Attackers Pounce on Zero-Day Java Exploit

Discussion in 'malware problems & news' started by siljaline, Aug 27, 2012.

Thread Status:
Not open for further replies.
  1. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    According to a security site, once a zero-day is out, the pattern seems to suggest the exploiters aim their initial attacks toward Korean sites because the overall IT security in Korea is too weak or ignored.
     
  2. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Uhm, here you go. It's in Korean though. :)

    -http://www.dailysecu.com/news_view.php?article_id=2835

    "Attackers use a zero-day against Korea first, as soon as it appears. That is because Korea's malware response system is not functioning properly," he said regretfully.
     
  3. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    345
    Location:
    SE Asia
    Thanks :thumb:

    That's why we have Google Translate :)
     
  4. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    :)

    IT security in Korea is generally weak. Never mind average Lee or Kim but one would think those folks responsible for IT installed in hotel chains would pay attention to at least some basic or minimal security, but they don't. When I traveled to Korea, I've been to at least one hotel chain in Seoul that ran their public computers under Admin account. How sick is that?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I like Krebs articles. ;)

    Regarding other "security experts" articles, rather than always beating the blind man up (blind man = Java/Flash/Adobe Reader; beating it up = remove it), maybe they could write ONE article that explains that these programs (Java, Flash, Adobe Reader) can be exploited by hackers/attackers, due to being massively used, and then advise and show how to install it (from the official website) and how to whitelist it on a per-site basis.

    Let's face it - the masses use 3 web browsers: IE, Google and Firefox. So... wouldn't it be better to take a little time and write a proper article explaining how they can do it for these 3 web browsers? I may be wrong, though.

    Maybe the next time, if 10 people happen to read that article, they'll be aware of the dangers and how to "counter attack", and then these 10 people will alert other 10 people... Make it viral.

    But, if the info doesn't get out there, and if the masses don't have a will to pursue this kind of knowledge on their own, how will they be safer? They won't. I wouldn't uninstall Java if I had it installed, just because some guy said so, when I actually need it, and I won't be uninstalling it and reinstalling it every time a new article comes out advising to remove it again. Ain't that a bit stupid? (Sorry, I'm lacking a better word now.) Not to mention, I'd have to remember to revisit that same website and see if there's some new article advising to remove it again? How the heck is this helpful? lol

    So, if these "security experts" have reasons to believe that people will be visiting their blogs/websites, and will read the alert telling them to uninstall Java, then maybe they should do the opposite and explain how they can whitelist it, instead of removing something they need in the first place.

    That's just me saying. :)
     
    Last edited: Aug 29, 2012
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, this is all very confusing.


    (First, you omitted that I did say I was referring to my system)

    From h-online:

    The new Java 0Day examined
    http://www.h-online.com/security/features/The-new-Java-0day-examined-1677789.html

    It's not clear whether this "new method" lets v.6 be exploitable.

    and:


    Java 0Day: Turn off Java applets now
    http://www.h-online.com/security/news/item/Java-0Day-Turn-off-Java-applets-now-1678618.html

    Perhaps the sites I encountered don't have an exploit that has been worked out to affect v.6.

    Too many variables and unknowns to ignore the warnings to either disable the plugin, or remove JAVA itself.

    By the way, the first time I went to that JAVA check site, my Plugin was disabled in Opera, and this is the message from that site:

    [attached image: java_exploitable-1.jpg]

    regards,

    -rich
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Not intentionally, I can assure you.
    I actually didn't know if you were referring to your system or others too.
    I assumed that you meant yours, and then did not reiterate that.
    Thanks for clarifying.

    For me, I just use Chrome and no problems because Java is easily disabled in it. I'll wait to see what develops before I take further action with IE. :)
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, I didn't elaborate more fully. Not good.


    ----
    rich
     
  9. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Java zero-day exploit goes mainstream, 100+ sites serve malware

    http://www.computerworld.com/s/article/9230736/Java_zero_day_exploit_goes_mainstream_100_sites_serve_malware?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29

    TH
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  11. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618

    Attached Files:

    Last edited: Aug 29, 2012
  12. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I tested this against Ubuntu 12.04 64 bit and the exploit worked (I used metasploit). I tested it against both Firefox and Chromium and it worked in both. Chromium's default chroot sandbox doesn't confine Java, so it's useless against this attack.

    However, there is good news. I enabled the AppArmor profile and it stopped the exploit cold. What the metasploit implementation does is download a payload to /tmp and then chmod +x it. Then it executes it. AppArmor stopped the browser from being able to execute from /tmp.

    It doesn't. Chromium only sandboxes itself and Adobe Flash (which is why they bundle their own Flash version).
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wasn't sure. I know on Windows that's the case (except it restricts IPC) but with Chrome on Linux I saw it open it as a Chrome process. There's really no good documentation for Linux's sandbox for Chrome.

    This is what I would expect.

    Even if it were able to execute it (/tmp/* ix, for example) it would be stuck in a very confined environment.
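
    The AppArmor behaviour chronomatic and Hungry Man describe above (the browser profile refusing to execute a payload dropped in /tmp) leaves a trace in the kernel/audit log, and that trace is what a defender would want to alert on. The script below is an added example, not code from this thread or from any of its posters: it parses constructed AppArmor denial lines (the field layout is the real one, the profile names, paths, PIDs and timestamps are made up) and reports every denied exec out of a temp directory.

```python
"""Detect AppArmor exec denials from temp directories in audit/syslog lines.

Added example, not from the thread. The log lines are constructed to mimic
what AppArmor logs when a profile blocks an exec; field names are real,
values (profiles, paths, pids, timestamps) are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: one ordinary allowed open, two blocked execs from
# /tmp (the pattern the thread describes), one blocked read of a key file.
SAMPLE_LOG = """\
type=AVC msg=audit(1346281200.101:311): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/etc/fonts/fonts.conf" pid=4100 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1346281210.222:312): apparmor="DENIED" operation="exec" profile="/usr/lib/chromium-browser/chromium-browser" name="/tmp/jcEiXJ8p" pid=4127 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1346281211.333:313): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox" name="/tmp/dropped.bin" pid=4201 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
type=AVC msg=audit(1346281215.444:314): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/user/.ssh/id_rsa" pid=4201 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# Directories a browser profile should never be allowed to execute from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# key=value or key="quoted value" pairs as emitted by AppArmor/auditd.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ExecDenial:
    timestamp: float   # epoch seconds taken from msg=audit(<epoch>:<serial>)
    profile: str       # confining AppArmor profile
    path: str          # file the profile refused to execute
    comm: str          # process name that attempted the exec


def parse_fields(line: str) -> Dict[str, str]:
    """Split one log line into a dict of its key/value fields."""
    return {k: (q if q else u) for k, q, u in _KV.findall(line)}


def exec_denials(log_text: str, dirs=TEMP_DIRS) -> List[ExecDenial]:
    """Return every DENIED exec whose target lies under one of `dirs`."""
    hits: List[ExecDenial] = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "exec":
            continue
        path = f.get("name", "")
        if not path.startswith(dirs):
            continue
        m = re.search(r"audit\((\d+\.\d+):", f.get("msg", ""))
        ts = float(m.group(1)) if m else 0.0
        hits.append(ExecDenial(ts, f.get("profile", "?"), path, f.get("comm", "?")))
    return hits


def count_by_profile(denials: List[ExecDenial]) -> Dict[str, int]:
    """Tally denials per profile, handy for a quick 'which app is being hit' view."""
    counts: Dict[str, int] = {}
    for d in denials:
        counts[d.profile] = counts.get(d.profile, 0) + 1
    return counts


if __name__ == "__main__":
    found = exec_denials(SAMPLE_LOG)
    for d in found:
        print(f"{d.timestamp:.0f} {d.profile} ({d.comm}) blocked exec of {d.path}")
    print(count_by_profile(found))
```

    On a real host the same function can be pointed at /var/log/kern.log or /var/log/audit/audit.log; the denied read of id_rsa in the sample is deliberately left out of the result, since this detector is only about exec attempts from temp locations.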
     
  14. joeyg

    joeyg Registered Member

    Joined:
    Jul 20, 2011
    Posts:
    3
  15. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Hey Rmus,

    I'm hoping me showing you a screenshot will help.

    Settings, Preferences, Advanced tab, Content.

    Enabling the plugins globally but using the plugins on demand option, you will have a box where the plugin is and a big play button. No plugin will automatically load on any page and will require a user to click on the play button.

    I have uploaded a second picture with an example of the on demand plugins, which in this case is blocking Flash adverts until the play button is pressed, but it works for all plugins including Java.

    I don't whitelist any site for plugins in case a legitimate website gets hacked and prefer the on demand plugins for all websites.
    I am using Opera 12.02 64-bit
     

    Attached Files:

    Last edited: Aug 30, 2012
  16. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,248
    Location:
    USA
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Hardly. The vulnerability was reported a long time ago and it's been 4 days of exploitation.
     
  18. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    For those that ran or run Oracle | Java, obtain your patches here
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, lodore, I see what you were referring to.


    ----
    rich
     
  20. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Downloads for Oracle | Java: Java SE 7u7 & Java SE 6 Update 35, here. Affected versions were: JRE 7 Update 7 and earlier; JRE 6 Update 34 and earlier.
     
  21. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Saw that in the other thread. Thanks.
     
  22. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Not sure if this blocks the exploit but Chromium (I use it) asks me every time a website wants to run Java. :D :rolleyes:
     
  23. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Not a prob, though the other thread really should have been combined by the Mod team with this one, as this is ongoing, for feedback, outcome, comments, etc. All due to all concerned.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It does.
     
  25. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Only 9 of 22 virus scanners block Java exploit
     