Critical 0-Day Java Bug "Massively Exploited"

http://arstechnica.com/security/201...bug-is-being-massively-exploited-in-the-wild/

"According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7."

I wonder how long Oracle will take this time?

 

Its starting to look like the Java plugin is the one to go to for new exploits instead of Flash.

 

Flash will keep getting attacked as long as it remains in massive use. But, as far as I know, Java does not have any sandbox protection or much protection at all from attacks. It's pretty easy pickings, which makes the use of it for financial institutions and other secure sites pathetic. It seems like the XP of the plugin world, the thing just won't die off.

 

Flash isn't nearly the threat it used to be. Flash 0days are far less common than they used to be - the majority of users, or at least a very significant amount, are using a sandboxed Flash.

Flash also has an auto-updater, so users are patched more frequently.

Java does have a sandbox, it's just awful. Most of the attacks we see are sandbox bypasses that allow arbitrary code to run as if it were signed/trusted.

Oracle takes ages to patch typically. I think it's fair to expect that this one will hit quite a number of users.

Linux users should set up an apparmor profile for their Java plugin, it's very simple.

 

Also cited: https://net-security.org/secworld.php?id=14216
http://isc.sans.edu/diary/Java is still exploitable and is likely going to remain so /14899
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/

 

I wasn't aware there was a sandbox for it, thanks for that bit of knowledge. Does Oracle really even care these days? I'm sure someone there gives a damn, but it seems like the overall response is "Meh, we'll get to it".

 

It's not a sandbox like the one used in Flash or Chrome. As we've seen so many times it's not all that useful.

 

Evidently one payload is an .exe file which is ransomeware:

http://4.bp.blogspot.com/-uSzVCnlQBQQ/UO7BiRpj_uI/AAAAAAAAFfU/5d74nSvL8GI/s1600/screenshot_195.png

(image link from http://malware.dontneedcoffee.com/ -- all links to the exploit posted there no longer work)


----
rich

 

• Article

 

• Article.

ESET's Robert Lipovsky wrote:

Blog entry

 

Shame that a lot of Brazilian banks require Java to install their "own security"...
It's ridiculous that the banks do so and let the users with this vulnerability.
This is what we get when developers think more in "their" security than ours (users).

 

Soooo.... for the moment, setting aside The U.S. Department of Homeland Security's advisement for users to disable Java software, is this an issue that current AVs or MBAM can address?

 

What I don't understand is that despite all the warnings, we continue to run Sun Java. Unless you are implicitly required to run it, there is no point in risking using this software. All due to Larry Ellison.

 

I don't know why anyone would install it unless absolutely necessary at this point. I have been rid of it for a couple of years now.

 

I'm glad I don't need Java for anything here, including online banking.

If I ever needed Java for something like online banking, I would certainly prefer to use a portable browser with Java Portable (jPortable) to restrict it as much as possible: http://portableapps.com/apps/utilities/java_portable

 

'Homeland' tells computer users to disable Java

Hi

I thought I would post this info, as I am aware that it appears java continues to be a problem in regards to malware/hacking, etc. I think the advice given is proper, although I am not a real fan of DHS.

http://finance.yahoo.com/news/us-government-tells-computer-users-010200788.html

Personally, I run FF with No script which I think is prudent considering the security holes within java plugin.

Have a good weekend

Jim

 

I have Java disabled in Opera and enabled in IE & Chrome at the high security setting. Since I do 99% of my browsing with Opera and only use the other 2 for specific business related sites I feel this is a reasonable solution.

If you want to turn Java off in a particular browser (or completely for all) but do not know how to see http://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java-browser/

 

So if i want to watch videos on you tube are there any other option's than java/flash player?and does exploitshield keep you safe from these attacks?
My go to browser is chrome,does html5 work with this browser and is it safe?
Many Thanks

 

31 August 2012, 11:36
Only 9 of 22 virus scanners block Java exploit

According to an analysis conducted by the AV-Comparatives test lab on behalf of The H's associates at heise Security, less than half of the 22 anti-virus programs tested protect users against the currently circulating Java exploit that targets a highly critical vulnerability in Java version 7 Update 6.
Two versions of the exploit were tested: the basic version that was largely based on the published proof of concept and started the notepad instead of the calculator, and, for the second variant, heise Security added a download routine that writes an EXE file to disk from the internet. The test system was Windows XP that, except in the case of Avast, Microsoft and Panda, had the full versions of the security suites installed. For Avast, Microsoft and Panda, the researchers used the free versions of the products.

Only 9 of the 22 tested products managed to block both variants of the exploit (Avast Free, AVG, Avira, ESET, G Data, Kaspersky, PC Tools, Sophos and Symantec). Twelve virus scanners were found to be unsuccessful (AhnLab, Bitdefender, BullGuard, eScan, F-Secure, Fortinet, GFI-Vipre, Ikarus, McAfee, Panda Cloud Antivirus, Trend Micro and Webroot). Microsoft's free Security Essentials component at least managed to block the basic version of the exploit.

It should be pointed out that these results are based on a snapshot taken on 30 August at 1pm and don't represent the overall quality of these anti-virus programs. The tested version of Java was current at the time, and the exploit code had been in circulation for several days.

 

That article is from 31 August 2012... I suppose this thread is about a different Java vulnerability and exploit.

 

Yes ExploitShield does protect against the latest Java7 0day, as well as the latest IE 0-day and the previous Java 0day, etc. etc.

 

Yes, but all of the Java Exploits that make their way into the Exploit Kits that pervade the internet have in common that they download/infect with a binary executable file. The article mentions that this action was tested:

Look here:

0 day 1.7u10 (CVE-2013-0422) spotted in the Wild - Disable Java Plugin NOW !
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html

Enlarge the screenshots that show the "GET http" routines; look at the "Request Headers" boxes and you see that cybercriminals just insert the URL to their respective payload download site into the exploit code they have purchased from the underground sites that sell the vulnerability exploits.

If you missed it, see Brian Kreb's blog:

Zero-Day Java Exploit Debuts in Crimeware
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/

Now, the article Wild Hunter refers to reports that "Only 9 of 22 virus scanners block Java exploit." But that is the wrong type of product to insure that an unauthorized executable can not write to disk.

There are just too many protective solutions today against this type of payload, making it easy to have something on board to prevent this type of exploitation, should a user encounter such an exploit by accident:




----
rich

 

What You Need to Know About the Java Exploit:

http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/