August 21, 2014

New zero-day Java exploit on sale for a five digit sum

(LiveHacking.Com) – A new zero-day Java exploit has been offered for sale on an underground Internet forum used by cyber criminals. The new threat is advertised as working on Java JRE 7 Update 9, the most recent version of Java, but it does not affect Java 6 or earlier versions.

According to Brian Krebs, the exploit is serious enough that an attacker could use it to remotely seize control over any systems running the program. This typically means it would be used to spread malware. If a cyber criminal did buy this exploit it would most likely be used to spread a banking Trojan so that the buyer could recoup the money spent. In the end it is all about money (illegally and immorally gained of course).

The exploit has been offered for sale on an invite-only Underweb forum for an undisclosed sum but the seller suggested that it needs to be five digits (meaning $100,000 or more). There are not many details, but the vulnerability is said to be in ‘MidiDevice.Info,’ a Java class which handles MIDI devices. The seller has tested the exploit on Firefox and Internet Explorer running on Windows 7.

“I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly,” the exploit seller is reported to have written.

Many security experts, including us here at Live Hacking, have lots of concerns about the number of possible vulnerabilities in Java. If you don’t need Java it is best to remove it completely from your system.

As an alternative you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has published a detailed description of these settings.

In brief: Apple updates Java after Oracle’s October patches

(LiveHacking.Com) – Apple has once again updated the versions of Java running on its Mac OS X operating system soon after Oracle released its patches. This is in contrast to the fiasco earlier this year, in which Apple took until April 2012 to push out a patch that had been available to Windows users since February.

This time Apple has been quick off the mark. According to the security advisory: Multiple vulnerabilities exist in Java 1.6.0_35, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_37.

Additionally, for OS X 10.6 and OS X 10.7 this update removes the Apple-provided Java applet plug-in from all web browsers. It also removes the Java Preferences application, which is no longer required to configure applet settings. Mac users who need a Java plug-in (and you really must need it, otherwise don’t bother) can click on the region labeled “Missing plug-in” to download the latest version of the Java applet plug-in directly from Oracle.

The update is available for the last three versions of Mac OS X: Mac OS X Snow Leopard v10.6.8, OS X Lion v10.7 or later, and OS X Mountain Lion v10.8 or later.

Oracle’s latest Critical Patch Update fixes over 30 security vulnerabilities in Java

(LiveHacking.Com) – Oracle has released its latest Critical Patch Update (CPU) which addresses multiple security vulnerabilities in multiple Oracle products including Java. In total the software giant has fixed almost 140 vulnerabilities in a range of its products including Oracle Database, Fusion Middleware, MySQL, Solaris and VirtualBox.

For Java, Oracle has patched a total of 30 holes, all but one of which can be exploited remotely without authentication. This means that just visiting a web page which starts a Java app can cause a PC to be breached and infected with malware. This is the way several types of malware have been spreading in recent times. At the end of August Oracle was forced to release an out-of-band update for Java due to some severe Java vulnerabilities which were being exploited in the wild.

Many of the vulnerabilities were reported to Oracle by Adam Gowdiak of Security Explorations. Adam and his team have reported dozens of vulnerabilities to Oracle. Just under three weeks ago Adam reported a vulnerability that, if successfully exploited, would completely bypass the Java security sandbox. The bug allows hackers / attackers to violate a fundamental security constraint (type safety) of a Java Virtual Machine.

There are lots of concerns in the security industry about the number of vulnerabilities which exist in Java. If you don’t need Java it is best to remove it completely from your system. As an alternative you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has a detailed description of these settings here.

If you need to keep Java on your machine then the most effective measure against these vulnerabilities is by keeping your Java version up to date. To check the version of JRE your browser is running, use this link. You will then be prompted if you need to upgrade your Java version.


In brief: Another critical security issue found affecting Java SE 5/6/7

(LiveHacking.Com) – Adam Gowdiak, founder and CEO of Security Explorations, has posted information on the Full Disclosure mailing list about yet another security vulnerability affecting all the latest versions of Oracle’s Java SE software. He and his team have been able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass. The bug allows hackers / attackers to violate a fundamental security constraint (type safety) of a Java Virtual Machine.

The following Java SE versions were verified to be vulnerable:

  • Java SE 5 Update 22 (build 1.5.0_22-b03)
  • Java SE 6 Update 35 (build 1.6.0_35-b10)
  • Java SE 7 Update 7 (build 1.7.0_07-b10)

It appears that all the major browsers (with Java plugins) are vulnerable. Tests on a fully patched Windows 7 32-bit system were able to compromise Firefox 15.0.1, Google Chrome 21.0.1180.89 and Internet Explorer 9.0.10.

Details have been given to Oracle along with a technical description of the issue found plus the source code for a Proof of Concept demonstrating the complete Java security sandbox bypass.

Apple releases Java update for OS X including Snow Leopard

(LiveHacking.Com) – There has been a flurry of activity over the last few weeks, both by hackers and by the Java engineers at Oracle, around a series of critical vulnerabilities in Java 7 which have allowed hackers to run arbitrary code on a victim’s computer. Oracle recently released a patch for the flaws in Java 7, and at the same time it also released an update to Java 6 (update 35). Now Apple has released the Java 6 update for OS X Snow Leopard and OS X Lion. The Java 6 update addresses a related flaw, CVE-2012-0547.

Apple’s advisory reads as follows “This update configures web browsers to not automatically run Java applets. Re-enable Java applets by clicking the region labeled “Inactive plug-in” on a webpage. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.”

According to Oracle, update 35 addresses CVE-2012-4681 and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. The vulnerabilities may be remotely exploitable without authentication if an unsuspecting user visits a malicious web page that leverages this vulnerability. However there is some confusion as CVE-2012-4681 only affects Java 7.

It seems that the confusion is spreading as Brian Krebs, the renowned and respected security expert, didn’t quite understand Apple’s somewhat hazy advisory either. In an update to his blog post he confirms that the OS X update addresses CVE-2012-0547. “Upon closer inspection, it looks like this patch applies just to CVE-2012-0547,” wrote Krebs.

OS X 10.8 Mountain Lion isn’t affected, as Apple no longer ships Java by default with OS X; however, there are Oracle builds available for the platform. This update is also Apple’s first patch for OS X Snow Leopard since June 12. Apple seems to have abandoned the older OS without any notification or end-of-life announcement, which is typical of Apple. The odd thing is that OS X Snow Leopard still powers around a third of all Macs.

Java 6 version 35 can be downloaded from Apple’s website for OS X Snow Leopard and Lion.

Oracle releases out-of-band update for Java to fix vulnerabilities which are being exploited in the wild

(LiveHacking.Com) – In a surprise move, which security researchers had hoped for but hardly dared believe would happen, Oracle has released an out-of-band update to Java to fix several security vulnerabilities which are being exploited in the wild. The update addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities (CVE-2012-3136 and CVE-2012-0547) affecting Java running in web browsers on desktops.

These vulnerabilities, which are not applicable to Java running on servers or standalone Java desktop applications, can be exploited remotely without authentication. The exploit happens when an unsuspecting user visits a malicious web page designed to leverage the vulnerabilities. Upon successful exploitation the attackers can run arbitrary code on the victim’s computer.

“If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system,” wrote Oracle’s Eric P. Maurice in a blog post.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 “in the wild,” Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Users can download Java 7 Update 7 for Windows, Linux, Mac OS X, Solaris x86 and Solaris SPARC. The update is available in 32-bit and 64-bit versions for all platforms except OS X, which is 64-bit only. New versions of the Java SE Development Kit, bundled with the updated Java runtimes, are also available.

Oracle knew of Java vulnerabilities in April and had proof of concept code examples

(LiveHacking.Com) – It turns out that the latest Java vulnerabilities, which are being used to spread malware across the globe, aren’t zero day vulnerabilities at all. PC World is reporting that Oracle has known about the existence of the two unpatched Java 7 vulnerabilities since April. Polish security firm Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day vulnerabilities that are being exploited in the wild now. Including further vulnerabilities that the company reported to Oracle in May, the total number of reported problems was 29. “We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs,” said Adam Gowdiak, the founder and CEO of Security Explorations.

According to the press release which Security Explorations issued at the time, the security issues violated the “Secure Coding Guidelines for the Java Programming Language” and most of them demonstrate a specific problem related to Java SE security. As part of the research, Security Explorations developed reliable proofs of concept for ALL of the issues found. These included 12 exploits that demonstrated a complete JVM security sandbox bypass.

This means that for the last four months Oracle has had information about critical Java vulnerabilities including proof of concept code. The last status report that Adam Gowdiak received from Oracle revealed that the company was planning to fix the two vulnerabilities, which are being exploited today, in its October Critical Patch Update (CPU).

“Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don’t know why Oracle left so many serious bugs for the Oct. CPU,” Gowdiak said.

Oracle use a 4 month patch cycle (middle of February, June, October) and the next patch is scheduled for October 16.

Concern grows as zero day Java exploit spreads

(LiveHacking.Com) – Concerns about the impact (even devastation) of the recently discovered zero day Java exploit are starting to grow as the exploit has been added to the infamous Blackhole exploit kit. It has also been discovered that the attacks, which have now become global with cases recorded in the United States, Russia, Belarus and Germany, are actually using two unpatched vulnerabilities in Java 7 – not one, as was originally thought. Kurt Baumgartner, a senior security researcher at security firm Kaspersky Lab, wrote in a blog post that the infections are becoming more common and have spread out from their initial starting point in China.

Oracle has yet to comment on the vulnerability and, since every major browser is susceptible to the attack, US-CERT has released Vulnerability Note VU#636312 which advises users to disable the Java browser plugin.

  • To disable the Java web plug-in in Safari, open Safari > Preferences, click “Security” and uncheck “Enable Java”.
  • To disable Java applets in Firefox, click on the Firefox button and then click Add-ons, select the Plugins panel, click on the Java (TM) Platform plugin and then click on the Disable button.
  • For Chrome, type chrome://plugins/ into the address bar, scroll down to Java and click Disable.
  • Disabling Java in Internet Explorer isn’t easy; detailed instructions can be found here, here and here.

Disclosure concerns
There have also been some concerns about how this exploit was disclosed. It appears that some bloggers irresponsibly reported the vulnerability by including links to known sites serving the attack. “Would you encourage folks to walk down a mugger’s dark alley with no protection or would you work to communicate the muggers’ whereabouts to the right folks and work on lighting the alley or giving better directions?” wrote Kurt Baumgartner from Kaspersky.

Also, since the exploit was added to the Metasploit penetration testing framework it became available to every would-be hacker. The counter argument is that such full disclosure will force Oracle to deliver an out-of-band patch, which in the past it has failed to do. The company’s next scheduled Java security update is on October 16 2012.


New zero day Java vulnerability spotted in the wild

(LiveHacking.Com) – A zero day vulnerability is considered by some as their worst security nightmare. It is a vulnerability (bug) in software that no-one knew about (hence zero day) which allows hackers to execute remote code on a victim’s machine. And that is exactly what has happened over the weekend with the discovery of a new zero day vulnerability in Java 7. According to FireEye, all versions of JRE 1.7x are vulnerable and the exploit has been successfully tested against the latest version of Firefox with JRE version 1.7 update 6 installed. It appears that Java 6 is not vulnerable.

The exploit is hosted on the domain ok.XXX4.net which resolves to an IP address in China. After a successful exploit the dropper MD5: 4a55bf1448262bf71707eef7fc168f7d (which is only detected by 28 out of 42 antivirus scanners as Gen:Trojan.Heur.FU.bqW@a4uT4@bb; Backdoor:Win32/Poison.E) is installed on the infected machine from http://ok.XXX4.net/meeting/hi.exe. Then the dropper talks to a command and control server (hello.icon.pk) in Singapore.
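The indicators quoted above (exploit host, dropper URL, dropper MD5 and C2 host) are the kind a defender would sweep proxy logs for. The following Python is an added example, not part of the original article: it matches constructed proxy-log lines (assumed layout: timestamp, client IP, method, URL, status, bytes) against those indicators and reports which clients completed the full download-then-beacon chain.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators quoted in the report above; everything else here is constructed.
IOC_HOSTS = {"ok.xxx4.net", "hello.icon.pk"}        # exploit host, C2 host
IOC_URLS = {"http://ok.xxx4.net/meeting/hi.exe"}    # dropper download
IOC_MD5 = {"4a55bf1448262bf71707eef7fc168f7d"}      # dropper hash

# Constructed sample lines in an assumed proxy-log layout:
# timestamp client_ip method url status bytes
SAMPLE_LOG = """\
2012-08-27T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200 5120
2012-08-27T10:01:07Z 10.0.0.5 GET http://ok.XXX4.net/meeting/index.html 200 2048
2012-08-27T10:01:09Z 10.0.0.5 GET http://ok.XXX4.net/meeting/hi.exe 200 98304
2012-08-27T10:01:15Z 10.0.0.5 POST http://hello.icon.pk/ 200 312
2012-08-27T10:02:00Z 10.0.0.9 GET http://www.example.org/ 200 1024
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

@dataclass(frozen=True)
class Hit:
    client: str
    url: str
    reason: str

def host_of(url: str) -> str:
    """Hostname part of a URL, lower-cased (hostnames are case-insensitive)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def classify(url: str) -> Optional[str]:
    """Return a reason string if the URL matches an indicator, else None."""
    if url.lower() in IOC_URLS:
        return "dropper download"          # most specific match first
    host = host_of(url)
    if host == "hello.icon.pk":
        return "C2 beacon"
    if host in IOC_HOSTS:
        return "exploit host contact"
    return None

def scan_proxy_log(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # skip malformed lines
        _ts, client, _method, url, _status, _size = m.groups()
        reason = classify(url)
        if reason:
            hits.append(Hit(client, url, reason))
    return hits

def likely_infected(hits: List[Hit]) -> Set[str]:
    """Clients that fetched the dropper and then beaconed to the C2 host."""
    seen = {}
    for h in hits:
        seen.setdefault(h.client, set()).add(h.reason)
    return {c for c, r in seen.items() if {"dropper download", "C2 beacon"} <= r}

def is_known_dropper(data: bytes) -> bool:
    """Match a retrieved file body against the reported dropper MD5."""
    return hashlib.md5(data).hexdigest() in IOC_MD5
```

A host that only touched the exploit page may have been served the applet without a successful infection, so the chain check separates confirmed compromises from mere exposure.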

The worrying thing is that Oracle uses a 4 month patch cycle (middle of February, June, October) and the next patch is scheduled for October 16. That is nearly two months away. Oracle rarely issues out-of-cycle patches. We can only hope that Oracle makes an exception in this case.

“It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis,” wrote FireEye researcher Atif Mushtaq on the company blog. 

A module has been published for Metasploit and it is my advice that you disable Java on all your systems! Most home users don’t run Java programs and have no need for it. On top of that the majority of security experts agree that the risk of running Java outweighs the potential benefits.

AlienVault and DeependResearch have further analysis of the vulnerability.

Protect yourself from Java-based malware

(LiveHacking.Com) – The onslaught of Java vulnerabilities doesn’t seem to be abating. Recently we have seen malware successfully exploiting different Java bugs, from CVE-2012-0507, the AtomicReferenceArray type-confusion vulnerability, to the newly found type-confusion vulnerability CVE-2012-1723. Both vulnerabilities have been actively exploited.

A type-confusion vulnerability occurs when the type safety checks built into the Java Runtime Environment fail to reject a value of the wrong type supplied to an instruction that expects a different type. This is very dangerous because, if exploited correctly, it allows the program to access methods that are not supposed to be available to it, and ultimately it leads to a sandbox compromise.

There have been calls for users to remove Java from their PCs unless it is absolutely necessary. “I’ve repeatedly encouraged readers to uninstall this program,” said Brian Krebs, former in-house security expert for The Washington Post. “Not only because of the constant updating it requires, but also because there seem to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.”

If you need to keep Java on your machine then the most effective measure against these vulnerabilities is keeping your Java version up to date. To check the version of JRE your browser is running, use this link. You will then be prompted if you need to upgrade your Java version.

You can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has a detailed description of these settings here.

For Mac users, Apple has published details on how to disable the Java Plug-in for Safari: http://support.apple.com/kb/HT5241

[Via Microsoft Malware Protection Center]