Critical 0-Day Java Bug "Massively Exploited"

Discussion in 'other security issues & news' started by Mman79, Jan 10, 2013.

Thread Status:
Not open for further replies.
  1. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    http://arstechnica.com/security/201...bug-is-being-massively-exploited-in-the-wild/

    "According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7."

    I wonder how long Oracle will take this time?
     
  2. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    It's starting to look like the Java plugin is the one to go to for new exploits instead of Flash.
     
  3. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Flash will keep getting attacked as long as it remains in massive use. But, as far as I know, Java does not have any sandbox protection or much protection at all from attacks. It's pretty easy pickings, which makes the use of it for financial institutions and other secure sites pathetic. It seems like the XP of the plugin world, the thing just won't die off.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Flash isn't nearly the threat it used to be. Flash 0days are far less common than they used to be - the majority of users, or at least a very significant amount, are using a sandboxed Flash.

    Flash also has an auto-updater, so users are patched more frequently.

    Java does have a sandbox, it's just awful. Most of the attacks we see are sandbox bypasses that allow arbitrary code to run as if it were signed/trusted.

    Oracle takes ages to patch typically. I think it's fair to expect that this one will hit quite a number of users.

    Linux users should set up an AppArmor profile for their Java plugin; it's very simple.
     
  5. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Also cited: https://net-security.org/secworld.php?id=14216
    http://isc.sans.edu/diary/Java is still exploitable and is likely going to remain so /14899
    http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
     
    Last edited: Jan 10, 2013
  6. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I wasn't aware there was a sandbox for it, thanks for that bit of knowledge. Does Oracle really even care these days? I'm sure someone there gives a damn, but it seems like the overall response is "Meh, we'll get to it".
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's not a sandbox like the one used in Flash or Chrome. As we've seen so many times it's not all that useful.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Last edited: Jan 11, 2013
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Article
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Article.

    ESET's Robert Lipovsky wrote:
    Blog entry
     
  11. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Shame that a lot of Brazilian banks require Java to install their "own security"...
    It's ridiculous that the banks do so and leave the users with this vulnerability.
    This is what we get when developers think more about "their" security than ours (the users').
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    http://arstechnica.com/security/201...ty-made-possible-by-earlier-incomplete-patch/
     
  13. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    Soooo.... for the moment, setting aside The U.S. Department of Homeland Security's advisement for users to disable Java software, is this an issue that current AVs or MBAM can address?
     
  14. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    What I don't understand is that despite all the warnings, we continue to run Sun Java. Unless you are implicitly required to run it, there is no point in risking using this software. All due to Larry Ellison.
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    I don't know why anyone would install it unless absolutely necessary at this point. I have been rid of it for a couple of years now.
     
  16. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I'm glad I don't need Java for anything here, including online banking.

    If I ever needed Java for something like online banking, I would certainly prefer to use a portable browser with Java Portable (jPortable) to restrict it as much as possible: http://portableapps.com/apps/utilities/java_portable
     
  17. Jim1cor13

    Jim1cor13 Registered Member

    Joined:
    Aug 4, 2012
    Posts:
    453
    Location:
    US
    'Homeland' tells computer users to disable Java

    Hi :)

    I thought I would post this info, as I am aware that it appears Java continues to be a problem in regards to malware/hacking, etc. I think the advice given is proper, although I am not a real fan of DHS.

    http://finance.yahoo.com/news/us-government-tells-computer-users-010200788.html

    Personally, I run FF with NoScript, which I think is prudent considering the security holes within the Java plugin.

    Have a good weekend :)

    Jim
     
  18. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,130
    I have Java disabled in Opera and enabled in IE & Chrome at the high security setting. Since I do 99% of my browsing with Opera and only use the other 2 for specific business related sites I feel this is a reasonable solution.

    If you want to turn Java off in a particular browser (or completely for all) but do not know how, see http://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java-browser/
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    http://www.reuters.com/article/2013/01/12/us-usa-java-security-idUSBRE90B0EX20130112
     
  20. brave71_heart

    brave71_heart Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    6
    So if I want to watch videos on YouTube, are there any other options than Java/Flash Player? And does ExploitShield keep you safe from these attacks?
    My go-to browser is Chrome. Does HTML5 work with this browser, and is it safe?
    Many Thanks
     
    Last edited: Jan 12, 2013
  21. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    31 August 2012, 11:36
    Only 9 of 22 virus scanners block Java exploit

    According to an analysis conducted by the AV-Comparatives test lab on behalf of The H's associates at heise Security, less than half of the 22 anti-virus programs tested protect users against the currently circulating Java exploit that targets a highly critical vulnerability in Java version 7 Update 6.
    Two versions of the exploit were tested: the basic version that was largely based on the published proof of concept and started the notepad instead of the calculator, and, for the second variant, heise Security added a download routine that writes an EXE file to disk from the internet. The test system was Windows XP that, except in the case of Avast, Microsoft and Panda, had the full versions of the security suites installed. For Avast, Microsoft and Panda, the researchers used the free versions of the products.

    Only 9 of the 22 tested products managed to block both variants of the exploit (Avast Free, AVG, Avira, ESET, G Data, Kaspersky, PC Tools, Sophos and Symantec). Twelve virus scanners were found to be unsuccessful (AhnLab, Bitdefender, BullGuard, eScan, F-Secure, Fortinet, GFI-Vipre, Ikarus, McAfee, Panda Cloud Antivirus, Trend Micro and Webroot). Microsoft's free Security Essentials component at least managed to block the basic version of the exploit.

    It should be pointed out that these results are based on a snapshot taken on 30 August at 1pm and don't represent the overall quality of these anti-virus programs. The tested version of Java was current at the time, and the exploit code had been in circulation for several days.
     
  22. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    That article is from 31 August 2012... I suppose this thread is about a different Java vulnerability and exploit.
     
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Yes, ExploitShield does protect against the latest Java 7 0-day, as well as the latest IE 0-day and the previous Java 0-day, etc. etc.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, but all of the Java Exploits that make their way into the Exploit Kits that pervade the internet have in common that they download/infect with a binary executable file. The article mentions that this action was tested:

    Look here:

    0 day 1.7u10 (CVE-2013-0422) spotted in the Wild - Disable Java Plugin NOW !
    http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html

    Enlarge the screenshots that show the "GET http" routines; look at the "Request Headers" boxes and you see that cybercriminals just insert the URL to their respective payload download site into the exploit code they have purchased from the underground sites that sell the vulnerability exploits.

    If you missed it, see Brian Krebs's blog:

    Zero-Day Java Exploit Debuts in Crimeware
    http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
    Now, the article Wild Hunter refers to reports that "Only 9 of 22 virus scanners block Java exploit." But that is the wrong type of product to ensure that an unauthorized executable cannot write to disk.

    There are just too many protective solutions today against this type of payload, making it easy to have something on board to prevent this type of exploitation, should a user encounter such an exploit by accident:

    java_block_payload.jpg


    ----
    rich
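
Added example, not part of the thread or any poster's code: post 24 notes that these exploits end by fetching a binary executable over HTTP, so one detection check is to flag proxy records where the requester's User-Agent is the Java runtime and the response body is a Windows executable. The log layout, hostnames and the function name are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed sample proxy records (not from the thread). Tab-separated fields:
# client IP, User-Agent, URL, Content-Type, first response bytes as hex.
SAMPLE_LOG = """\
10.0.0.5\tMozilla/5.0 (Windows NT 6.1) Firefox/18.0\thttp://news.example/index.html\ttext/html\t3c21444f43
10.0.0.5\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_10\thttp://kit.example/a.jar\tapplication/java-archive\t504b0304
10.0.0.5\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_10\thttp://kit.example/load.php?e=1\ttext/plain\t4d5a9000
10.0.0.9\tJava/1.6.0_37\thttp://intranet.example/app.jnlp\tapplication/x-java-jnlp-file\t3c3f786d6c
10.0.0.7\tMozilla/5.0 (Windows NT 6.1) Chrome/24.0\thttp://vendor.example/setup.exe\tapplication/x-msdownload\t4d5a9000
"""

# The Java runtime's HTTP client identifies itself as "Java/<version>".
JAVA_UA = re.compile(r"\bJava/(\d+\.\d+\.\d+(?:_\d+)?)")
PE_MAGIC = "4d5a"  # "MZ", the first two bytes of a Windows executable
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec"}


class Alert(NamedTuple):
    client: str
    java_version: str
    url: str
    reason: str


def find_java_exe_fetches(log_text: str) -> List[Alert]:
    """Flag requests made by the Java runtime whose response is an executable."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed records
        client, ua, url, ctype, head = fields
        match = JAVA_UA.search(ua)
        if not match:
            continue  # a browser-initiated download, not the JVM
        if head.lower().startswith(PE_MAGIC):
            reason = "PE magic bytes"  # trust content over the declared type
        elif ctype.lower() in EXE_TYPES:
            reason = "executable content type"
        else:
            continue  # JAR/JNLP fetches are normal applet traffic
        alerts.append(Alert(client, match.group(1), url, reason))
    return alerts


if __name__ == "__main__":
    for alert in find_java_exe_fetches(SAMPLE_LOG):
        print(alert)
```

The check keys on the response's leading bytes rather than the declared Content-Type, since the constructed payload record is served as `text/plain`.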
     
  25. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    What You Need to Know About the Java Exploit:
    http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/
     