Vulnerabilities / Threats
8/26/2013
11:21 AM
50%
50%

Hackers Target Java 6 With Security Exploits

Security experts spot code that attacks vulnerability in Java 6, urge users to upgrade to Java 7 immediately.

Warning to anyone still using Java 6: Upgrade now to Java 7 to avoid being compromised by active attacks.

That alert came via F-Secure anti-malware analyst Timo Hirvonen, who reported finding an in-the-wild exploit actively targeting an unpatched vulnerability in Java 6 following the recent publication of related proof-of-concept (POC) attack code. The Java runtime environment (JRE) bug (CVE-2013-2463), was publicly revealed when Oracle released Java 7 update 25 in June 2013, which remains the most recent version of Java.

"PoC for CVE-2013-2463 was released last week, now it's exploited in the wild," tweeted Hirvonen. "No patch for JRE6 ... Uninstall or upgrade to JRE7 update 25." He added,"At least [the] Neutrino exploit kit seems to have added [an] exploit for [the vulnerability]."

The Neutrino crimeware kit was first spotted in March 2013, when it was identified as the source of a series of attacks that were exploiting Java vulnerabilities to install ransomware on victims' PCs, freezing them until users paid a fine that was supposedly being levied by the FBI and other law enforcement agencies. According to security vendor AVG, Neutrino exploit kit attacks have spiked in the last few days.

[ Is Anonymous losing its mojo? Read FBI: Anonymous Not Same Since LulzSec Crackdown. ]

The reason that Java 7, but not Java 6, was patched against the vulnerability is because Java 6 was officially retired in February. After that, Oracle did issue one final public release in April -- Java 6 update 45 -- to counteract an active attack.

The safe bet now is to expect no new Java 6 updates. Oracle's Java 6 download page reads: "Updates for Java 6 are no longer available to the public. Oracle offers updates to Java 6 only for customers who have purchased Java support or have Oracle products that require Java 6."

According to statistics released in March 2013, at least 47% of all Java users in the United States were still running Java version 6.

What risk do Java 6 users now face from the new vulnerability that's being exploited? According to vulnerability information provider Secunia, the bug could be "exploited by malicious local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (denial of service), bypass certain security restrictions, and compromise a vulnerable system."

While Java 6 is now under the gun, the latest version of Java 7 also sports at least one serious unpatched vulnerability. Fortunately, however, no technical details about that vulnerability have been publicly released. The bug, dubbed "issue 69," was discovered by veteran Java bug hunter Adam Gowdiak, CEO of Polish research firm Security Explorations, and reported to Oracle on July 18, 2013.

In a related post to the Full Disclosure mailing list, Gowdiak said that the vulnerability, which makes it possible to implement a very classic attack against Java Virtual Machine (VM), stemmed from yet another reflection API flaw that he found in Java. "The code allows [an attacker] to violate a fundamental feature of Java VM security -- the safety of its type system," he said. That refers to Java's system for restricting the range of allowed operations, which serves as a first line of defense against attacks and is critical to the correct functioning of the Java sandbox. "As a result, a complete and reliable Java security sandbox bypass can be gained on a vulnerable instance of Oracle's Java SE software," Gowdiak said.

Oracle told Gowdiak that it plans to patch the bug next month. The fix will come in the form of "a back-ported (from JDK 8) implementation of the affected component in JDK 7 update 40," Gowdiak said. Earlier this year, Oracle announced that it would delay the release of Java 8 (aka JDK or JRE 8) while it redeployed developers to strengthen Java 7 security.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9651
Published: 2015-08-28
Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, and before 5.0 allows attackers to have unspecified impact via a positive START argument to the "substring-index[-ci] procedures."

CVE-2015-1171
Published: 2015-08-28
Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

CVE-2015-2987
Published: 2015-08-28
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.

CVE-2015-6266
Published: 2015-08-28
The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.899) does not restrict access to uploaded HTML documents, which allows remote attackers to obtain sensitive information from customized documents via a direct request, aka Bug ID CSCuo78045.

CVE-2015-6267
Published: 2015-08-28
Cisco IOS XE before 2.2.3 on ASR 1000 devices allows remote attackers to cause a denial of service (Embedded Services Processor crash) via a crafted L2TP packet, aka Bug IDs CSCsw95722 and CSCsw95496.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.