April 16, 2014

In brief: Apple updates Java after Oracle’s October patches

(LiveHacking.Com) – Apple has once again updated the versions of Java running on its Mac OS X operating system soon after Oracle released its patches. This is in contrast to the fiasco earlier this year, when Apple took until April 2012 to push out a patch that had been available to Windows users since February.

This time Apple has been quick off the mark. According to the security advisory: Multiple vulnerabilities exist in Java 1.6.0_35, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_37.

Additionally, for OS X 10.6 and OS X 10.7 this update removes the Apple-provided Java applet plug-in from all web browsers. It also removes the Java Preferences application, which is no longer required to configure applet settings. Mac users who need a Java plug-in (and you really must need it, otherwise don’t bother) can click on the region labeled “Missing plug-in” to download the latest version of the Java applet plug-in directly from Oracle.

The update is available for the last three versions of Mac OS X: Mac OS X Snow Leopard v10.6.8, OS X Lion v10.7 or later, and OS X Mountain Lion v10.8 or later.

Oracle’s latest Critical Patch Update fixes over 30 security vulnerabilities in Java

(LiveHacking.Com) – Oracle has released its latest Critical Patch Update (CPU) which addresses multiple security vulnerabilities in multiple Oracle products including Java. In total the software giant has fixed almost 140 vulnerabilities in a range of its products including Oracle Database, Fusion Middleware, MySQL, Solaris and VirtualBox.

For Java, Oracle has patched a total of 30 holes, all but one of which can be exploited remotely without authentication. This means that just visiting a web page which starts a Java app can cause a PC to be breached and infected with malware. This is how several types of malware have been spreading in recent times. At the end of August Oracle was forced to release an out-of-band update for Java because of severe Java vulnerabilities which were being exploited in the wild.

Many of the vulnerabilities were reported to Oracle by Adam Gowdiak of Security Explorations. Adam and his team have reported dozens of vulnerabilities to Oracle. Just under three weeks ago Adam reported a vulnerability that, if successfully exploited, would completely bypass the Java security sandbox. The bug allows hackers / attackers to violate a fundamental security constraint (type safety) of a Java Virtual Machine.

There is a lot of concern in the security industry about the number of vulnerabilities in Java. If you don’t need Java it is best to remove it completely from your system. Alternatively, you can disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has a detailed description of these settings here.

If you need to keep Java on your machine then the most effective measure against these vulnerabilities is to keep your Java version up to date. To check the version of JRE your browser is running, use this link. You will then be prompted if you need to upgrade your Java version.


In brief: Another critical security issue found affecting Java SE 5/6/7

(LiveHacking.Com) – Adam Gowdiak, founder and CEO of Security Explorations, has posted information on the Full Disclosure mailing list about yet another security vulnerability affecting all the latest versions of Oracle’s Java SE software. He and his team have been able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass. The bug allows hackers / attackers to violate a fundamental security constraint (type safety) of a Java Virtual Machine.

The following Java SE versions were verified to be vulnerable:

  • Java SE 5 Update 22 (build 1.5.0_22-b03)
  • Java SE 6 Update 35 (build 1.6.0_35-b10)
  • Java SE 7 Update 7 (build 1.7.0_07-b10)

It appears that all the major browsers (with Java plugins) are vulnerable. Tests on a fully patched Windows 7 32-bit system were able to compromise Firefox 15.0.1, Google Chrome 21.0.1180.89 and Internet Explorer 9.0.10.

Details have been given to Oracle along with a technical description of the issue found plus the source code for a Proof of Concept demonstrating the complete Java security sandbox bypass.

Apple releases Java update for OS X including Snow Leopard

(LiveHacking.Com) – There has been a flurry of activity over the last few weeks, both by hackers and by the Java engineers at Oracle, around a series of critical vulnerabilities in Java 7 which have allowed hackers to run arbitrary code on a victim’s computer. Oracle recently released a patch for the flaws in Java 7 and at the same time released an update to Java 6 (update 35). Now Apple has released the Java 6 update for OS X Snow Leopard and OS X Lion. The Java 6 update addresses a related flaw, CVE-2012-0547.

Apple’s advisory reads as follows “This update configures web browsers to not automatically run Java applets. Re-enable Java applets by clicking the region labeled “Inactive plug-in” on a webpage. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.”

According to Oracle, update 35 addresses CVE-2012-4681 and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. The vulnerabilities may be remotely exploitable without authentication if an unsuspecting user visits a malicious web page that leverages these vulnerabilities. However, there is some confusion, as CVE-2012-4681 only affects Java 7.

It seems that the confusion is spreading as Brian Krebs, the renowned and respected security expert, didn’t quite understand Apple’s somewhat hazy advisory either. In an update to his blog post he confirms that the OS X update addresses CVE-2012-0547. “Upon closer inspection, it looks like this patch applies just to CVE-2012-0547,” wrote Krebs.

OS X 10.8 Mountain Lion isn’t affected, as Apple no longer ships Java by default with OS X; however, Oracle builds are available for the platform. This update is Apple’s first patch for OS X Snow Leopard since June 12. Apple seems to have abandoned the older OS without any notification or end-of-life announcement, which is typical of Apple. The odd thing is that OS X Snow Leopard still powers around a third of all Macs.

Java 6 version 35 can be downloaded from Apple’s website for OS X Snow Leopard and Lion.

Oracle releases out-of-band update for Java to fix vulnerabilities which are being exploited in the wild

(LiveHacking.Com) – In a surprise move, which security researchers hoped for but scarcely dared believe would happen, Oracle has released an out-of-band update to Java to fix several security vulnerabilities which are being exploited in the wild. The update addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities (CVE-2012-3136 and CVE-2012-0547) affecting Java running in web browsers on desktops.

These vulnerabilities, which are not applicable to Java running on servers or standalone Java desktop applications, can be exploited remotely without authentication. The exploit happens when an unsuspecting user visits a malicious web page designed to leverage the vulnerabilities. Upon successful exploitation the attackers can run arbitrary code on the victim’s computer.

“If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system,” wrote Oracle’s Eric P. Maurice in a blog post.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 “in the wild,” Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Users can download Java 7 Update 7 for Windows, Linux, Mac OS X, Solaris x86 and Solaris SPARC. The update is available in 32-bit and 64-bit versions for all platforms except OS X, which is 64-bit only. New versions of the Java SE Development Kit, bundled with the updated Java runtimes, are also available.

Oracle knew of Java vulnerabilities in April and had proof of concept code examples

(LiveHacking.Com) – It turns out that the latest Java vulnerabilities, which are being used to spread malware across the globe, aren’t zero day vulnerabilities at all. PC World is reporting that Oracle has known about the existence of the two unpatched Java 7 vulnerabilities since April. Polish security firm Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day vulnerabilities that are being exploited in the wild now. Including further vulnerabilities that the company reported to Oracle in May, the total number of reported problems was 29. “We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs,” said Adam Gowdiak, the founder and CEO of Security Explorations.

According to the press release which Security Explorations issued at the time, the security issues violated the “Secure Coding Guidelines for the Java Programming Language” and most of them demonstrate a specific problem related to Java SE security. As part of the research, Security Explorations developed reliable Proofs of Concept for ALL of the issues found. This included 12 exploits that demonstrated a complete JVM security sandbox bypass.

This means that for the last four months Oracle has had information about critical Java vulnerabilities including proof of concept code. The last status report that Adam Gowdiak received from Oracle revealed that the company was planning to fix the two vulnerabilities, which are being exploited today, in its October Critical Patch Update (CPU).

“Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don’t know why Oracle left so many serious bugs for the Oct. CPU,” Gowdiak said.

Oracle uses a four-month patch cycle (the middle of February, June and October), and the next patch is scheduled for October 16.

Concern grows as zero day Java exploit spreads

(LiveHacking.Com) – Concerns about the impact (even devastation) of the recently discovered zero day Java exploit are starting to grow as the exploit has been added to the infamous Blackhole exploit kit. It has also been discovered that the attacks, which have now become global with cases recorded in the United States, Russia, Belarus and Germany, are actually using two unpatched vulnerabilities in Java 7, not one, as was originally thought. Kurt Baumgartner, a senior security researcher at security firm Kaspersky Lab, wrote in a blog post that the infections are becoming more common and have spread out from their initial starting point in China.

Oracle has yet to comment on the vulnerability and, since every major browser is susceptible to the attack, US-CERT has released Vulnerability Note VU#636312, which advises users to disable the Java browser plugin.

  • To disable the Java web plug-in in Safari, open Safari > Preferences, click “Security” and uncheck “Enable Java”.
  • To disable Java applets in Firefox, click on the Firefox button and then click Add-ons, select the Plugins panel, click on the Java (TM) Platform plugin and then click on the Disable button.
  • For Chrome, type chrome://plugins/ into the address bar, scroll down to Java and click Disable.
  • Disabling Java in Internet Explorer isn’t easy; detailed instructions can be found here, here and here.

Disclosure concerns

There have also been some concerns about how this exploit was disclosed. It appears that some bloggers irresponsibly reported the vulnerability by including links to known sites serving the attack. “Would you encourage folks to walk down a mugger’s dark alley with no protection or would you work to communicate the muggers’ whereabouts to the right folks and work on lighting the alley or giving better directions?” wrote Kurt Baumgartner from Kaspersky.

Also, since the exploit was added to the Metasploit penetration testing framework, it became available to every would-be hacker. The counter-argument is that such full disclosure will force Oracle to deliver an out-of-band patch, which in the past it has failed to do. The company’s next scheduled Java security update is on October 16 2012.


New zero day Java vulnerability spotted in the wild

(LiveHacking.Com) – A zero day vulnerability is considered by some as their worst security nightmare. It is a vulnerability (bug) in software that no one knew about (hence zero day) which allows hackers to execute remote code on a victim’s machine. And that is exactly what has happened over the weekend with the discovery of a new zero day vulnerability in Java 7. According to FireEye, all versions of JRE 1.7x are vulnerable and the exploit has been successfully tested against the latest version of Firefox with JRE version 1.7 update 6 installed. It appears that Java 6 is not vulnerable.

The exploit is hosted on the domain ok.XXX4.net which resolves to an IP address in China. After a successful exploit the dropper MD5: 4a55bf1448262bf71707eef7fc168f7d (which is only detected by 28 out of 42 antivirus scanners as Gen:Trojan.Heur.FU.bqW@a4uT4@bb; Backdoor:Win32/Poison.E) is installed on the infected machine from http://ok.XXX4.net/meeting/hi.exe. Then the dropper talks to a command and control server (hello.icon.pk) in Singapore.
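The indicators quoted above (the exploit host, the command and control host and the dropper MD5) can be turned into a straightforward detection check. The Python below is an added example for this page, not FireEye’s or LiveHacking’s code; the indicator values are copied exactly as the article prints them (the partly redacted host name is kept as printed), while the proxy-log lines and file-hash records are constructed sample data.

```python
"""Match the indicators quoted in the article against proxy logs and file hashes.

Indicator values below are copied from the article as printed (the host name
is partly redacted there and is kept that way); the log lines and hash records
are constructed sample data for this example.
"""
from urllib.parse import urlsplit

# Indicators from the article: the exploit host, the C2 host and the dropper MD5.
IOC_DOMAINS = {"ok.xxx4.net", "hello.icon.pk"}
IOC_MD5 = {"4a55bf1448262bf71707eef7fc168f7d"}

# Constructed proxy log: "<epoch> <client-ip> <method> <target>" (Squid-like layout).
SAMPLE_PROXY_LOG = """\
1346050001.123 10.0.0.12 GET http://ok.XXX4.net/meeting/hi.exe
1346050002.456 10.0.0.12 GET http://www.example.com/index.html
1346050003.789 10.0.0.15 CONNECT hello.icon.pk:443
1346050004.012 10.0.0.20 GET http://icon.pk.example.net/
"""

# Constructed file inventory: (path, md5) as an endpoint agent might report it.
SAMPLE_HASHES = [
    ("C:/Users/alice/AppData/Local/Temp/hi.exe", "4A55BF1448262BF71707EEF7FC168F7D"),
    ("C:/Windows/System32/notepad.exe", "0123456789abcdef0123456789abcdef"),
]


def host_of(target: str) -> str:
    """Extract the host name from an absolute URL or a CONNECT host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    # CONNECT targets carry no scheme; urlsplit would mistake the host for one.
    return target.split(":", 1)[0].lower()


def domain_matches(host: str, iocs: set[str]) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan_proxy_log(log_text: str) -> list[dict]:
    """Return one hit per log line whose target host matches an indicator domain."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than abort the whole scan
        host = host_of(fields[3])
        if domain_matches(host, IOC_DOMAINS):
            hits.append({"line": line_no, "client": fields[1], "host": host, "target": fields[3]})
    return hits


def scan_hashes(records) -> list[dict]:
    """Return the records whose MD5 matches the dropper hash (case-insensitive)."""
    return [{"path": p, "md5": h.lower()} for p, h in records if h.lower() in IOC_MD5]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for hit in scan_hashes(SAMPLE_HASHES):
        print("hash hit:", hit)
```

The fourth sample line (`icon.pk.example.net`) is there to show that the suffix match only fires on the indicator domain itself or its subdomains, not on any host that merely contains the string; the hash comparison is lower-cased because endpoint tools report MD5s in either case.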

The worrying thing is that Oracle uses a four-month patch cycle (the middle of February, June and October) and the next patch is scheduled for October 16. That is nearly two months away. Oracle rarely issues out-of-cycle patches. We can only hope that Oracle makes an exception in this case.

“It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis,” wrote FireEye researcher Atif Mushtaq on the company blog. 

A module has been published for Metasploit and it is my advice that you disable Java on all your systems! Most home users don’t run Java programs and have no need for it. On top of that the majority of security experts agree that the risk of running Java outweighs the potential benefits.

AlienVault and DeependResearch have further analysis of the vulnerability.

Protect yourself from Java-based malware

(LiveHacking.Com) – The onslaught of Java vulnerabilities doesn’t seem to be abating. Recently we have seen malware successfully exploiting different Java bugs, from CVE-2012-0507, the AtomicReferenceArray type-confusion vulnerability, to the newly found type-confusion vulnerability CVE-2012-1723. Both vulnerabilities have been actively exploited.

A type confusion is a vulnerability that occurs when the type safety checks built into the Java Runtime Environment fail to detect that a value of one type has been supplied to an instruction expecting a different type. This is very dangerous because, if exploited correctly, it allows the program to access methods that are not supposed to be available to it, and ultimately leads to a sandbox compromise.

There have been calls for users to remove Java from their PCs unless it is absolutely necessary. “I’ve repeatedly encouraged readers to uninstall this program,” said Brian Krebs, former in-house security expert for The Washington Post. “Not only because of the constant updating it requires, but also because there seems to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.”

If you need to keep Java on your machine then the most effective measure against these vulnerabilities is to keep your Java version up to date. To check the version of JRE your browser is running, use this link. You will then be prompted if you need to upgrade your Java version.

You can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has a detailed description of these settings here.

For Mac users, Apple has published details on how to disable the Java Plug-in for Safari: http://support.apple.com/kb/HT5241

[Via Microsoft Malware Protection Center]

Incredibly Apple releases Java update for OS X on the same day as Oracle

(LiveHacking.Com) – In the past Apple has come under heavy criticism due to the unacceptable amount of time it takes the Cupertino company to release Java updates for its OS X operating system. April and May saw a massive malware breakout on OS X due to a vulnerability in Java. The problem was that Oracle fixed the vulnerability in February but Apple didn’t release a patch until April. In the intervening months over half a million Macs got infected with the Flashback Trojan.

This time around Oracle has patched a number of critical vulnerabilities in Java and Apple has stepped up its game. On the same day as Oracle, Apple released a Java update for Mac OS X v10.6 Snow Leopard and OS X Lion v10.7.

The Java update fixes 14 security issues, 12 of which can be exploited remotely without authentication. This means that they can be exploited over a network without the need for a username and password. The most serious of the vulnerabilities allows an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The OS X update also includes some security hardening measures. First, the Java browser plug-in and Java Web Start are deactivated if they are not used for 35 days; by default they are automatically deactivated. Secondly, the Java browser plug-in and Java Web Start are deactivated if they do not meet the criteria for the minimum safe version. The minimum safe version of Java is updated daily, as needed. To re-enable Java, a newer version needs to be installed.

The update from Oracle affects the following versions of Java:

  • JDK and JRE 7 Updates 4 and earlier
  • JDK and JRE 6 Update 32 and earlier
  • JDK and JRE 5.0 Update 35 and earlier
  • SDK and JRE 1.4.2_37 and earlier
  • JavaFX 2.1 and earlier
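Several of the briefs above tell readers to check which JRE version is installed and keep it above the patched level, and Apple’s hardening compares the installed plug-in against a “minimum safe version”. The Python below is an added example for this page (not Oracle’s or Apple’s code) showing how such a check is built: it parses the `1.6.0_35` / `1.7.0_07-b10` / `1.4.2_37` version formats used throughout the page, pulls the version out of `java -version` output, and compares it against the affected ranges listed directly above for the June 2012 Critical Patch Update. The `java -version` text is a constructed sample, the JavaFX entry is not covered (it uses a different numbering scheme), and families not in the list are reported as not affected rather than guessed at.

```python
"""Parse Java version strings and check them against the affected ranges above.

Added example for this page; not Oracle's or Apple's code. The affected ranges
are taken from the list in the article (June 2012 CPU); the `java -version`
output below is a constructed sample.
"""
import re
from typing import NamedTuple, Optional


class JavaVersion(NamedTuple):
    major: int   # 1 for every release discussed on this page
    minor: int   # 4, 5, 6 or 7: the "Java SE N" family
    micro: int   # 0, or 2 for the 1.4.2 line
    update: int  # the "Update N" number (0 if absent)


# Accepts "1.6.0_35", "1.7.0_07-b10", "1.4.2_37" and "1.7.0"; a "-bNN" build suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b\d+)?$")


def parse_java_version(text: str) -> JavaVersion:
    """Turn a version string into comparable integers; reject anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return JavaVersion(int(major), int(minor), int(micro), int(update or 0))


# Last affected (micro, update) per family, straight from the article's list.
AFFECTED_UP_TO = {
    (1, 7): (0, 4),    # JDK and JRE 7 Update 4 and earlier
    (1, 6): (0, 32),   # JDK and JRE 6 Update 32 and earlier
    (1, 5): (0, 35),   # JDK and JRE 5.0 Update 35 and earlier
    (1, 4): (2, 37),   # SDK and JRE 1.4.2_37 and earlier
}


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the listed affected ranges."""
    v = parse_java_version(version)
    limit = AFFECTED_UP_TO.get((v.major, v.minor))
    if limit is None:
        return False  # family not covered by the list (e.g. later releases)
    return (v.micro, v.update) <= limit


_OUTPUT_RE = re.compile(r'java version "([^"]+)"')


def version_from_output(output: str) -> Optional[str]:
    """Pull the quoted version string out of `java -version` output."""
    m = _OUTPUT_RE.search(output)
    return m.group(1) if m else None


# Constructed sample of what `java -version` prints; the build number is made up.
SAMPLE_OUTPUT = (
    'java version "1.6.0_31"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_31-b04)\n'
)


def check_output(output: str) -> dict:
    """Report the detected version and whether it is in an affected range."""
    ver = version_from_output(output)
    if ver is None:
        return {"version": None, "affected": None}
    return {"version": ver, "affected": is_affected(ver)}


if __name__ == "__main__":
    print(check_output(SAMPLE_OUTPUT))  # 1.6.0_31 is at or below Update 32, so affected
```

Comparing `(micro, update)` tuples rather than the raw string is what makes `1.4.1_50` sort below `1.4.2_37` and `1.6.0_32` below `1.6.0_35`; a plain string comparison would get both wrong.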