers should the user be infected with rogue malware awaiting raised user privileges to unleash its payload. To those users that are on Windows clients, we strongly recommend you run an antivirus scan and malware scan to ensure file integrity before running the Marble Blast Launcher.

We will be uploading a new Marble Blast Launcher for Windows shortly that fixes this issue and installs Marble Blast Platinum to a new location (<user>/AppData/Local/roaming/Marble Blast Platinum) WITHOUT administrative rights (meaning it will run without raised privileges). We also strongly recommend all users update to Java 7 u67 (or Java 8 if applicable) and uninstall any existing versions of Java to ensure maximum security on your computer systems.

Thanks,
~Aayrl

  • Posts: 194
  • Thank you received: 401
12 Sep 2014 02:21 #2
I'm not sure why you're making such a big deal out of this.

You had a virus on your machine, and you're placing the blame on Java? What? If it wasn't the launcher that helped the virus get elevated, it would have been something else. There's no "vulnerability" in Java and nobody is at risk. Yes, it's good that you're making it not require admin access, and yes, it's good that you're making it install to AppData, but you're blowing this way out of proportion.

If you get a virus, it's your own fault, end of story.

"You know you've spelled something wrong when the only search results are Jeff convos" - HiGuy

  • Aayrl
12 Sep 2014 02:26 #3
There are in fact vulnerabilities in most versions of Java 7 up through 7u51. Any version higher than that (including the most recent J7u67) has no confirmed vulnerabilities.

Saying there are no vulnerabilities is a complete lie - there are some exploits that are being targeted by rogue malware confirmed as recently as yesterday afternoon spanning all the way back to 2013.

I'm using my own personal unfortunate experience to notify all of our users of this potential security issue and pressing them to ensure they are running the most recent version of Java, as rogue malware may be sleeping in their temporary files waiting for elevated privileges (such as our lovely Launcher client) to give them the proper access required to unleash their payload.

Sure, we're not directly causing security issues for our users - and sure, the launcher is definitely not the cause of the problem - but the launcher is a potential platform that malware can use to compromise our users' systems, and it's something that needs to be made publicly aware until we remove administrative access from the launcher completely.

~Aayrl

12 Sep 2014 02:34 - 12 Sep 2014 02:39 #4

Aayrl wrote: There are in fact vulnerabilities in most versions of Java 7 up through 7u51. Any version higher than that (including the most recent J7u67) has no confirmed vulnerabilities.

Saying there are no vulnerabilities is a complete lie - there are some exploits that are being targeted by rogue malware confirmed as recently as yesterday afternoon spanning all the way back to 2013.


Right, but those aren't related to this problem, and most of them are used by websites to exploit users' systems. Even if there is a vulnerability in Java, the launcher wouldn't be affected by it unless there was a virus on your machine to begin with. It's pretty simple for a virus to hook onto any program, not just Java, and wait for it to become elevated. You make it sound as if you've found some new unconfirmed issue with Java.

Aayrl wrote: I'm using my own personal unfortunate experience to notify all of our users of this potential security issue and pressing them to ensure they are running the most recent version of Java, as rogue malware may be sleeping in their temporary files waiting for elevated privileges (such as our lovely Launcher client) to give them the proper access required to unleash their payload.

Sure, we're not directly causing security issues for our users - and sure, the launcher is definitely not the cause of the problem - but the launcher is a potential platform that malware can use to compromise our users' systems, and it's something that needs to be made publicly aware until we remove administrative access from the launcher completely.


Fair enough, sounds good.

Last edit: 12 Sep 2014 02:39 by Derpky.

  • RandomityGuy
  • Administrator
  • This entire place is bruh
  • Posts: 271
  • Thank you received: 81
13 Sep 2014 04:54 #5
I'm scanning my computer for viruses as I'm getting viruses

Github:
github.com/RandomityGuy
Feel free to support me at ko-fi.com/randomityguy
