It looks as if java software can etch another notch in its holster. According to the latest news reports an attack on one of Yahoo's Ad servers perpetuated a large scale malware infestation across user's computers of the popular search engine and the breach seems to point to flaws in the java code used on the servers. Yahoo stepped up fairly quickly and released this comment "At Yahoo, we take the safety and privacy of our users seriously," a Yahoo spokeswoman said in a Saturday email to the Washington Post. "We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity."
The actual infections seem limited to countries outside the US and didn't affect mobile or Mac users but as with any malware exploit the payloads may take a while to fully propagate and it will be some time before the full ramifications are seen. Yahoo should be commended on acting swiftly and assuring its users that the threat was eliminated. Although, it should be noted that Yahoo has admitted the malware started being distributed on 12/31/2013.
Java still insists that giving users an option to allow running of the client code is enough to deter these types of exploits, what do you think? A breach of this size would sound an alarm if weren't for the fact that the alarm has been actively soundly for a few years now. Perhaps Oracle, the current owners of Java, should come up with a DefCon type of system or color coded heights of alarm states so the general public could better grasp the likelihood that Java exploits may bring down their system and possibly compromise their personal information.
by Jim Atkins 'thedosmann'