Attacks/Breaches
8/28/2012
09:14 AM
Connect Directly
RSS
E-Mail
50%
50%

Java Zero-Day Attack Could Hit Enterprises Hard

In-the-wild exploit targets unpatched Java 7 vulnerability affecting Windows, OS X, and Linux. Security experts advise disabling Java in browsers.

Calling all enterprises: disable Java in your browsers.

That warning has been sounded by numerous information security experts, following the discovery of an in-the-wild exploit that targets a zero-day vulnerability in Java, and for which no patch yet exists.

"We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable," said Atif Mushtaq, senior staff scientist at FireEye Malware Intelligence Lab, which discovered the attack and identified the Java vulnerability it exploited. "[The] initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain is resolving to an IP address in China," he said in a blog post.

The in-the-wild attack, hosted by a malicious website, currently only targets Windows PCs, via a malicious JAR (Java Archive) applet named "Dropper.MsPMs." If the browser-targeting exploit is successful, the JAR file gets installed on the targeted system. As of Sunday, the website serving the attack remained fully functional, as did the command-and-control servers, which are currently based in Singapore.

The exploited vulnerability exists in all versions of Java 7, and can be used to exploit not just Windows, but also Apple OS X and Linux systems. "I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1 [and] I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6. [The] same exploit worked on all of them," said David Maynor, CTO of Errata Security, in a blog post.

[ Most IT security groups are short-handed and can't find good people to hire. Is there a Security Skills Shortage, Or Training Failure? ]

"This exploit is awesome," he said. "[It's] not a buffer overflow or anything like that, it uses a flaw in the JRE design that allows a Java app to change its own security settings with reflection." As a result, an attacker can use the vulnerability to arbitrarily change Java security settings, allowing malware to read, write, and execute code on an infected system.

Oracle has yet to detail when it will release a related Java patch for the vulnerability. "The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Until Oracle does patch the vulnerability, "the best way to prevent this attack at the moment is by removing or disabling [the] Java plug-in from your browser settings," said FireEye's Mushtaq. "Once Oracle comes up with a patch you can re-enable this plug-in." Don't, however, roll back to a previous version of Java, since older versions have numerous known vulnerabilities.

An exploit module based on the new vulnerability has already been added to the Metasploit open source penetration testing toolkit, and can be used to exploit the flaw on affected Windows, OS X, and Linux systems. Metasploit developer "sinn3r" said he'd verified that the exploit works against Internet Explorer, Firefox, and Chrome, running on Windows XP, Vista, and 7, as well as Firefox on Ubuntu Linux 10.04 and Safari on OS X Mountain Lion (10.7.4).

"Paunch," the nickname used by the developer of the BlackHole crimeware toolkit, told security journalist Brian Krebs via IM that he planned to immediately integrate the publicly available exploit code into BlackHole, saying that it was a high-quality vulnerability that could have fetched $100,000 if sold privately.

The BlackHole author--or authors--has recently been a devotee of Java vulnerabilities, which have proven easy to exploit, with some Java bugs offering a success rate of up to 80%. Adding in such exploits makes the crimeware toolkit more attractive to would-be buyers.

"Starting at the end of last year, they focused on adding Java exploits--within a month after a patch is released by Oracle," said Jason Jones, lead for the advanced security intelligence team at HP's DVLabs, speaking last month by phone about the BlackHole exploit toolkit. "They did this at the end of last year, and we saw an extremely high success rate for exploitation, then they added another one at the beginning of this year, had another same high level of exploitation rates, then they did it again recently."

Earlier this year, that increasing use of Java exploits led Apple to automatically disable Java in OS X, if it hasn't been used for 35 days. Apple made that change after a Java exploit--first detailed for Windows--was reverse-engineered by malware developers, who created the Flashback malware that infected an estimated 600,000 OS X systems.

In the wake of the latest Java vulnerability, which is difficult to spot, the prevailing security advice has been to disable Java altogether. "The configuration I used to test [the exploit] would be caught by [an] IPS with good rules [but] if you just enable the Metasploit built-in SSL options, an IPS would be blinded to this," said Maynor at Errata Security. "I have tried two different desktop protection suites from McAfee and Symantec. Neither stopped the threat, but then again, they really aren't designed to. This is a perfect exploit to use for phishing, or [targeting] social media users."

The new exploit may have already been used against your business. "Remember to search your logs for connections to the Domains/IPs related to this attack," said Jaime Blasco, a malware researcher at AlienVault Labs, in a blog post.

For businesses that can't disable Java, for example because they need to support functionality on intranet pages, here's a temporary workaround: "Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows)," said Wisniewski at Sophos. "Another solution is to surf the net using your favorite browser with Java disabled, and have an alternate browser available for the occasional site that needs it--Java is not JavaScript, you almost never need it," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Roy Working
50%
50%
Roy Working,
User Rank: Apprentice
1/13/2013 | 4:29:55 PM
re: Java Zero-Day Attack Could Hit Enterprises Hard
Oracle as usual is cranking out security hole ridden software and won't/can't fix problems - just like in their database software. Maybe they should spend money on people to review code before they release it to the world instead of letting Larry buy more islands, support racing boats team, fuel for his MiG jet, etc.
BobJones
50%
50%
BobJones,
User Rank: Apprentice
8/28/2012 | 5:17:31 PM
re: Java Zero-Day Attack Could Hit Enterprises Hard
Anyone know if UAC and/or "Standard User" will protect against this one?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.