Attacks/Breaches
8/28/2012
09:14 AM
50%
50%

Java Zero-Day Attack Could Hit Enterprises Hard

In-the-wild exploit targets unpatched Java 7 vulnerability affecting Windows, OS X, and Linux. Security experts advise disabling Java in browsers.

Calling all enterprises: disable Java in your browsers.

That warning has been sounded by numerous information security experts, following the discovery of an in-the-wild exploit that targets a zero-day vulnerability in Java, and for which no patch yet exists.

"We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable," said Atif Mushtaq, senior staff scientist at FireEye Malware Intelligence Lab, which discovered the attack and identified the Java vulnerability it exploited. "[The] initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain is resolving to an IP address in China," he said in a blog post.

The in-the-wild attack, hosted by a malicious website, currently only targets Windows PCs, via a malicious JAR (Java Archive) applet named "Dropper.MsPMs." If the browser-targeting exploit is successful, the JAR file gets installed on the targeted system. As of Sunday, the website serving the attack remained fully functional, as did the command-and-control servers, which are currently based in Singapore.

The exploited vulnerability exists in all versions of Java 7, and can be used to exploit not just Windows, but also Apple OS X and Linux systems. "I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1 [and] I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6. [The] same exploit worked on all of them," said David Maynor, CTO of Errata Security, in a blog post.

[ Most IT security groups are short-handed and can't find good people to hire. Is there a Security Skills Shortage, Or Training Failure? ]

"This exploit is awesome," he said. "[It's] not a buffer overflow or anything like that, it uses a flaw in the JRE design that allows a Java app to change its own security settings with reflection." As a result, an attacker can use the vulnerability to arbitrarily change Java security settings, allowing malware to read, write, and execute code on an infected system.

Oracle has yet to detail when it will release a related Java patch for the vulnerability. "The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Until Oracle does patch the vulnerability, "the best way to prevent this attack at the moment is by removing or disabling [the] Java plug-in from your browser settings," said FireEye's Mushtaq. "Once Oracle comes up with a patch you can re-enable this plug-in." Don't, however, roll back to a previous version of Java, since older versions have numerous known vulnerabilities.

An exploit module based on the new vulnerability has already been added to the Metasploit open source penetration testing toolkit, and can be used to exploit the flaw on affected Windows, OS X, and Linux systems. Metasploit developer "sinn3r" said he'd verified that the exploit works against Internet Explorer, Firefox, and Chrome, running on Windows XP, Vista, and 7, as well as Firefox on Ubuntu Linux 10.04 and Safari on OS X Mountain Lion (10.7.4).

"Paunch," the nickname used by the developer of the BlackHole crimeware toolkit, told security journalist Brian Krebs via IM that he planned to immediately integrate the publicly available exploit code into BlackHole, saying that it was a high-quality vulnerability that could have fetched $100,000 if sold privately.

The BlackHole author--or authors--has recently been a devotee of Java vulnerabilities, which have proven easy to exploit, with some Java bugs offering a success rate of up to 80%. Adding in such exploits makes the crimeware toolkit more attractive to would-be buyers.

"Starting at the end of last year, they focused on adding Java exploits--within a month after a patch is released by Oracle," said Jason Jones, lead for the advanced security intelligence team at HP's DVLabs, speaking last month by phone about the BlackHole exploit toolkit. "They did this at the end of last year, and we saw an extremely high success rate for exploitation, then they added another one at the beginning of this year, had another same high level of exploitation rates, then they did it again recently."

Earlier this year, that increasing use of Java exploits led Apple to automatically disable Java in OS X, if it hasn't been used for 35 days. Apple made that change after a Java exploit--first detailed for Windows--was reverse-engineered by malware developers, who created the Flashback malware that infected an estimated 600,000 OS X systems.

In the wake of the latest Java vulnerability, which is difficult to spot, the prevailing security advice has been to disable Java altogether. "The configuration I used to test [the exploit] would be caught by [an] IPS with good rules [but] if you just enable the Metasploit built-in SSL options, an IPS would be blinded to this," said Maynor at Errata Security. "I have tried two different desktop protection suites from McAfee and Symantec. Neither stopped the threat, but then again, they really aren't designed to. This is a perfect exploit to use for phishing, or [targeting] social media users."

The new exploit may have already been used against your business. "Remember to search your logs for connections to the Domains/IPs related to this attack," said Jaime Blasco, a malware researcher at AlienVault Labs, in a blog post.

For businesses that can't disable Java, for example because they need to support functionality on intranet pages, here's a temporary workaround: "Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows)," said Wisniewski at Sophos. "Another solution is to surf the net using your favorite browser with Java disabled, and have an alternate browser available for the occasional site that needs it--Java is not JavaScript, you almost never need it," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Roy Working
50%
50%
Roy Working,
User Rank: Apprentice
1/13/2013 | 4:29:55 PM
re: Java Zero-Day Attack Could Hit Enterprises Hard
Oracle as usual is cranking out security hole ridden software and won't/can't fix problems - just like in their database software. Maybe they should spend money on people to review code before they release it to the world instead of letting Larry buy more islands, support racing boats team, fuel for his MiG jet, etc.
BobJones
50%
50%
BobJones,
User Rank: Apprentice
8/28/2012 | 5:17:31 PM
re: Java Zero-Day Attack Could Hit Enterprises Hard
Anyone know if UAC and/or "Standard User" will protect against this one?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.