Attackers Pounce on Zero-Day Java Exploit

Discussion in 'malware problems & news' started by siljaline, Aug 27, 2012.

Thread Status:
Not open for further replies.
  1. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Warning on critical Java hole:
    Article
     
    Last edited: Aug 27, 2012
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Glad I have no Java on Windows or OS X, and I removed Adobe Reader from both OSes.
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I find no compelling reason to run Java either.
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Is that your blog?
     
  5. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    That blog would belong to an old friend from the security community: Corrine
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Linux users can sandbox Java easily.

    Java may run in the Chrome sandbox as well. It's unclear but the process is a chrome process with the java*.so as a parameter, the same way Flash is.
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I like it, it's a nice blog IMO. :thumb:
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From the article:

    Some organizations don't find it convenient to disable Java. Fortunately, organizations that give their System Administrator the leeway to lock down systems so that non-whitelisted executables cannot run/install are protected by a variety of solutions available against exploits that deliver a binary executable payload.

    ----
    rich
     
  9. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,075
    From the article:
    Can anybody confirm if v6 is also affected?
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Attackers Pounce on Zero-Day Java Exploit
    http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

    "Does not appear" isn't a very confident answer. I would want to see actual test results, or at least other confirmations, before concluding that v.6 is immune.


    And:

    Once in an Exploit Kit, you can be sure that it will circulate widely very soon!


    ----
    rich
     
  11. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Cited: here, there is not a lot of confidence in these findings, either.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Oh well, I run Java for the few sites I need it for with utmost confidence for the same reasons Rmus cites.
     
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Right on! Just so everyone is on the same page, I have nothing to contend with that Rmus has lined out. What needs clarification is what builds of Oracle's Sun Java are currently affected. More as I know more or as anyone with solid information could add to this thread.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Thank you for the information, siljaline. It is, however, unfortunate that Java requires constant "assistance" from security measures that, although easily implemented, are not necessarily well known or mainstream for most typical home PC users.
     
  15. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Java 0day found in the wild

    (http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/)

     
  16. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Sophos reports.
    Secunia Advisory 50133
     
    Last edited: Aug 28, 2012
  17. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
    Merged Threads to Continue Same Topic.
     
  18. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    276
    Location:
    SE Asia
    I wonder if EMET is of use in this one. Can any of the experts comment?

    Just in case I have disabled Java in my Browsers, and indeed it's just surprising how (not) that many websites are using Java. ;)
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    EMET will almost certainly not do anything to stop this. For whatever reason, in Java 7.0 something that should have been protected was made unprotected, allowing for unprivileged code to essentially set its own privilege. EMET doesn't really play into this.
     
    Last edited: Aug 28, 2012
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Rather than seeing some security experts suggesting to remove/disable Java from every system (and, for certain, many have it because it's needed), maybe they should just explain to users, in general, how to allow it to specific websites?

    If you allow it to specific websites, then what do you have to worry about? The boogeyman? o_O

    Yes, it's worrying that Oracle doesn't do crap to minimize the risk of security vulnerabilities, but it's not the same as saying anyone using Java is doomed. :ouch:
     
  21. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    This thread discusses software that is currently Zero-day, m00nbl00d. :ouch:

    The intention is not how anyone can get in pecking order to suggest ways of being exploited while your system is vulnerable assuming you run Oracle Java.

    We wait for a patch from Oracle.
     
  22. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,509
    Reuters article about the exploit says to immediately disable Java:
    http://www.reuters.com/article/2012/08/27/us-cybersecurity-java-idUSBRE87Q18820120827

    There's a link at the bottom of the article to Rapid7 site to see if Java is exploitable on your computer:
    http://www.isjavaexploitable.com/

    Java on my Sandboxied Chrome wasn't recognized as exploitable there, even though

    Java - Version: 10.5.1.255
    NPRuntime Script Plug-in Library for Java(TM) Deploy
    Name: Java Deployment Toolkit 7.0.50.255

    is listed in my Chrome plugins.
     
  23. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Out of interest, rather than panic, would Sandboxie with Drop Rights 'on' stop the exploit should I happen to land on a compromised page?

    The article link shows me that my Java (IE9) is indeed exploitable...

    Thanks

    philby
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah... the boogeyman... What's news? Tell me, when was the last time a zero day against Java didn't exist? Precisely.

    Every time I hear something about a new zero day, etc., I always see a few people advising people to remove Java. Guess what? Maybe many of the people running Java actually need it? So, the solution is not to remove it, but actually to allow the plugin to be accessible by whitelisted domains.

    So, if I whitelist the Java plugin to the IRS website domain only, then what the heck would I care about some zero-day? How would it (the zero-day) hurt anyone, if these people knew they can isolate the plugin?

    Maybe if people security firms (who also have blogs), security experts, etc., mentioned these little details, there would be no reason to overhype these Java/Flash zero-days.

    I have done that to many systems. So what if there's a new zero-day tomorrow and the day after? Because, guess what? There will be many more zero-days against Java... and people will still need to use it then. So, maybe instead of saying to disable/remove... maybe just whitelist the access to the one or two websites that actually need it.

    That's all I'm saying.

    But, I also mentioned that I'd like to see Oracle more proactive about these bugs. ;)
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Whitelisting Java to specific websites would stop it, too. Sandboxie would, at least, contain the exploit to the sandboxed area, thus not letting it affect the real file system.

    Internet Explorer 9 has ActiveX filtering. I think that if it's enabled, then it should allow you to whitelist the Java plugin on a per-site basis. Maybe someone using IE9 can say a word about it. :)
     