Exploit for recently-patched Java vulnerability is being integrated into exploit kits

Discussion in 'malware problems & news' started by MrBrian, Nov 28, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. wat0114

    wat0114 Guest

    Since I refuse to disable Java as the author and some others suggest, I restrict my Java-required sites to the IE Restricted zone, slightly modified from its default settings to allow Java and ActiveX controls and Plugins, the latter of which are restricted to only what I have installed and enabled in the managed add-ons. I'm also using x64 IE with compatible x64 Java and Flash. Java permissions are disabled in the Internet zone.
     


  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Patching + EMET is all I need for something like this.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I thought the websites added in Restricted zone were forbidden to execute stuff? :D

    And, you modified the Restricted zone to allow Java, etc? I'm scratching my head, and you're making it bleed... :blink:

    The Restricted Sites Zone as the name implies, is to restrict, not to allow. If you want to allow Java, ActiveX and plugins, then you either allow them in the Internet zone or add the domains to the Trusted zone, leaving them blocked for the other zones.

    Is there some logic I'm failing to understand? There's been a long time since I last used IE... so, give me some break, will ya... :D
     
  5. wat0114

    wat0114 Guest

    Yes, the logic I use is that the Restricted zone is, as the name implies, more restrictive in other settings than the other zones, including Internet and Trusted. My logic is that although the Java is allowed, the site is restricted in those other areas that it wouldn't be in the Trusted or Internet zones. Hope this makes sense :) BTW, I don't place any other sites in the Restricted zone; I use it only for Java-required sites.

    Nothing wrong with that, and I agree it works fine. I just take these extra steps in an attempt to please those in this forum who are extra paranoid cautious :D
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. That makes sense, considering you got no other domains there. :p
     
  7. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Yes, the Enhanced Mitigation Experience Toolkit (EMET) HELPS prevent vulnerabilities in software from being
    successfully exploited and is designed to work with any software, regardless of when it was written or by whom
    it was written. However, some Software may be Incompatible with EMET due to the Risk that Some Applications rely
    on exactly the behavior that the mitigations EMET blocks. SO EMET IS NOT INVINCIBLE.

    The Enhanced Mitigation Experience Toolkit:
    http://support.microsoft.com/kb/2458544


    HKEY1952
     
  8. wat0114

    wat0114 Guest

    Right, that's the key. For Java-required sites I use the Sites to Zone Assignment list in Group Policy, with a value of 4 to force them to the Restricted zone. I've already got the Internet zone and other IE policy settings set quite restrictively, so this already provides good, general purpose security for everything else. Of course this is augmented by all my other "built-in" security as well, with EMET thrown into the mix :)
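An added example, not from this thread or any of its posters, that audits the setup wat0114 describes: it reads the Site to Zone Assignment List policy entries and the per-zone "Java permissions" value (DWORD 1C00) for the Internet and Restricted zones. The registry paths are the standard IE zone keys; it assumes per-user zone settings (the Security_HKLM_only policy not set).

```powershell
# Added example: read-only audit of IE zone assignment and Java permissions.
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted.
$ZoneNames     = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# Site to Zone Assignment List policy writes REG_SZ values here: name = domain, data = zone number
$PolicyZoneMap = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
# Per-zone security settings (assumes Security_HKLM_only is not in effect)
$UserZones     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-SiteZoneAssignments {
    # Lists every domain the policy forces into a zone (wat0114's Java sites should show Zone = 4)
    if (-not (Test-Path $PolicyZoneMap)) { return @() }
    $key = Get-Item $PolicyZoneMap
    foreach ($name in $key.GetValueNames()) {
        [int]$zone = $key.GetValue($name)
        [pscustomobject]@{ Site = $name; Zone = $zone; ZoneName = $ZoneNames[$zone] }
    }
}

function Get-ZoneJavaPermission {
    param([int]$Zone)
    # DWORD 1C00 = "Java permissions": 0 Disable Java, 0x10000 High safety,
    # 0x20000 Medium safety, 0x30000 Low safety, 0x800000 Custom
    $key = Join-Path $UserZones $Zone
    $val = (Get-ItemProperty -Path $key -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
    if ($null -eq $val) { return 'Not set (zone template default applies)' }
    switch ($val) {
        0        { 'Disabled' }
        0x10000  { 'High safety' }
        0x20000  { 'Medium safety' }
        0x30000  { 'Low safety' }
        0x800000 { 'Custom' }
        default  { 'Unknown (0x{0:X})' -f $val }
    }
}

# Report the forced zone assignments, then the Java setting of the two zones that matter here
Get-SiteZoneAssignments | Format-Table -AutoSize
foreach ($z in 3, 4) {
    '{0} (zone {1}): Java permissions = {2}' -f $ZoneNames[$z], $z, (Get-ZoneJavaPermission -Zone $z)
}
# The point of the scheme: Java must be off for everything that is not explicitly placed in zone 4
if ((Get-ZoneJavaPermission -Zone 3) -ne 'Disabled') {
    Write-Warning 'Java is still enabled in the Internet zone; any untrusted site can load applets.'
}
```

Run it in the user's own session (the Zones key is per-user); a machine that has Security_HKLM_only enabled keeps its zone settings under the matching HKLM path instead.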
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The quote you posted isn't about EMET not being effective, it's about EMET not being compatible with everything. It's entirely correct.

    EMET isn't entirely effective though; there isn't a single mitigation technique in it that isn't bypassable on its own. Altogether it makes things quite a lot more difficult, and many automated exploits that don't take it into account won't work. Of course some exploits aren't relevant to these mitigation techniques.
     
  10. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    That is correct, so, EMET is Not Invincible, and, Any Incompatible Software is Not Protected by EMET, and therefore
    Vulnerable to Exploit. However, in theory, EMET is next to impossible to penetrate.


    EDIT: clarity


    HKEY1952
     
    Last edited: Nov 29, 2011
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No, the incompatible software is protected by EMET, it'll just crash and you'll be forced to remove EMET.dll.
     
  12. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Remove the .dll remove the protection.

    \END


    HKEY1952
     
  13. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    The exploit is also ineffective against Chrome :thumb:

     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well that's odd. This isn't the first time we've seen Chrome stop Java exploits... with no real explanation.

    Probably some IPC calls are limited based on their sandbox or some such thing.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From Krebs:
    This may be one - a BlackHole link posted today:

    [attached image: java-nov11.gif]

    Since the aim of the Exploit Kits is to provide a mechanism (exploiting a vulnerability) with which to install a trojan (ransomware, banking, etc), any type of security that denies unauthorized executables is good frontline protection against this type of attack, if a user encounters such a thing before a patch against the vulnerability is installed.

    EDIT: I got the executable payload and it scans as:

    ----
    rich
     
    Last edited: Nov 29, 2011
  16. guest

    guest Guest

    There is a good reason for Sun automatically checking/downloading/installing Java updates every system startup (by default on Windows PCs with Java SE installed).
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Public Java Exploit Amps Up Threat Level:
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Unfortunately, for some reason, and this is something I hear from a lot of people and have seen mentioned in this forum, the update process is somewhat flawed, ending up with Java not being updated. :ouch:

    I don't know if anything has changed, though.
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Dead right :( I know people with Java on Vista & it wants to try & update on every boot. It often fails for "some" reason/s :thumbd:

    *

    What a bloated piece of Constantly badly written, ie: insecure, software it is. I'm glad i don't have it installed, or Ever have :p Yeah i know lots of us wouldn't get caught out with exploits for it, but that's not the point, Plenty of other people do, due to its sloppy code year after year :thumbd:
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Ironically Java is a fairly secure language, the JVM provided by Oracle is just awful.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Tried with Comodo Defense+ (AV turned off)!

    - with paranoid settings maximum proactive security
    - default settings
     


  22. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Nope, it hasn't, at least from what I've seen. I know several people for whom the update fails every time it tries to auto-update.
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Web malware exploitation kits updated with new Java exploit:
     
  24. wat0114

    wat0114 Guest

    From the link MrBrian posted:

    It's so easy for them (cybercriminals) just to prey on the complacent.
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    How about the Linux derivatives?
     