October 31, 2014

New zero-day Java exploit on sale for a five digit sum

(LiveHacking.Com) – A new zero-day Java exploit has been offered for sale on an underground black market cyber criminal Internet forum. The new threat is advertised as working on Java JRE 7 Update 9, the most recent version of Java, but doesn’t affect Java 6 or earlier versions.

According to Brian Krebs, the exploit is serious enough that an attacker could use it to remotely seize control over any systems running the program. This typically means it would be used to spread malware. If a cyber criminal did buy this exploit it would most likely be used to spread a banking Trojan so that the buyer could recoup the money spent. In the end it is all about money (illegally and immorally gained of course).

The exploit has been offered for sale on an invite-only Underweb forum for an undisclosed sum but the seller suggested that it needs to be five digits (meaning $100,000 or more). There are not many details, but the vulnerability is said to be in ‘MidiDevice.Info,’ a Java class which handles MIDI devices. The seller has tested the exploit on Firefox and Internet Explorer running on Windows 7.

“I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly,” the exploit seller is reported to have written.

Many security experts, including us here at Live Hacking, have lots of concerns about the number of possible vulnerabilities in Java. If you don’t need Java it is best to remove it completely from your system.

As an alternative you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has published a detailed description of these settings.

The difference between an expoit and vulnerability

(LiveHacking.Com) – Any reader of this blog will inevitably come across words like vulnerability, exploit, malware, Trojan and so on. Some of these words have connected meanings but in themselves they have clear and separate definitions.  For example a Trojan is a type of malware, but not all malware is a Trojan. What about ‘vulnerability’ and ‘exploit’, are they they same thing? If not, what is the connection?

A vulnerability is a flaw in a system, or in some software in a system, that could provide an attacker with a way to bypass the security infrastructure of the host operating system or of the software itself. It isn’t an open door but rather a weakness which if attacked could provide a way in.

Exploiting is the act of trying to turn a vulnerability (a weakness) into an actual way to breach a system. A vulnerability can therefore be ‘exploited’ to turn it into viable method to attack a system.

In software (rather than whole systems including the people, the computers, the firewalls and the networks etc), the most common type of vulnerability is a memory error. These can be buffer overflows, heap corruptions or NULL pointer de-references. Once a memory issue has been discovered an attacker will try to exploit it by manipulating how the memory is corrupted in the hope to alter some aspect of the addressing (maybe a return address). This can then be used to make the CPU run code in another part of memory. If arbitrary code execution is achieved then the system can be exploited. The extent of the exploit will depend on the nature of the vulnerability,  if privilege elevation was achieved and the extent of technologies such as sand-boxing or address space layout randomization (ASLR).

Turning a software vulnerability into an exploit can be hard. Google, for example, rewards security researchers for finding vulnerabilities in its Chrome web browser. The payouts Google make are in the range of $500 to $3000. However it also runs competitions for security specialists to present exploited vulnerabilities. These exploits are rewarded much larger sums, as much as $60,000. The difference in payouts reflects the magnitude of the task when trying to exploit a vulnerability.