Vulnerabilities / Threats

8/26/2013
11:21 AM
50%
50%

Hackers Target Java 6 With Security Exploits

Security experts spot code that attacks vulnerability in Java 6, urge users to upgrade to Java 7 immediately.

Warning to anyone still using Java 6: Upgrade now to Java 7 to avoid being compromised by active attacks.

That alert came via F-Secure anti-malware analyst Timo Hirvonen, who reported finding an in-the-wild exploit actively targeting an unpatched vulnerability in Java 6 following the recent publication of related proof-of-concept (POC) attack code. The Java runtime environment (JRE) bug (CVE-2013-2463), was publicly revealed when Oracle released Java 7 update 25 in June 2013, which remains the most recent version of Java.

"PoC for CVE-2013-2463 was released last week, now it's exploited in the wild," tweeted Hirvonen. "No patch for JRE6 ... Uninstall or upgrade to JRE7 update 25." He added,"At least [the] Neutrino exploit kit seems to have added [an] exploit for [the vulnerability]."

The Neutrino crimeware kit was first spotted in March 2013, when it was identified as the source of a series of attacks that were exploiting Java vulnerabilities to install ransomware on victims' PCs, freezing them until users paid a fine that was supposedly being levied by the FBI and other law enforcement agencies. According to security vendor AVG, Neutrino exploit kit attacks have spiked in the last few days.

[ Is Anonymous losing its mojo? Read FBI: Anonymous Not Same Since LulzSec Crackdown. ]

The reason that Java 7, but not Java 6, was patched against the vulnerability is because Java 6 was officially retired in February. After that, Oracle did issue one final public release in April -- Java 6 update 45 -- to counteract an active attack.

The safe bet now is to expect no new Java 6 updates. Oracle's Java 6 download page reads: "Updates for Java 6 are no longer available to the public. Oracle offers updates to Java 6 only for customers who have purchased Java support or have Oracle products that require Java 6."

According to statistics released in March 2013, at least 47% of all Java users in the United States were still running Java version 6.

What risk do Java 6 users now face from the new vulnerability that's being exploited? According to vulnerability information provider Secunia, the bug could be "exploited by malicious local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (denial of service), bypass certain security restrictions, and compromise a vulnerable system."

While Java 6 is now under the gun, the latest version of Java 7 also sports at least one serious unpatched vulnerability. Fortunately, however, no technical details about that vulnerability have been publicly released. The bug, dubbed "issue 69," was discovered by veteran Java bug hunter Adam Gowdiak, CEO of Polish research firm Security Explorations, and reported to Oracle on July 18, 2013.

In a related post to the Full Disclosure mailing list, Gowdiak said that the vulnerability, which makes it possible to implement a very classic attack against Java Virtual Machine (VM), stemmed from yet another reflection API flaw that he found in Java. "The code allows [an attacker] to violate a fundamental feature of Java VM security -- the safety of its type system," he said. That refers to Java's system for restricting the range of allowed operations, which serves as a first line of defense against attacks and is critical to the correct functioning of the Java sandbox. "As a result, a complete and reliable Java security sandbox bypass can be gained on a vulnerable instance of Oracle's Java SE software," Gowdiak said.

Oracle told Gowdiak that it plans to patch the bug next month. The fix will come in the form of "a back-ported (from JDK 8) implementation of the affected component in JDK 7 update 40," Gowdiak said. Earlier this year, Oracle announced that it would delay the release of Java 8 (aka JDK or JRE 8) while it redeployed developers to strengthen Java 7 security.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
The Case for a Human Security Officer
Ira Winkler, CISSP, President, Secure Mentem,  12/5/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...