Attacks/Breaches
1/11/2013
09:22 AM
Connect Directly
RSS
E-Mail
50%
50%

Java Under Attack Again, Disable Now

Java zero-day vulnerability is under attack by at least four active campaigns. Oracle has yet to respond. Here's what to do.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Security experts have a message for all businesses: Disable Java now, and keep it disabled.

That's their advice message after the discovery Thursday of yet another zero-day Java vulnerability, as well as a number of attacks that are already exploiting the flaw to run arbitrary code on PCs.

"It looks like this exploit is being used in at least four different active exploit kits -- Blackhole, Cool Exploit Kit, Nuclear Pack and Redkit," said research engineer Nick Randolph, who's part of the Sourcefire Vulnerability Research Team (VRT), in a blog post. "Source code has popped up on pastebin as well, and the VRT has been able to compile it and confirm that it is functional." An exploit module has also been developed for the open source Metasploit penetration testing toolkit.

The Java zero-day vulnerability, dubbed CVE-2013-0422, "allows remote attackers to execute arbitrary code via unknown vectors, possibly related to 'permissions of certain Java classes,'" according to the National Vulnerability Database. The flaw affects all versions of Java 7, including Oracle Java 7 Update 10, which is the most recent version. With some estimates suggesting that 34% of all PCs currently run a version of Java 7, the zero-day vulnerability may now be present on over 400 million systems.

Attackers have been rushing to exploit the vulnerability, which in the past 24 hours has become one of the most-seen exploits by antivirus software. "Java exploit is trending: our generic detection Exploit:Java/Majava.C already in TOP10 for the past 24 hours (with 2 other Java detections)," said Timo Hirvonen, an anti-malware analyst at antivirus vendor F-Secure, in a Friday Twitter post. Earlier this week, a security researcher who goes by the moniker "@Kafeine" -- and who's detailed some of the current attacks that exploit the vulnerability -- reported seeing hundreds of thousands of hits on just a single website that was hosting the exploit.

Those attacks are just the beginning. "We anticipate that ... this will be very wildly exploited in the field in the coming days via a variety of different vectors," said Sourcefire's Randolph.

With that in mind, what's the quickest way to disable Java? On systems running recent versions of Java, the Java control panel can be used to immediately disable the plug-in for all installed browsers.

Technology giant Oracle, which maintains Java, has yet to issue an official response regarding the latest zero-day Java flaw, which suggests that a fix won't be immediately forthcoming. "Unless they have previous intelligence regarding this vulnerability, a patch will likely be at least days in the making," said Randolph. "Anyone who can continue to do their job with Java disabled in their browser is strongly encouraged to do so immediately, as that's the only way to ensure complete safety against this attack or others like it -- which, based on the history of Java 0-days over the last 12 months, are likely to happen at some point within the not-too-distant future."

Indeed, this is far from the first time that security experts have sounded warnings over Java. Last year, the discovery of a zero-day flaw in Java 7 affecting Windows, OS X, and Linux led also led to calls that Java should be immediately disabled in all browsers.

Some companies have been pursuing stronger measures. Last year, after attackers reverse-engineered a Windows Java vulnerability to create the Flashback malware, which successfully infected over 600,000 Macs, Apple updated recent versions of OS X to disable Java, if not used for more than 35 days. In October, meanwhile, Apple got tougher, issuing an update that excised Java from all Apple browsers. To run Java, users would need to download the software from Oracle.

Taking a page from Adobe's approach to Flash -- which previously enjoyed the attentions of zero-day attackers who recently have been embracing Java flaws -- Oracle last year finally released an automatic updater for Java. As a result, Java security fixes can be pushed directly to users when ready.

But with Java users facing yet another zero-day threat, might more businesses now ban the plug-in, which has already put an unknown number of Java users at risk? While researchers reported discovering the bug on Jan. 10, it was apparently being used by attackers to exploit systems beginning at least several weeks before then. "We first observed the new Java 0-day on Dec 17th, very low rates until the morning of Jan 9th when detection rate surged," said Costin Raiu, a senior security researcher at Kaspersky Lab, via Twitter.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Johnnythegeek
50%
50%
Johnnythegeek,
User Rank: Apprentice
1/11/2013 | 3:11:27 PM
re: Java Under Attack Again, Disable Now
I think Java is a plugin who's time has come to say bye. I uninstalled it months ago and never have any issues or sites wanting it. What I find disturbing is how many PC makers still have it installed on a new PC. Besides the fact its a older version! Kudo's to Apple for not including it on Safari browser anymore. What I would like to see is web sites take a stand and protect their users better and start dropping Java ASAP. Oricle does not appear to give a crap about Java anymore as they hardly address these security problems with any great urgency.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
1/11/2013 | 11:48:53 PM
re: Java Under Attack Again, Disable Now
IE is under attack! Disable now! Or is this the typical doubletalk? Diss Java and claim that IE zero days are nothing?
Kiranpal Pendyala
50%
50%
Kiranpal Pendyala,
User Rank: Apprentice
1/12/2013 | 12:59:19 AM
re: Java Under Attack Again, Disable Now
I doubt we are there yet... at least in the corporate world where I work, we can't get thru a day without it. So much of what we do is built using java and quite a bit still relies on the java plugin for the browser.
Patrick Dacre
50%
50%
Patrick Dacre,
User Rank: Apprentice
1/12/2013 | 8:53:18 AM
re: Java Under Attack Again, Disable Now
This link, courtesy of computerhelpers4good, shows how to temporarily disable in o/s and browsers. http://www.java.com/en/downloa...
Flying Goat
50%
50%
Flying Goat,
User Rank: Apprentice
1/12/2013 | 3:42:51 PM
re: Java Under Attack Again, Disable Now
The issue with Java is that it increases the attack surface area of browsers, and is rarely used by most users. It's not uniquely vulnerable, but most users can disable it and not notice any difference, while protecting themselves against exploits.
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
1/12/2013 | 4:11:56 PM
re: Java Under Attack Again, Disable Now
Get a clue. This issue doesn't just affect IE. All browsers (except newer Safari) are affected. There are two aspects of Java at play. Javascript is used by just about every website and cannot be dispensed with easily. Java applets are infrequently used and the Java 6 and 7 platforms they run on are where the vulnerability exists. Disable them.
Philip Steiner
50%
50%
Philip Steiner,
User Rank: Apprentice
1/12/2013 | 5:52:01 PM
re: Java Under Attack Again, Disable Now
Point of order: JavaScript is not Java. The exploit affects only Java.
tridus
50%
50%
tridus,
User Rank: Apprentice
1/12/2013 | 8:36:09 PM
re: Java Under Attack Again, Disable Now
At this point, having Java's browser plugin enabled on a home machine is negligence. It's such a popular attack vector with so little actual use that it's reached absurd levels to continue to support it at all.

Kill it with fire. In the corporate world, the firewall/web proxy should be stripping it out except from whitelisted corporate sites.
Dirty Harry
50%
50%
Dirty Harry,
User Rank: Apprentice
1/12/2013 | 9:40:09 PM
re: Java Under Attack Again, Disable Now
This is getting old! When is Java going to get it's act together regarding security issues? By the way, do I need to disable Java in the Java Control Panel or just as a Plug in?
Todd
50%
50%
Todd,
User Rank: Apprentice
1/13/2013 | 1:27:19 AM
re: Java Under Attack Again, Disable Now
People bottom line with viruses if your using Microsoft Windows your about 99.9% chance to get any virus on the internet. If you use Mac OS X your about 50% chance to get a virus. If you use Linux or Ubuntu your about 10% chance or lower to get a virus on the internet. I say do the math people.......
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.