Vulnerabilities / Threats
8/26/2013
11:21 AM
50%
50%

Hackers Target Java 6 With Security Exploits

Security experts spot code that attacks vulnerability in Java 6, urge users to upgrade to Java 7 immediately.

Warning to anyone still using Java 6: Upgrade now to Java 7 to avoid being compromised by active attacks.

That alert came via F-Secure anti-malware analyst Timo Hirvonen, who reported finding an in-the-wild exploit actively targeting an unpatched vulnerability in Java 6 following the recent publication of related proof-of-concept (POC) attack code. The Java runtime environment (JRE) bug (CVE-2013-2463), was publicly revealed when Oracle released Java 7 update 25 in June 2013, which remains the most recent version of Java.

"PoC for CVE-2013-2463 was released last week, now it's exploited in the wild," tweeted Hirvonen. "No patch for JRE6 ... Uninstall or upgrade to JRE7 update 25." He added,"At least [the] Neutrino exploit kit seems to have added [an] exploit for [the vulnerability]."

The Neutrino crimeware kit was first spotted in March 2013, when it was identified as the source of a series of attacks that were exploiting Java vulnerabilities to install ransomware on victims' PCs, freezing them until users paid a fine that was supposedly being levied by the FBI and other law enforcement agencies. According to security vendor AVG, Neutrino exploit kit attacks have spiked in the last few days.

[ Is Anonymous losing its mojo? Read FBI: Anonymous Not Same Since LulzSec Crackdown. ]

The reason that Java 7, but not Java 6, was patched against the vulnerability is because Java 6 was officially retired in February. After that, Oracle did issue one final public release in April -- Java 6 update 45 -- to counteract an active attack.

The safe bet now is to expect no new Java 6 updates. Oracle's Java 6 download page reads: "Updates for Java 6 are no longer available to the public. Oracle offers updates to Java 6 only for customers who have purchased Java support or have Oracle products that require Java 6."

According to statistics released in March 2013, at least 47% of all Java users in the United States were still running Java version 6.

What risk do Java 6 users now face from the new vulnerability that's being exploited? According to vulnerability information provider Secunia, the bug could be "exploited by malicious local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (denial of service), bypass certain security restrictions, and compromise a vulnerable system."

While Java 6 is now under the gun, the latest version of Java 7 also sports at least one serious unpatched vulnerability. Fortunately, however, no technical details about that vulnerability have been publicly released. The bug, dubbed "issue 69," was discovered by veteran Java bug hunter Adam Gowdiak, CEO of Polish research firm Security Explorations, and reported to Oracle on July 18, 2013.

In a related post to the Full Disclosure mailing list, Gowdiak said that the vulnerability, which makes it possible to implement a very classic attack against Java Virtual Machine (VM), stemmed from yet another reflection API flaw that he found in Java. "The code allows [an attacker] to violate a fundamental feature of Java VM security -- the safety of its type system," he said. That refers to Java's system for restricting the range of allowed operations, which serves as a first line of defense against attacks and is critical to the correct functioning of the Java sandbox. "As a result, a complete and reliable Java security sandbox bypass can be gained on a vulnerable instance of Oracle's Java SE software," Gowdiak said.

Oracle told Gowdiak that it plans to patch the bug next month. The fix will come in the form of "a back-ported (from JDK 8) implementation of the affected component in JDK 7 update 40," Gowdiak said. Earlier this year, Oracle announced that it would delay the release of Java 8 (aka JDK or JRE 8) while it redeployed developers to strengthen Java 7 security.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.