Attackers Pounce on Zero-Day Java Exploit

Discussion in 'malware problems & news' started by siljaline, Aug 27, 2012.

Thread Status:
Not open for further replies.
  1. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    Blog by Dutch security company Fox-IT from a few days ago:
    "Observations on the recent Java 0-day exploits in the wild"
    http://blog.fox-it.com/2012/08/30/observations-on-the-recent-java-0-day-exploits-in-the-wild/

    May I quote just only one interesting part because it links to Dorifel :

     
    Last edited: Sep 1, 2012
  3. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    I have Java on my computers. I have no idea how much, or if it's used at all. There are other users that constantly play games/videos; that's why I keep it. I guess Sandboxie would protect me anyway, however I have removed it and will see if I actually need it at all.
     
  4. iammike

    iammike Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    342
    Location:
    SE Asia
    I am the same. I have been installing Java on every computer since it was still called Microsoft Java Virtual Machine, and I always thought it was necessary, but just since a couple of days ago (discovering the first Zero Day Exploit) I have uninstalled Java and I am surprised to have learned that not that many websites (in my case, that is) use Java. My personal guess is that the problem will be a lot greater when a Zero Day exploit is found in Flash. But then again Java and Flash are the first things people install on their PC ;)
     
    Last edited: Sep 2, 2012
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For users of Firefox, SeaMonkey, Pale Moon, and other Mozilla browsers, the PrefBar extension provides an easy way to enable Java, Flash, JavaScript, and other options. This is one of the simplest ways to mitigate the risk from vulnerable plugins like Java. You can leave Java, Flash, etc. disabled by default and allow them only when needed on sites that you trust.
    [image: prefbar.gif]
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Java Exploit info

    So as usual, those of us with AntiExe etc. software, and/or default-deny policies, have Nothing to fear :D
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Java 0day analysis (CVE-2012-4681)

    -http://immunityproducts.blogspot.ca/2012/08/java-0day-analysis-cve-2012-4681.html-

    I don't understand most of the technicalities, but in short: the exploit is able to execute with full permissions!
     
    Last edited: Sep 3, 2012
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  9. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
  10. Dundertaker

    Dundertaker Registered Member

    Joined:
    Oct 17, 2009
    Posts:
    391
    Location:
    Land of the Mer Lion
    In addition to disabling Java in browsers, are there any firewall settings that can be set for additional protection..?
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    If you are using an application outbound control firewall, the trojan should not be able to download other malicious payloads. See Rmus' post #37 in this thread:

    -http://www.wilderssecurity.com/showpost.php?p=2107470&postcount=37-
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    With Java disabled, then the Java exploit code cannot execute, and the firewall would not come into the picture.

    Now, if Java is enabled, one way the firewall can protect is if the exploit uses the Java engine to connect out.
    If the user doesn't have the java.exe application whitelisted in the firewall list, then the firewall will alert:

    [image: java_ff_1.jpg]

    NOTE: This site hosts the Blackhole Exploit Kit, which has an "updated" version of the exploit which does run against my Java v. 6

    If I deny the outbound connection, then an error message appears:

    [image: java_ff_2a.jpg]

    So, the Java exploit fails to run.

    But the user may not be out of danger just yet! The Blackhole Exploit Kit will serve up another exploit if the Java exploit fails.

    The post that wat0114 links to shows the scenario on a site that hosted the Blackhole Kit, where the Zero-Day Java Exploit code did not execute against Java 6 on my computer (the plugin was enabled).

    Then, the exploit code on the site served up another exploit, the one that targets the Microsoft Help Center.

    That application (helphost.exe) attempting to connect out causes the firewall to alert (that application is not authorized by me -- non-whitelisted).

    For testing, I permitted the connection out to snag the executable payload.

    regards,

    -rich
     
    Last edited: Sep 3, 2012
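    The posture Rmus describes above (a program that is not whitelisted must not be allowed to connect out) can be enforced for the Java runtime with Windows Firewall rules. This is an added example, not code from the thread or from any poster; it assumes Windows 8 / Server 2012 or later (the NetSecurity module), an elevated session, and Java installed under the usual Program Files roots. It only covers the java.exe/javaw.exe processes themselves, so disabling the browser plugin, as the thread recommends, remains the primary mitigation.

    ```powershell
    # Added example (not from the thread): block outbound connections from every
    # java.exe / javaw.exe found on the machine, then audit what rules reference them.
    # Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
    #Requires -RunAsAdministrator
    Import-Module NetSecurity

    # Discover the Java binaries instead of hard-coding a version-specific path.
    $roots = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java") |
        Where-Object { Test-Path $_ }
    $javaBins = Get-ChildItem -Path $roots -Recurse -Include java.exe, javaw.exe `
        -ErrorAction SilentlyContinue

    foreach ($bin in $javaBins) {
        $name = "Block outbound - $($bin.FullName)"
        # Skip binaries that already have our rule, so re-running is idempotent.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Program $bin.FullName -Profile Any -Enabled True | Out-Null
        Write-Host "Blocked outbound for $($bin.FullName)"
    }

    # Audit: show every firewall rule that references a Java binary, so a stray
    # Allow rule (e.g. added earlier by another tool) is visible and can be removed.
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -match 'javaw?\.exe$' } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Direction, Action, Enabled
    ```

    A blocked attempt shows up in the Windows Firewall log (or Event Viewer under Windows Filtering Platform auditing, if enabled), which is the same signal the alert screenshots above convey.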
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Java Still Not Safe, Security Experts Say.

    -- Tom
     
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    LOL @ that guy going through all those steps. The best solution is to nuke the hard drive and reinstall fresh (after backing up of course). This should be the one and only step you take when faced with a rootkit.
     
  15. sandals

    sandals Registered Member

    Joined:
    Sep 25, 2012
    Posts:
    1
    Location:
    USA
    Does anyone know if ESET protects against this exploit? Or, is this the same threat that Microsoft issued an update for at http://support.microsoft.com/kb/2736233 ? Any information appreciated!
     
  16. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yes it does :thumb:
     
  17. boombastik

    boombastik Registered Member

    Joined:
    Oct 7, 2010
    Posts:
    272
    Location:
    Greece
    If we have Java installed on our computer and we disable it in our browser (for example Mozilla), are we safe?
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes. You are safe if you disable the plugin.
     
  19. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    This JAVA= Just Another Vulnerability Added...:mad:
    Where is it going to stop? o_O
    Unfortunately, many sites and Apps require this necessary "evil"...:mad:
     
  20. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    Damn right... Java (and Adobe Flash) should be simply called ...SecurityHoleware! Thank god for Sandboxie/Shadow Defender keeping the real system safe from such crap, even when antiexecution is not present or active for some reason.
     