Day One of the PWN2OWN contest at CanSecWest 2013.
Java falls, three times.
Chrome for Windows falls.
Firefox for Windows falls.
(Apple Safari wasn't tested at the contest. The best guess as to why is that no one had found a handy Safari exploit, which is probably a good thing.)
So what are the THREE JAVA EXPLOITS? We're not going to know until they've been tossed over to Oracle and they've been patched.
How to keep track of the latest Java zero-day exploits:
Java 0Day countdown
This kewl, simple webpage provides a lot of useful information.
1) Check out the left side of the page to find out if your browser is SAFE from Java. If you effectively have Java OFF, as you should (!!!), you will see the following:
You're safe! Your browser Java support seems to be disabled.
navigator.javaEnabled() == false
2) Also on the left, a search link for Java CVEs at the (decrepit) web.nvd.nist.gov website.
3) On the right are links to information about the most current Java zero-day exploits.
4) Also on the right, a link to find out 'Is it still a threat?', aka 'is the patch useless yet?' *snark* You'll love the resulting page: very simple, very direct, in great big letters. Check it out now:
Today the answer to that question is YES.
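Item 1 above rests entirely on navigator.javaEnabled(). Here is an added example (not code from the Java 0Day countdown page, and not this article's author's) that runs the same check and adds a second, independent one: whether a Java MIME type is registered in navigator.mimeTypes. A browser is reported safe only when both say no Java, so a preference that says "on" with no plug-in present, or a plug-in that is still registered while the preference says "off", is surfaced rather than hidden. Two things are assumptions: the navigator-like object is passed in as a parameter so the detector can also be exercised outside a browser on the constructed stand-ins at the bottom, and the MIME types application/x-java-applet and application/x-java-vm are taken as the ones the Java browser plug-in registered.

```javascript
// Added example, not code from the Java 0Day countdown page. It repeats the
// page's navigator.javaEnabled() check and adds an independent test on the
// plug-in registry (navigator.mimeTypes). "Safe" requires both to say no Java.
//
// Assumptions (labelled): the navigator-like object is passed in so the
// detector can run outside a browser on constructed stand-ins; the MIME types
// below are taken as the ones the Java browser plug-in registered.

const JAVA_MIME_TYPES = ['application/x-java-applet', 'application/x-java-vm'];

// navigator.mimeTypes is an array-like MimeTypeArray in browsers (length plus
// numeric index); a plain array behaves the same way for the stand-ins below.
function javaMimeTypeRegistered(nav) {
  const mimes = nav && nav.mimeTypes;
  if (!mimes || typeof mimes.length !== 'number') return false;
  for (let i = 0; i < mimes.length; i++) {
    const entry = mimes[i];
    if (entry && JAVA_MIME_TYPES.includes(entry.type)) return true;
  }
  return false;
}

function javaPreferenceEnabled(nav) {
  // A navigator without javaEnabled() cannot be asked; treat that as "not
  // enabled" for this flag and let the MIME-type check catch a live plug-in.
  return !!(nav && typeof nav.javaEnabled === 'function' && nav.javaEnabled());
}

function javaStatus(nav) {
  const enabled = javaPreferenceEnabled(nav);
  const registered = javaMimeTypeRegistered(nav);
  const safe = !enabled && !registered;
  let message;
  if (safe) {
    message = "You're safe! Your browser Java support seems to be disabled.";
  } else if (enabled && registered) {
    message = 'Java is ON: javaEnabled() is true and a Java plug-in is registered. Turn it off.';
  } else if (enabled) {
    message = 'javaEnabled() is true but no Java MIME type is registered: the preference is on, check the plug-in list.';
  } else {
    message = 'javaEnabled() is false but a Java MIME type is still registered: the plug-in is present, verify it is disabled.';
  }
  return { javaEnabled: enabled, pluginRegistered: registered, safe, message };
}

// Constructed navigator stand-ins (not captured from real browsers).
const navJavaOff = { javaEnabled: () => false, mimeTypes: [] };
const navJavaOn = {
  javaEnabled: () => true,
  mimeTypes: [{ type: 'application/x-java-applet', suffixes: 'class,jar' }],
};
const navPrefOnNoPlugin = { javaEnabled: () => true, mimeTypes: [] };
const navPrefOffPluginPresent = {
  javaEnabled: () => false,
  mimeTypes: [{ type: 'application/x-java-vm', suffixes: '' }],
};

// In a browser, inspect the real navigator; elsewhere, walk the stand-ins.
const targets = typeof window !== 'undefined'
  ? [navigator]
  : [navJavaOff, navJavaOn, navPrefOnNoPlugin, navPrefOffPluginPresent];
for (const nav of targets) console.log(javaStatus(nav).message);
```

The point of the second check is that javaEnabled() reports a preference, while mimeTypes reports what the browser has actually loaded; when the two disagree you want to know, and the countdown page's single call would not tell you.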
But guess what! It gets worse. According to one source, there may actually be more than 60 (SIXTY) known security holes in the current versions of Java. Even worse: Oracle has known about over 50 of those holes for months, and done NOTHING to fix them. Instead of fixing its crapcode once and for all, Oracle is patching the Java browser plug-in piecemeal, waiting for each hole to be publicly exploited before bothering to patch it. And that sucks.
I'm going to be investigating this situation in a future article.
Conclusion: Expect Java security hell to continue for a long, long time.
Recite the mantra: JUST TURN JAVA OFF!