Warning: Java Zero Day Flaw Under Attack
by Coryphaeus - 8/27/12 6:41 PM
by: Coryphaeus August 27, 2012 6:41 PM PDT
Total posts: 7 (Showing page 1 of 1)
Attackers Pounce on Zero-Day Java Exploit
A BIG thanks to Coryphaeus for stressing this!
Some additional posts from the news thread:
Attackers have seized upon a previously unknown security hole in Oracle's ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.
News of the vulnerability surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers André M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.
Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).
Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. "The price of such an exploit if it were sold privately would be about $100,000," wrote Paunch, the nickname used by the BlackHole author.
Continued: http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/
Warning on critical Java hole
Java zero day vulnerability actively used in targeted attacks
New Java Zero Day Being Used in Targeted Attacks
New Java Exploit Spotted in the Wild
Care to Disable the Java Plugin?
Near the end of the above post, Brian Krebs writes:
If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
For browser-specific instructions on disabling Java see:
How to Unplug Java from the Browser
For Windows users:
Mozilla Firefox: From the main menu select Add-ons, and then disable any plugins with the word "Java" in them. Restart the browser.
Google Chrome: Click the wrench icon in the upper right corner of the browser window, then select Settings. In the search results box to the right in the next screen, type "Java". A box labeled "Content settings" should be highlighted. Click that, and then scroll down to the Plug-ins section. Click the "Disable individual plug-ins" link, find Java in the list, and click the disable link next to it.
Apparently, getting Java unplugged from Internet Explorer is not straightforward. The U.S. Computer Emergency Response Team (US-CERT) lists the following steps, which may or may not completely remove Java from IE:
In the Windows Control panel, open the Java item. Select the "Java" tab and click the "View" button. Uncheck "enabled" for any JRE version listed. Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:
Click the start key and type "regedit" in the search box. Double-click the regedit program file when it appears.
- Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system. 10.6.2, for example.
If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0.
- Run javacpl.exe as administrator, click the "Advanced" tab, select "Microsoft Internet Explorer" in the "Default Java for browsers" section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.
US-CERT has some additional suggestions for removing Java from IE if the above steps do not do the trick. See their advisory for more details.
For Mac users:
Safari: Click Preferences, and then the Security tab (uncheck "Enable Java").
Google Chrome: Open Preferences, and then type "Java" in the search box. Scroll down to the Plug-ins section, and click the link that says "Disable individual plug-ins." If you have Java installed, you should see a "disable" link underneath its listing.
Firefox: Click Tools, Add-ons, and disable the Java plugin(s).
From Zscaler Research: Are you vulnerable to the latest Java 0-day exploit?
Researchers Identify Second New Java Bug
Researchers who have dug into the exploit for the new Java CVE-2012-4681 vulnerability found that there are actually two previously unknown security bugs in Java 7 and that the exploit, which has been tied to attackers in China, is using both of them to get full control of vulnerable machines.
The Java vulnerability was first disclosed publicly on Sunday and researchers have spent the last couple of days looking at the bug as well as the exploit code that's been used in some of the attacks. What they found is that there are in fact two distinct zero day vulnerabilities in the latest version of Java and that the known exploit uses them both.
"The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check," Esteban Guillardoy of Immunity Inc., wrote in an analysis of the vulnerabilities.
"The beauty of this bug class is that it provides 100% reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years.
"There are 2 different zero-day vulnerabilities used in this exploit: one is used to obtain a reference to the sun.awt.SunToolkit class and the other is used to invoke the public getField method on that class. The exploit is making use of the java.beans.Expression which is a java.beans.Statement subclass. There are 2 Expression instances that are used to trigger these 2 different bugs."
Continued: https://threatpost.com/en_us/blogs/researchers-identify-second-new-java-bug-082812
Researchers: Java Zero-Day Leveraged Two Flaws
Posted by Brian Krebs two days after his initial post (Attackers Pounce on Zero-Day Java Exploit):
New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.
Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.
"There are 2 different zero-day vulnerabilities used in this exploit," Guillardoy wrote in a lengthy analysis of the exploit. "The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353)."
ONE BILLION USERS AT RISK?
How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7 (all versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions)?
To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia's 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.
WHO BURNS THROUGH TWO ZERO-DAYS IN ONE SHOT?
On Monday, I interviewed the author of the BlackHole exploit kit, an extremely popular software package sold in the underground that is designed to be stitched into hacked sites and use browser exploits to drop malware on visiting PCs. The BlackHole author said he intended to (and did, it appears) fold the exploit into his kit, but said he was surprised that someone would just leak such a reliable exploit, which he said would fetch at least $100,000 if sold privately in the criminal underground.
Continued: http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/
Sorry, but any form of Java does not go on my system until Oracle is willing to issue out-of-band patches. That has not happened so far. Next scheduled update is in October.
Oracle releases out of cycle fixes for Java
Out of nowhere Oracle has released an emergency update to address the zero-day vulnerabilities being exploited by many different criminal groups.
Surprisingly they included some previously unknown vulnerabilities that we can only assume may also have been in use in the wild.
The good news is that customers who require Java in their environments can now deploy an official fix and proceed with less risk; the bad news is that one of the fixes they shipped out affects Java 6, so everyone needs to patch, not just those who were running Java 7.
Oracle officially fixed four CVEs, presumably covering five vulnerabilities. It appears that CVE-2012-4681 was actually two vulnerabilities, so it is difficult to tell for sure if they patched four or five flaws.
The first three only affect Java 7 and all have a CVSS score of 10, meaning they are remotely exploitable and result in code execution. That's as bad as it gets, folks.
The fourth affects both Java 6 and Java 7, but in and of itself does not result in code execution. Oracle have not stated precisely what kind of flaw it is, but based on its description it sounds like a privilege escalation vulnerability.
The fact that Oracle included this fourth vulnerability implies that they are seeing it used in conjunction with other vulnerabilities in the wild and you would be strongly encouraged to apply the fix right away.
Continued: http://nakedsecurity.sophos.com/2012/08/30/oracle-releases-out-of-cycle-fixes-for-java/
See: Java SE 7u7 and SE 6u35 Release
For additional details from Immunity Products: Java patched at least 4 bugs
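Turning the fix levels named in this thread (Java SE 7u7 and 6u35, with Java 7 Update 0 through 6 exposed to the exploit chain) into a fleet triage check, as an added example that is not from any of the quoted articles; the status labels, the `classify`/`triage` helpers and the sample inventory are constructed for illustration:

```python
import re

# Fix levels from the thread: Oracle's out-of-cycle release shipped
# Java SE 7u7 and Java SE 6u35. Java 7 updates 0-6 are exposed to the
# CVE-2012-4681 exploit chain; Java 6 below 6u35 lacks the fourth fix that
# Oracle shipped for both branches.
FIXED_UPDATE = {6: 35, 7: 7}

# Matches the first line of `java -version`, e.g. java version "1.7.0_06".
# The update suffix is optional so that the 7u0 GA banner "1.7.0" parses too.
_VERSION_RE = re.compile(r'"1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner: str):
    """Return (major, update) from a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(banner: str) -> str:
    """Status labels are our own: vulnerable / needs-update / patched / ..."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"          # no JRE found, or an unparseable banner
    major, update = parsed
    if major not in FIXED_UPDATE:
        return "out-of-scope"     # e.g. Java 5: not covered by this advisory
    if update >= FIXED_UPDATE[major]:
        return "patched"
    # Java 7 < 7u7 is hit by the exploit chain itself; Java 6 < 6u35 is
    # missing the fourth fix, so it still needs the update.
    return "vulnerable" if major == 7 else "needs-update"


def triage(inventory):
    """Map host -> status for a {host: java -version banner} dict."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "ws01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "ws02": 'java version "1.7.0_07"',
    "ws03": 'java version "1.6.0_33"',
    "ws04": 'java version "1.6.0_35"',
    "ws05": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```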