
Warning: Java Zero Day Flaw Under Attack

Attackers Pounce on Zero-Day Java Exploit
A BIG thanks to Coryphaeus for stressing this!

Some additional posts from the news thread:

Attackers have seized upon a previously unknown security hole in Oracle's ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.

News of the vulnerability surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers André M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. "The price of such an exploit if it were sold privately would be about $100,000," wrote Paunch, the nickname used by the BlackHole author.

Continued: http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

Also:
Warning on critical Java hole
Java zero day vulnerability actively used in targeted attacks
New Java Zero Day Being Used in Targeted Attacks
New Java Exploit Spotted in the Wild
Care to Disable the Java Plugin?

Near the end of the above post, Brian Krebs writes:

If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

For browser-specific instructions on disabling Java see:

How to Unplug Java from the Browser

For Windows users:

Mozilla Firefox: From the main menu select Add-ons, and then disable any plugins with the word "Java" in them. Restart the browser.

Google Chrome: Click the wrench icon in the upper right corner of the browser window, then select Settings. In the search results box to the right in the next screen, type "Java". A box labeled "Content settings" should be highlighted. Click that, and then scroll down to the Plug-ins section. Click the "Disable individual plug-ins" link, find Java in the list, and click the disable link next to it.

Internet Explorer:

Apparently, getting Java unplugged from Internet Explorer is not straightforward. The U.S. Computer Emergency Response Team (USCERT) lists the following steps, which may or may not completely remove Java from IE:

In the Windows Control panel, open the Java item. Select the "Java" tab and click the "View" button. Uncheck "enabled" for any JRE version listed. Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:

Click the start key and type "regedit" in the search box. Double-click the regedit program file when it appears.

- Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system. 10.6.2, for example.

If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0.

- Run javacpl.exe as administrator, click the "Advanced" tab, select "Microsoft Internet Explorer" in the "Default Java for browsers" section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.

US-CERT has some additional suggestions for removing Java from IE if the above steps do not do the trick. See their advisory for more details.
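An added example, not from the forum post or the US-CERT advisory: a PowerShell script that audits the UseJava2IExplorer value under both Java Plug-in keys named in the steps above and, when run with -Disable from an elevated prompt, sets it to 0. It assumes that a missing value means the IE plug-in is still enabled for that JRE.

```powershell
# Added example (not from the US-CERT advisory or the forum post): audit, and
# optionally clear, the UseJava2IExplorer flag for every JRE registered under
# the Java Plug-in keys. Assumes Windows and an elevated PowerShell prompt.
# Without -Disable the script only reports; -WhatIf previews the writes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable
)

# Native key plus the Wow6432Node key (32-bit Java on 64-bit Windows)
$pluginRoots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
)

$results = foreach ($root in $pluginRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # Each subkey is one installed JRE version, e.g. 10.6.2
    foreach ($versionKey in Get-ChildItem -LiteralPath $root) {
        $path  = $versionKey.PSPath
        $value = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).UseJava2IExplorer

        if ($Disable -and $value -ne 0 -and
            $PSCmdlet.ShouldProcess($path, 'Set UseJava2IExplorer = 0')) {
            # DWORD 0 tells the IE plug-in not to load this JRE
            Set-ItemProperty -LiteralPath $path -Name 'UseJava2IExplorer' -Value 0 -Type DWord
            $value = 0
        }

        [pscustomobject]@{
            Version           = $versionKey.PSChildName
            Key               = $path
            UseJava2IExplorer = $value
            # Assumption: absent or non-zero means the plug-in is still active
            IEPluginEnabled   = ($value -ne 0)
        }
    }
}

$results | Format-Table -AutoSize
```

Running javacpl.exe as administrator and unchecking "Microsoft Internet Explorer", as described above, writes the same value, so this script is mainly useful for checking that the change took effect across every installed JRE.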

For Mac users:

Safari: Click Preferences, and then the Security tab (uncheck "Enable Java").

Google Chrome: Open Preferences, and then type "Java" in the search box. Scroll down to the Plug-ins section, and click the link that says "Disable individual plug-ins." If you have Java installed, you should see a "disable" link underneath its listing.

Firefox: Click Tools, Add-ons, and disable the Java plugin(s).

https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

******************
From Zscaler Research: Are you vulnerable to the latest Java 0-day exploit?

Researchers Identify Second New Java Bug

Researchers who have dug into the exploit for the new Java CVE-2012-4681 vulnerability found that there are actually two previously unknown security bugs in Java 7 and that the exploit, which has been tied to attackers in China, is using both of them to get full control of vulnerable machines.

The Java vulnerability was first disclosed publicly on Sunday and researchers have spent the last couple of days looking at the bug as well as the exploit code that's been used in some of the attacks. What they found is that there are in fact two distinct zero day vulnerabilities in the latest version of Java and that the known exploit uses them both.

"The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check," Esteban Guillardoy of Immunity Inc., wrote in an analysis of the vulnerabilities.

"The beauty of this bug class is that it provides 100% reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years.

"There are 2 different zero-day vulnerabilities used in this exploit: one is used to obtain a reference to the sun.awt.SunToolkit class and the other is used to invoke the public getField method on that class. The exploit is making use of the java.beans.Expression which is a java.beans.Statement subclass. There are 2 Expression instances that are used to trigger these 2 different bugs."

Continued: https://threatpost.com/en_us/blogs/researchers-identify-second-new-java-bug-082812

OOPS!

Sorry, but any form of Java does not go on my system until Oracle is willing to issue out-of-band patches. That has not happened so far. Next scheduled update is in October.

Oracle releases out of cycle fixes for Java

Out of nowhere Oracle has released an emergency update to address the zero-day vulnerabilities being exploited by many different criminal groups.

Surprisingly they included some previously unknown vulnerabilities that we can only assume may also have been in use in the wild.

The good news is customers who require Java in their environments can now deploy an official fix and proceed with less risk, the bad news is one of the fixes they shipped out affects Java 6, so everyone needs to patch not just those who were running Java 7.

Oracle officially fixed four CVEs, presumably covering five vulnerabilities. It appears that CVE 2012-4681 was actually two vulnerabilities, so it is difficult to tell for sure if they patched four or five flaws.

The first three only affect Java 7 and all have a CVSS score of 10, meaning they are remotely exploitable and result in code execution. That's as bad as it gets folks.

The fourth affects both Java 6 and Java 7, but in and of itself does not result in code execution. Oracle have not stated precisely what kind of flaw it is, but based on its description it sounds like a privilege escalation vulnerability.

The fact that Oracle included this fourth vulnerability implies that they are seeing it used in conjunction with other vulnerabilities in the wild and you would be strongly encouraged to apply the fix right away.

Continued: http://nakedsecurity.sophos.com/2012/08/30/oracle-releases-out-of-cycle-fixes-for-java/

See: Java SE 7u7 and SE 6u35 Release

For additional details from Immunity Products: Java patched at least 4 bugs
