CSIS study lists the major programs and vulnerabilities targeted by web exploit kits

Discussion in 'other security issues & news' started by MrBrian, Oct 4, 2011.

Thread Status:
Not open for further replies.
  1. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I can confirm that on IE9, when you specifically select "don't enable plugins", then go into Manage add-ons and also disable the 3 ActiveX controls for Java, an exploit kit will still load Java through IE and can successfully exploit it (two trojans as before).

    I tried the registry edit mentioned in the CERT article, but it didn't prevent Java from being exploited. I only added the CLSID for JDK, but will try the CLSIDs for the other components later.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Could you try and see if, once you close IE9 after running the Java test, any iexplore.exe processes remain active?

    I did check it again, and that's why Java still loaded when I previously tested it.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, as I previously mentioned, when it comes to Java, Firefox, Google Chrome or Opera would be the best options to be safer, because even with everything disabled in IE, an exploit will still be able to run Java. o_O

    For good reasons I got it blocked by default. lol
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    So... Chrome actually does stop the exploit. Right?
     
  5. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Looks like it, but it's something we already knew from exploit kit statistics, e.g. http://labs.m86security.com/wp-content/uploads/2011/05/panel2.png

    With so few Chrome infections, it's more a question of why any of the 15000+ were exploited. I wonder if the 57 exploited 'Chrome' browsers were actually other browsers with false user-agent IDs.
     
  6. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    This is quite the headache, yet another reason to stay the heck away from Java. Is it exploiting a loophole in IE to stay enabled? That would be my guess.

    I tried disabling "Scripting of Java applets", which according to Google is the way to disable Java in later versions of IE. The Java test site continues to say "no java detected on your system" yet continues to load it.

    If I change "Allow Scriptlets" from the ActiveX section to prompt, it will ask me to load Java when I visit the test page. If I state no, the test page will give me the same "no java detected on your system" but still loads it under that message about 5 seconds later. Meanwhile the usual IE9 notification bar tells me "This site may not run correctly as you chose to prevent certain ActiveX controls from loading" or something similar.

    This plugin is like a disease that won't die; the only way is using ActiveX filtering. I'm going to shoot off a few emails to some friends and see if they know more about this than I do.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Meh, as long as I'm protected on Chrome.
     
  8. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Discovered a registry workaround that appears to work. A site advised looking in the registry for the 'UseNewJavaPlugin' key, but it made more sense to alter the UseJava2IExplorer key instead, which I did.

    HKLM\Software\JavaSoft\Java Plug-in\x.x.x_xx,
    then change 'UseJava2IExplorer' to 0 (from 1).

    [image: disabledjavafinally.png]

    Afterwards you get a 'plugin failed to load properly' message on the Java test page.

    I'll test with another exploit kit, as the one I was using yesterday no longer is accessible to me (again).

    Ridiculous that one needs to use a registry editor just to disable a common browser plugin.
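As an added example (not from the thread or from RJK3), here is a PowerShell script that audits every installed Java Plug-in version for the UseJava2IExplorer value described in the post above and, with -Remediate, sets it to 0. It assumes the key path given in the post, HKLM\SOFTWARE\JavaSoft\Java Plug-in\<version>, plus the Wow6432Node mirror that 32-bit Java uses on 64-bit Windows; treating a missing value as "enabled" is an assumption.

```powershell
# Added example, not part of the forum thread. Audits (and optionally clears)
# the UseJava2IExplorer value that RJK3 found controls Java's hook into IE.
# Assumptions: keys live under HKLM\SOFTWARE\JavaSoft\Java Plug-in\<version>
# (per the post) and, for 32-bit Java on 64-bit Windows, under the Wow6432Node
# mirror of that path. Run from an elevated prompt when using -Remediate.
param(
    [switch]$Remediate
)

$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
)

$results = foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    # One subkey per installed plug-in version (the x.x.x_xx in the post).
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -Name 'UseJava2IExplorer' -ErrorAction SilentlyContinue
        $value = if ($props) { $props.UseJava2IExplorer } else { $null }
        # Assumption: a missing value is treated as enabled (the post saw it set to 1).
        $enabled = ($value -ne 0)
        if ($Remediate -and $enabled) {
            # Same change RJK3 made by hand: 1 -> 0 for this version.
            Set-ItemProperty -Path $_.PSPath -Name 'UseJava2IExplorer' -Value 0 -Type DWord
            $enabled = $false
        }
        [pscustomobject]@{
            Version           = $_.PSChildName
            Key               = $_.Name
            UseJava2IExplorer = $value
            IEPluginEnabled   = $enabled
        }
    }
}

if (-not $results) {
    Write-Host 'No Java Plug-in registry keys found.'
} else {
    $results | Format-Table -AutoSize
    if (@($results | Where-Object { $_.IEPluginEnabled }).Count -gt 0) {
        Write-Warning 'At least one Java version is still registered for IE. Re-run elevated with -Remediate to set UseJava2IExplorer=0.'
    }
}
```

Rmus' caveat later in the thread still applies: this only disables the IE hook for the versions it finds, so confirm the result on the Java test page afterwards.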
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You can also block Java in IE using Group Policy Editor. Not available in all Windows versions, though.

    That was the reason I couldn't run Java in IE, yesterday.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In IE8, that value is controlled from within the Advanced Options:

    [image: ie-javaOpt.gif]

    Please post back your results.

    I just tested one and it does not work with the Plug-in disabled.

    Of course, this covers this particular exploit. Do you know which of the exploits it is, and are you confident that no other JAVA exploits would work?

    regards,

    -rich
     
    Last edited: Oct 10, 2011
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This JAVA exploit works also in Opera, *if* both plugins and javascript are enabled. I had a chance to peek at the code in the page:

    [image: opera-javaCode.gif]

    Opera has Global settings:

    [image: opera-javaprefGlobal.gif]

    The user can choose to disable JAVA and Scripting globally, and enable them per site.
    In this case, the user is protected in case of being redirected to a site booby-trapped with a JAVA exploit,
    since that site will not have content/scripting enabled:

    [image: opera-sitePref1a.gif]

    [image: opera-sitePref3.gif]

    And the page just loads and sits there and won't run any of the code:

    [image: opera-site.gif]

    (This is Opera 9. Newer versions may have different displays.)

    Again, this works to protect against this particular exploit.
    Since it's been stated that some JAVA exploits run even if Plugins are disabled (they don't mention Javascript),
    one should have other protection in place to catch the payload just in case.

    For example, most AV have heuristics that identify these already patched exploits.


    regards,

    -rich
     
    Last edited: Oct 10, 2011
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    So from what I'm reading this affects Opera, IE9, and Firefox when Java is disabled and that's the only mitigation taken (i.e. JavaScript enabled).
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I still haven't re-read the rest of the thread, but judging by Rmus' post, that particular exploit only worked because both Java plugins were enabled, as well as JavaScript.

    I couldn't tell if having the plugins disabled would suffice for Opera. And, from what I recall, Java would still load only for IE, even in the more than safe Java test page. Java would still run with all Java plugins disabled.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If Javascript is enabled and the Plugin disabled per site, nothing happens. Same as my screen shot above, where both javascript and plugins are disabled.

    It appears that configuring the browser properly takes care of things.

    regards,

    -rich
     
    Last edited: Oct 12, 2011
  15. wat0114

    wat0114 Guest

    Interesting Java test: after uninstalling 32-bit Java and keeping only the 64-bit version, Java Tester (-http://javatester.org/version.html) doesn't load, because an "Add-on failed to load". However, Karl's Mortgage Calculator (-http://www.drcalculator.com/mortgage/ca/) loads under the 64-bit Java. After re-installing 32-bit Java, the test page loads fine, so obviously it only likes the 32-bit Java, while Karl's will load under both 32 or 64.

    I'm thinking now that with IE9, the only way to restrict Java is by using an application control in the firewall, restricting java.exe to only trusted IP addresses?

    EDIT

    Weird... now it works with only x64 right after I uninstalled the 32-bit Java o_O
     
    Last edited by a moderator: Oct 12, 2011
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's the idea I had. Opera properly blocks Java, hence the exploit not being successful.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I had to edit my post #89 because I realized that I had JAVA enabled for the site, but not Plugins. So, the exploit attempted to run via the script, but failed.

    I show in an earlier screen shot of the Site Preferences that there is a check box for both JAVA and Plugins. I'm not sure what's going on behind the scenes, but I just keep both disabled and no JAVA exploit is successful.

    regards,

    -rich
     