October 24, 2014

Another zero-day Java exploit for sale on Internet

(LiveHacking.Com) – Less than a day after Oracle patched the zero-day vulnerability in Java 7, security journalist Brian Krebs has discovered that a new Java zero-day exploit is now available to purchase, on a crimeware and malware Internet forum, for US$5,000 per sale.

At the beginning of this week, an administrator of an exclusive cybercrime forum revealed that he is offering exploit code for a new zero-day vulnerability in Java, but he is only willing to sell it twice.

The seller was offering source files for the exploit plus an encrypted, weaponized version, ready for use. Since spotting the forum post, Krebs has noticed that the thread has been deleted from the forum. This most likely means that buyers were found.

“To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program,” wrote Krebs.

The current frequency of Java exploits has led many to declare Java unsafe. Even after the latest update for Java 7, Adam Gowdiak, the founder and CEO of Security Explorations, who has found several critical vulnerabilities in Java, said that “We don’t dare to tell users that it’s safe to enable Java again.”

This was a sentiment echoed by HD Moore, chief security officer with Rapid7, the custodians of Metasploit: “The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop.”

It looks like Gowdiak and Moore are right!

After latest vulnerability gets patched in Java, is it now seen as just too dangerous?

(LiveHacking.Com) – Oracle has released an update to Java 7 to address two Critical vulnerabilities. A few days ago, reports emerged about another new vulnerability in Java that was being exploited in the wild. The vulnerability allowed a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. An exploit for the vulnerability was quickly added to exploit toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK).

These vulnerabilities, known as CVE-2013-0422 and CVE-2012-3174, do not affect Java on servers, Java desktop applications, or embedded Java; however, Java running in a web browser is affected.

To exploit the vulnerability, an unsuspecting user is tricked into visiting a website which has been designed specifically to infect their PC with malware. Once at the website, the vulnerability allows a malicious applet to execute within the browser, which then results in the execution of arbitrary code (to install malware).

As part of Java 7 update 11, Oracle is switching the Java security settings to “high” by default. This means that users need to expressly allow the execution of any applets, which are either unsigned or self-signed, in the browser. The idea is that any unsuspecting users visiting malicious web sites will be prompted before an applet is run.

Since update 10 of Java 7, it is possible to disable Java content in web browsers through the Java control panel applet. To do this, de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).
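As an added example (not code from the article or from Oracle), a small Python audit that reads a Java 7 deployment.properties file and reports whether the two settings described above, the “Enable Java content in the browser” check-box and the security level, are in their hardened state. The key names deployment.webjava.enabled and deployment.security.level and the level names are taken from Oracle’s Java 7 deployment configuration rather than from this page, the defaults used when a key is absent are assumed, and the sample file is constructed.

```python
# Security-slider levels, weakest first (Java 7u10 naming; assumption).
LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key:value' lines,
    '#' or '!' comment lines, surrounding whitespace stripped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first separator found ('=' preferred, then ':').
        for sep in "=:":
            if sep in line:
                key, _, value = line.partition(sep)
                props[key.strip()] = value.strip()
                break
        else:
            props[line] = ""  # bare key with no value
    return props


def audit(props):
    """Return findings for the two browser settings; an empty list means
    both are in the hardened state. Absent keys are read as the assumed
    pre-7u11 defaults: web Java enabled, slider at MEDIUM."""
    findings = []
    webjava = props.get("deployment.webjava.enabled", "true").lower()
    if webjava != "false":
        findings.append("Java content in the browser is enabled "
                        "(deployment.webjava.enabled=%s)" % webjava)
    level = props.get("deployment.security.level", "MEDIUM").upper()
    if level not in LEVELS or LEVELS.index(level) < LEVELS.index("HIGH"):
        findings.append("security slider below HIGH "
                        "(deployment.security.level=%s)" % level)
    return findings


# Constructed sample: a user profile that still runs applets at MEDIUM.
SAMPLE_WEAK = """\
#deployment.properties
deployment.version=7.10
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

# Same profile with the check-box cleared and the slider raised.
SAMPLE_HARDENED = SAMPLE_WEAK.replace("enabled=true", "enabled=false") \
                             .replace("MEDIUM", "VERY_HIGH")
```

Point `audit(parse_properties(open(path).read()))` at a user’s or the system-level deployment.properties to see which of the two findings, if any, still apply.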

However, questions are now being raised about the long-term viability of Java support in web browsers. Adam Gowdiak, the founder and CEO of Security Explorations, who has found several critical vulnerabilities in Java, told Reuters that “We don’t dare to tell users that it’s safe to enable Java again.”

“The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” said HD Moore, chief security officer with Rapid7, the custodians of Metasploit.

Oracle’s latest Critical Patch Update fixes over 30 security vulnerabilities in Java

(LiveHacking.Com) – Oracle has released its latest Critical Patch Update (CPU) which addresses multiple security vulnerabilities in multiple Oracle products including Java. In total the software giant has fixed almost 140 vulnerabilities in a range of its products including Oracle Database, Fusion Middleware, MySQL, Solaris and VirtualBox.

For Java, Oracle has patched a total of 30 holes, all but one of which can be exploited remotely without authentication. This means that just visiting a web page which starts a Java app can cause a PC to be breached and infected with malware. This is the way several types of malware have been spreading in recent times. At the end of August Oracle was forced to release an out-of-band update for Java due to some severe Java vulnerabilities which were being exploited in the wild.

Many of the vulnerabilities were reported to Oracle by Adam Gowdiak of Security Explorations. Adam and his team have reported dozens of vulnerabilities to Oracle. Just under three weeks ago Adam reported a vulnerability that, if successfully exploited, would completely bypass the Java security sandbox. The bug allows hackers / attackers to violate a fundamental security constraint (type safety) of a Java Virtual Machine.

There are lots of concerns in the security industry about the number of vulnerabilities which exist in Java. If you don’t need Java, it is best to remove it completely from your system. As an alternative, you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to stop that installation from being used by Java Plug-in and Java Web Start. Oracle has a detailed description of these settings here.

If you need to keep Java on your machine, then the most effective measure against these vulnerabilities is to keep your Java version up to date. To check the version of JRE your browser is running, use this link. You will then be prompted if you need to upgrade your Java version.


In brief: Another critical security issue found affecting Java SE 5/6/7

(LiveHacking.Com) – Adam Gowdiak, founder and CEO of Security Explorations, has posted information on the Full Disclosure mailing list about yet another security vulnerability affecting all the latest versions of Oracle’s Java SE software. He and his team have been able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass. The bug allows hackers / attackers to violate a fundamental security constraint (type safety) of a Java Virtual Machine.

The following Java SE versions were verified to be vulnerable:

  • Java SE 5 Update 22 (build 1.5.0_22-b03)
  • Java SE 6 Update 35 (build 1.6.0_35-b10)
  • Java SE 7 Update 7 (build 1.7.0_07-b10)

It appears that all the major browsers (with Java plugins) are vulnerable. Tests on a fully patched Windows 7 32-bit system were able to compromise Firefox 15.0.1, Google Chrome 21.0.1180.89 and Internet Explorer 9.0.10.

Details have been given to Oracle along with a technical description of the issue found plus the source code for a Proof of Concept demonstrating the complete Java security sandbox bypass.

Oracle knew of Java vulnerabilities in April and had proof of concept code examples

(LiveHacking.Com) – It turns out that the latest Java vulnerabilities, which are being used to spread malware across the globe, aren’t zero-day vulnerabilities at all. PC World is reporting that Oracle has known about the existence of the two unpatched Java 7 vulnerabilities since April. Polish security firm Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day vulnerabilities that are being exploited in the wild now. Including further vulnerabilities that the company reported to Oracle in May, the total number of reported problems was 29. “We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs,” said Adam Gowdiak, the founder and CEO of Security Explorations.

According to the press release which Security Explorations issued at the time, the security issues violated the “Secure Coding Guidelines for the Java Programming Language” and most of them demonstrate a specific problem related to Java SE security. As part of the research, Security Explorations developed reliable proofs of concept for ALL of the issues found. This included 12 exploits that demonstrated a complete JVM security sandbox bypass.

This means that for the last four months Oracle has had information about critical Java vulnerabilities including proof of concept code. The last status report that Adam Gowdiak received from Oracle revealed that the company was planning to fix the two vulnerabilities, which are being exploited today, in its October Critical Patch Update (CPU).

“Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don’t know why Oracle left so many serious bugs for the Oct. CPU,” Gowdiak said.

Oracle uses a 4-month patch cycle (middle of February, June, October), and the next patch is scheduled for October 16.