Attackers Pounce on Zero-Day Java Exploit

Discussion in 'malware problems & news' started by siljaline, Aug 27, 2012.

Thread Status:
Not open for further replies.
  1. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    New Java 7 exploit can potentially affect Macs
    Researchers find second Java bug
     
  2. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Thank you m00nbl00d!
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,068
    Location:
    Texas
    While Java may not be the choice du jour for many users, I have to wonder if any of these "researchers" have been in touch with Oracle about their findings before setting the woods on fire.

    Reporting Security Vulnerabilities
     
  4. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    As a Java zero-day spreads, disclosure questions arise
    Attack targeting critical Java bug added to hack-by-numbers exploit kit
    Links in quotes are de-linked, see article headers for all the details.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Interesting quote taken from the Reuters link in #22 (the underline is mine):

    Are they really sure about that? :)
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    In terms of preventing the exploit there's very little you can do once you actually hit an exploit page. There's no patch out and EMET won't prevent it so you're stuck having to try to limit the damage.
     
  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Surely the plugins-on-demand option in both Firefox and Opera would prevent the attack, since the plugin won't load without permission?

    You need to enable the option manually in Opera first, though.
     
    Last edited: Aug 28, 2012
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    NoScript in Firefox or an anti-executable approach should work as well.

    In a Krebs on Security blog post from mechbgon ( -http://www.mechbgon.com/build/security2.html#srp-)

    -http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/-

     
    Last edited: Aug 28, 2012
  9. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Hmm, I got Java on my everyday desktop because some websites I use need it, but I don't have it on my laptop.
    To uninstall or not to. :D
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, the description, "researchers," has been hijacked, unfortunately, by those who really have no interest in working with responsible disclosure.

    (I'm sure you already know this Ron!)


    ----
    rich
     
    Last edited: Aug 28, 2012
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi lodore,

    I'm not sure what you mean by the last statement.

    In Opera, to whitelist plugins per site, you first disable them in global preferences:

    opera_global.gif

    Then, you enable via site preferences for each site you wish:

    opera_site.gif

    I've tested this in the past both directly from a site which hosted the Blackhole Exploit Kit, and by being redirected from a site compromised by SQL injection.

    The JAR file in the exploit will not execute if the plugin is not enabled for the site in question.


    ----
    rich
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi siljaline,

    I can confirm that the exploit is up and running in sites that host Blackhole, and that the exploit does not work against v.6 of Java (which I currently have installed).

    Looking at several sites this afternoon, the JAVA icon appears briefly, then another exploit runs.
    Here, the HelpCenter exploit attempts to serve up a flashupdate:

    helpcenter1.jpg

    helpcenter.jpg

    In the past, the JAVA exploits in Blackhole did run against v.6:

    [​IMG]

    (Plugins were enabled for testing these exploits, otherwise, they don't run)


    ----
    rich
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thank you again Rmus. You are the best :thumb: :)
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A year ago, you would say "Adobe PDF Reader" instead of JAVA!

    It really doesn't matter what software is being exploited via an Exploit Kit: the end result is always the same -- download a trojan executable of some type. Basic protection, covered already, nullifies these exploits, so there is nothing more to add.

    We (meaning those who have some knowledge about security) have to be a bit kind and understanding in this case.

    Most of the general security blog writers know they are addressing the general public, and the easiest and most effective recommendation they can give is to just uninstall JAVA until a patch is issued. You can't blame them for that.

    Think of all of the different ways the various browsers control plugins. It would be quite cumbersome to ensure you (the writer of the blog) covered all bases, and hope that your general readers have some understanding of what you are suggesting. One who didn't could come back and say your advice didn't work!

    You can argue that it is the responsibility of each user to learn to control the security features of the browser in use, but unfortunately, that's not the case most of the time with the general public.

    Brian Krebs is one security blogger who does advocate whitelisting plugins. I linked to Krebs's blog on this exploit in an earlier post; here it is again:

    http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

    regards,

    -rich
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are welcome, wat0114!


    ----
    rich
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would never really tell users to use Java on a website whitelist. That's gotta be a pain to manage.

    Half the battle in terms of security is getting users to actually do something.
     
  17. The_1337

    The_1337 Registered Member

    Joined:
    Aug 10, 2007
    Posts:
    112
    Oh man, should have been on Wilders earlier. Java was enabled until this past hour. Now I'm scanning with MBAM and 1 object has been detected (oh, the scan finished and it was nothing).

    These past few days, Private Firewall has had pop ups on a bunch of stuff I'd already allowed and it all looked benign, so I just let it all through. Could this have been related?
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Same old story really.

    Knowledgeable users understand that something like Java could cause issues, so they take measures to restrict it. Nothing new there.

    The uneducated use it because they are required by some website/webapp. They install and move on. There is nothing restricting it, and in XP/admin account it runs wild, or in UAC they click "duh, ok" and it runs wild. Nothing new there either.

    I don't really believe the whole "do this or you will get infected/compromised" conspiracy theories - for myself. Haven't found one yet that bit me. But, I do think the best thing to do is make it known to the uneducated. Whether you need to "cry wolf" to achieve this is another matter, but something is better than nothing.

    Sul.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    Very easy to disable Java on Chrome if you have it running.
    I don't have Java installed on one W7 box, and it is installed on another W7 box.
    I turned it off on that one, and I also disabled it on an XP box I run.
    This is in Chrome.
    I am finding that disabling Java in IE is a whole different story, as in I can't accomplish it.
    I followed instructions as linked by justenough here, to no avail.

    Meanwhile, the version of Java I have is 6, and Rmus has said that 6 is not exploitable (despite what Is your Java exploitable? says).
    Bottom line for me is, I use Chrome predominantly, and Java is disabled (or not installed). But IE is a different story, as far as inability to unplug it.

    Excellent thread, by the way... the kind of thread that makes me glad I'm a member here. :)
     
  20. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Indeed, I haven't used Java for some years and I have had no problems.
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Similar to Rmus, but I have Java 100% disabled in FF, plus I have an AntiExe, ProcessGuard. I know Rmus has one too :) So they block/prompt any new .exe etc. that tries to run :thumb:

    @ Page42

    I still have IE6 but don't use it anymore. But when I did, I was able to disable it like this for one.

    ie1.gif

    You might find this useful ;)

     
  22. tomazyk

    tomazyk Guest

    DITTO! :thumb:
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    @ CloneRanger ...
    Thanks for the reply.
    Unfortunately, turning Java off by the traditional means in IE still produces an unsatisfactory result on the test page noted above. :(
    Java disabled in IE.jpg
    Java is exploitable.jpg
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Multiple people are having the same results with IE.
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    Do you think the results returned by isjavaexploitable.com are unreliable, or are the methods of turning java off in IE unreliable?

    Edit in: For the record, I used all methods to turn off IE Java outlined in this article.
     
    Last edited: Aug 29, 2012