February 28, 2020

Oracle knew of Java vulnerabilities in April and had proof of concept code examples

(LiveHacking.Com) – It turns out that the latest Java vulnerabilities, which are being used to spread malware across the globe, aren’t zero-day vulnerabilities at all. PC World is reporting that Oracle has known about the two unpatched Java 7 vulnerabilities since April. Polish security firm Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2, including the two vulnerabilities that are now being exploited in the wild. Together with further vulnerabilities the company reported to Oracle in May, the total came to 29. “We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs,” said Adam Gowdiak, the founder and CEO of Security Explorations.

According to the press release Security Explorations issued at the time, the security issues violated the “Secure Coding Guidelines for the Java Programming Language” and most of them demonstrated a specific problem related to Java SE security. As part of the research, Security Explorations developed reliable proof-of-concept code for all of the issues found, including 12 exploits that demonstrated a complete JVM security sandbox bypass.

This means that for the last four months Oracle has had information about critical Java vulnerabilities, including proof-of-concept code. The last status report Adam Gowdiak received from Oracle indicated that the company planned to fix the two vulnerabilities being exploited today in its October Critical Patch Update (CPU).

“Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don’t know why Oracle left so many serious bugs for the Oct. CPU,” Gowdiak said.

Oracle uses a four-month patch cycle for Java (mid-February, June and October); the next scheduled update is October 16.

Concern grows as zero day Java exploit spreads

(LiveHacking.Com) – Concerns about the impact of the recently discovered zero-day Java exploit are growing now that it has been added to the infamous Blackhole exploit kit. It has also emerged that the attacks, which have become global with cases recorded in the United States, Russia, Belarus and Germany, are actually using two unpatched vulnerabilities in Java 7, not one as was originally thought. Kurt Baumgartner, a senior security researcher at security firm Kaspersky Lab, wrote in a blog post that the infections are becoming more common and have spread out from their initial starting point in China.

Oracle has yet to comment on the vulnerability, and since every major browser that loads the Java plugin is susceptible to the attack, US-CERT has released Vulnerability Note VU#636312, which advises users to disable the Java browser plugin.

  • To disable the Java web plug-in in Safari, open Safari > Preferences, click “Security” and uncheck “Enable Java”.
  • To disable Java applets in Firefox, click the Firefox button, then Add-ons, select the Plugins panel, click the Java (TM) Platform plugin and then click Disable.
  • For Chrome,  type chrome://plugins/ into the address bar, scroll down to Java and click Disable.
  • Disabling Java in Internet Explorer isn’t easy; detailed instructions can be found here, here and here.

Disclosure concerns
There have also been concerns about how this exploit was disclosed. Some bloggers reported the vulnerability irresponsibly by including links to known sites serving the attack. “Would you encourage folks to walk down a mugger’s dark alley with no protection or would you work to communicate the muggers’ whereabouts to the right folks and work on lighting the alley or giving better directions?” wrote Kurt Baumgartner from Kaspersky.

The exploit has also been added to the Metasploit penetration testing framework, making it available to every would-be attacker. The counter-argument is that such full disclosure will force Oracle to deliver an out-of-band patch, something it has failed to do in the past. The company’s next scheduled Java security update is on October 16, 2012.


New zero day Java vulnerability spotted in the wild

(LiveHacking.Com) – A zero-day vulnerability is considered by some to be their worst security nightmare: a bug in software that is being exploited before the vendor has a fix available (hence “zero day”) and that allows attackers to execute code remotely on a victim’s machine. That is exactly what happened over the weekend with the discovery of a new zero-day vulnerability in Java 7. According to FireEye, all versions of JRE 1.7.x are vulnerable, and the exploit has been successfully tested against the latest version of Firefox with JRE 1.7 update 6 installed. Java 6 appears not to be vulnerable.

The exploit is hosted on the domain ok.XXX4.net, which resolves to an IP address in China. After successful exploitation, a dropper (MD5 4a55bf1448262bf71707eef7fc168f7d, detected by only 28 of 42 antivirus scanners, as Gen:Trojan.Heur.FU.bqW@a4uT4@bb and Backdoor:Win32/Poison.E) is fetched from http://ok.XXX4.net/meeting/hi.exe and installed on the infected machine. The dropper then contacts a command-and-control server, hello.icon.pk, in Singapore.
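The indicators above (dropper hash, download path and C2 name) are the kind of thing a defender wants to sweep proxy and DNS logs for immediately. The following is an added example, not code from LiveHacking, FireEye or any of the researchers quoted on this page: a small Python matcher that runs those indicators over constructed log lines. The proxy and resolver log formats, the sample lines and the confidence levels are assumptions for illustration; the exploit host is printed redacted on the page (ok.XXX4.net), so it is not used as an indicator, and the only unredacted indicators are the MD5, the URL path and hello.icon.pk.

```python
"""IOC sweep for the Java 7 zero-day indicators quoted in the article.

Added example, not code from LiveHacking or FireEye. The proxy and DNS log
formats and the sample log lines below are constructed for illustration.
"""
import re

# Indicators taken from the article. The exploit host is printed redacted
# (ok.XXX4.net), so it is deliberately not used as an indicator. Confidence
# is an assumption: a file hash or the C2 name is strong on its own, while
# a URL path like /meeting/hi.exe is only a lead (anyone can host that path).
IOC_MD5 = {
    "4a55bf1448262bf71707eef7fc168f7d": ("hi.exe dropper (Backdoor:Win32/Poison.E)", "high"),
}
IOC_DOMAINS = {
    "hello.icon.pk": ("command-and-control server", "high"),
}
IOC_URL_PATHS = {
    "/meeting/hi.exe": ("dropper download path", "low"),
}

# Assumed (constructed) log formats:
#   proxy: "<ts> <client> <METHOD> <url> <status> [md5=<hex>]"
#   dns:   "<ts> <client> query <qname>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3})(?: md5=(?P<md5>[0-9a-fA-F]{32}))?$"
)
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def normalize_host(name):
    """Lower-case and strip the trailing dot so HELLO.ICON.PK. still matches."""
    return name.lower().rstrip(".")


def domain_hit(host, table=IOC_DOMAINS):
    """Exact or subdomain match; 'nothello.icon.pk' must not match."""
    host = normalize_host(host)
    for ioc, meta in table.items():
        if host == ioc or host.endswith("." + ioc):
            return ioc, meta
    return None


def url_parts(url):
    """Split an absolute URL into (host, path); ports are dropped from the host."""
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    hostport, _, path = rest.partition("/")
    return hostport.split(":")[0], "/" + path


def make_hit(client, kind, indicator, meta):
    description, confidence = meta
    return {"client": client, "kind": kind, "indicator": indicator,
            "description": description, "confidence": confidence}


def match_proxy_line(line):
    """Return every indicator hit on one proxy log line (empty list if none)."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return []
    hits = []
    host, path = url_parts(m["url"])
    d = domain_hit(host)
    if d:
        hits.append(make_hit(m["client"], "domain", d[0], d[1]))
    if path in IOC_URL_PATHS:
        hits.append(make_hit(m["client"], "url_path", path, IOC_URL_PATHS[path]))
    md5 = (m["md5"] or "").lower()
    if md5 in IOC_MD5:
        hits.append(make_hit(m["client"], "md5", md5, IOC_MD5[md5]))
    return hits


def match_dns_line(line):
    """Return the C2 hit for one resolver log line, if any."""
    m = DNS_RE.match(line.strip())
    if not m:
        return []
    d = domain_hit(m["qname"])
    return [make_hit(m["client"], "dns", d[0], d[1])] if d else []


def scan(proxy_lines, dns_lines):
    hits = []
    for line in proxy_lines:
        hits.extend(match_proxy_line(line))
    for line in dns_lines:
        hits.extend(match_dns_line(line))
    return hits


def hosts_to_isolate(hits):
    """Clients with at least one high-confidence hit; path-only hits are leads."""
    return sorted({h["client"] for h in hits if h["confidence"] == "high"})


# Constructed sample logs (not real traffic). The second proxy line uses the
# redacted exploit host exactly as the article prints it.
PROXY_LOG = """\
1346000000.123 10.0.0.21 GET http://www.example.com/index.html 200
1346000012.456 10.0.0.21 GET http://ok.XXX4.net/meeting/hi.exe 200 md5=4a55bf1448262bf71707eef7fc168f7d
1346000030.789 10.0.0.33 GET http://cdn.example.net/meeting/hi.exe 404
"""
DNS_LOG = """\
1346000015.000 10.0.0.21 query hello.icon.pk
1346000016.000 10.0.0.45 query mail.example.org
1346000017.000 10.0.0.45 query HELLO.ICON.PK.
"""

if __name__ == "__main__":
    found = scan(PROXY_LOG.splitlines(), DNS_LOG.splitlines())
    for h in found:
        print(f"{h['confidence']:<4} {h['client']:<10} {h['kind']:<8} {h['indicator']}  {h['description']}")
    print("isolate:", ", ".join(hosts_to_isolate(found)))
```

On the sample data 10.0.0.21 is flagged twice with high confidence (the dropper hash on the download and a lookup of the C2 name) and 10.0.0.45 once (an upper-cased, trailing-dot query for the C2 name), while 10.0.0.33 only matched the `/meeting/hi.exe` path on an unrelated host and is left as a lead rather than a containment candidate. Swap the two regexes for your own log parsers; the matching logic does not depend on them.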

The worrying thing is that Oracle uses a four-month patch cycle for Java (mid-February, June and October), and the next patch is scheduled for October 16, nearly two months away. Oracle rarely issues out-of-cycle patches; we can only hope that it makes an exception in this case.

“It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis,” wrote FireEye researcher Atif Mushtaq on the company blog. 

A module has been published for Metasploit, and my advice is to disable Java on all your systems. Most home users don’t run Java programs and have no need for the browser plugin; on top of that, most security experts agree that for such users the risk of running Java outweighs the benefits.

AlienVault and DeependResearch have further analysis of the vulnerability.

VUPEN Finds Zero Day Vulnerability in Chrome and Bypasses Sandbox and Other Security Features

VUPEN, a security research company that works closely with government institutions, has discovered a zero-day vulnerability in Google’s Chrome web browser that allows a payload to be downloaded and executed on the host computer just by visiting a specially crafted web page.

As a proof of concept, VUPEN has posted a video showing the Windows calculator being launched after a web page is opened. Windows calculator is harmless, of course, but any malware could be downloaded and installed at that point.

This is a complex attack: it bypasses Chrome’s sandbox, which isolates the browser’s rendering processes from the underlying operating system and is designed to make it difficult for an attacker to execute arbitrary code on the victim’s computer. The sandbox has served Chrome well until now; the browser escaped undefeated in the last three Pwn2Own hacking contests.

The attack also circumvented Windows 7’s address space layout randomization (ASLR) and data execution prevention (DEP), both of which are designed to hinder exploitation.

VUPEN has not publicly disclosed the nature of the vulnerability; according to its blog, the details will be shared exclusively with VUPEN’s government customers as part of its vulnerability research services.

Zero-day hole in Internet Explorer

A Microsoft Security Advisory warns of a zero-day hole in all supported versions of Internet Explorer.

According to the Microsoft security advisory, the vulnerability exists due to an invalid pointer reference within Internet Explorer. Under certain conditions the invalid pointer can be accessed after the object it refers to has been deleted; in a specially crafted attack, this attempt to access a freed object can be used to achieve remote code execution.

Mitigating factors:

  • Data Execution Prevention (DEP) helps protect against attacks that result in code execution and is enabled by default in Internet Explorer 8 on the following Windows operating systems: Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7.
  • Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of the vulnerability as an attacker who successfully exploited this vulnerability would have very limited rights on the system. An attacker who successfully exploited this vulnerability on Internet Explorer 7 or Internet Explorer 8 could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls, removing the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Source:[Microsoft Security Advisory]
