[jon.kiparsky]

Forwarding this from the JavaPosse mailing list. I haven't done any checking on this, so I don't know any more than what you'll find in the link, but it seems worth calling attention to it here.
Any further information or observations would of course be welcome.

Quote

Just a heads-up:

«A vulnerability in the latest version of Oracle's Java software framework is under active attack, and the damage is likely to get worse thanks to the availability of reliable exploit code that works on a variety of browsers and computer platforms, security experts warn.
...
They went on to suggest that users should disable Java until a patch plugging the gaping hole is released.
»

http://arstechnica.c...o-disable-java/

This post has been edited by jon.kiparsky: 27 August 2012 - 10:40 AM

[fromTheSprawl]

I've seen this on the web a month or two back. I've even read articles preaching to ditch Java completely and use other programming languages. Does anyone know if Oracle will address this soon?

[nick2price]

Quote

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself.

In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

All browsers running on these systems were found to be vulnerable if they had the Java plugin installed, including Chrome, Firefox, Internet Explorer, Opera, and Safari.

Although the actual source of the exploit is not known, it was originally discovered on a server with a domain name that resolved to an IP address located in China. The malware it installed on compromised systems attempted to connect to a command-and-control server believed to be located in Singapore.

Oracle has yet to comment on the vulnerability or when users should expect a fix, but it might be a while. The database giant ordinarily observes a strict thrice-annual patch schedule for Java, and the next batch of fixes isn't due until October 16.

Downgrading to an earlier version of Java is not advised, because even though earlier versions aren't vulnerable to this particular exploit, they may contain other bugs that expose still other vulnerabilities.

In advance of any official patch, and because of the seriousness of the vulnerability, malware researchers at DeepEnd Research have developed an interim fix that they say seems to prevent the rogue Java code from executing its payload, although it has received little testing.

Because the patch could be used to develop new exploits if it fell into the wrong hands, however, DeepEnd Research is only making it available by individual request to systems administrators who manage large numbers of clients for companies that rely on Java.

For individual users, the researchers say, the best solution for now is to disable the Java browser plugin until Oracle issues an official patch.

Source

Got this from a hacking forum which I still keep an eye on for a security project I am doing. One of the persons on this forum actually posted the code used to implement this exploit. Let me know if you want to explore it.

NOTE: I will not be giving people links to this code as it can be used maliciously. The only people I will give the link to is people I know on this forum WELL, so they can explore the code and better advise you on how to protect yourself against this.

This post has been edited by nick2price: 28 August 2012 - 11:46 AM

[nick2price]

And just found out it has been released as a module now on Metaspoit. Thats not good.... Java is now disabled in my browsers :-)

[jon.kiparsky]

fromTheSprawl, on 28 August 2012 - 12:28 AM, said:

I've seen this on the web a month or two back. I've even read articles preaching to ditch Java completely and use other programming languages. Does anyone know if Oracle will address this soon?

This one is new, just spotted Sunday. There have been various holes in the JVM recently, however. To my knowledge, Oracle has not yet stated any intention to address this. They're probably still trying to figure out how long it'll take to patch.

A bit more research suggests to me that this is really not such a big issue, unless you're still concerned about applets. Shut off java in your browsers, don't run java from dodgy sources - same way you wouldn't run C code that you can't personally validate unless you get it from a known trustworthy source.
Basically, we now have to treat the JVM just about the way we currently treat our regular OS. This doesn't seem such a bother.

nick2price, on 28 August 2012 - 01:47 PM, said:

And just found out it has been released as a module now on Metaspoit. Thats not good.... Java is now disabled in my browsers :-)

I was about to point out that about half a dozen links from the article I cited above lead to the metasploit module.
But thanks for your caution!


Linux users can be happy about this quote from errata security:

Quote

I tried it on Ubuntu 12.04 Linux that is fully patched. I had to remove the default OpenJRE and then downlad and install the Oracle one. The install took longer than the owning (https://sites.google.com/site/easylinuxtipsproject/java).

If it's harder to create the vulnerability than it is to exploit it, you're probably relatively safe.

[BetaWar]

More reasons to minimize the plugins on your computers. I (personally) don't have java even installed on my machines, and haven't for some time. Their updater was too buggy for my liking.

[fromTheSprawl]

I'm pretty sure I read something in the lines of this when I was reading stuff on JavaWorld but I can't remember if I read it on that site or some link on another site(ITWorld, for example).

Says here that the next patch might come out on October:
http://www.oracle.co...rts-086861.html

An unofficial patch has been linked here, but no guarantees if it will block all attacks:
http://www.pcworld.c...nerability.html

Correct me if I'm wrong, is this threat limited to Java version 7 only?

[jon.kiparsky]

Oracle's Java 7, that's right.

fromTheSprawl, on 28 August 2012 - 08:32 PM, said:

Says here that the next patch might come out on October:
http://www.oracle.co...rts-086861.html

That's the next scheduled update. Whether they'll have it together by then, or before then, or after then, is anybody's guess.

[nick2price]

Do you know if this has been patched yet? I can find patches from reputable sources such as pcworld, but I cant seem to find an original one from oracle?

[Martyr2]

Well Oracle did recently break from its cycle to patch three vulnerabilities with Java 7 update 7. But apparently there is a new exploit since then so I would just say keep your Java off until they can fix this new one. You can read more about it here.

[nick2price]

Decided to run a scan on my computer today, even though I have not done much browsing since the exploit. And what do you know, 13 trojans and counting, all taking a form similar to "C:\Users\Nick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\52e57122-67ac9e0f:\a\Test.class";"Trojan horse Exploit.Java_c.CXQ"

I advise everyone to do constant scans.

[GregBrannon]

I've heard a distressing amount of inaccurate reporting on the radio and in the technical media re: this topic lately. The reports rarely mention that the vulnerability is limited to Java 7 or that it's limited to the browser/applet implementation of the language rather than the whole language. To them, Java is Java and it's all crap to be avoided. There's no mitigation other than removing or disabling Java.

Then there's tripe like this that advocates throwing out the baby with the bathwater, removing Java entirely, not shipping new computers with Java installed, etc. The linked article turns the hype over this vunlerability into an apparent "no confidence" vote by Apple when in fact, as I understand it, the opposite is true. After years of insisting on cooking its own version of Java and distributing it through its own update system, Apple turned over responsibility for producing an Apple version of Java to Oracle (with 7u6, I believe). There were some good comments pointing out the article's weaknesses, but it shouldn't have been published under PC World's name in the first place.

There's something more going on here. I'm not a conspiracy nut, and I don't think these inaccuracies are being widely reported because of one, but there is an apparent shared agenda to widely discredit Java, Oracle, or both. The motivations may be different, but the results are similar.

[fromTheSprawl]

Whoa, that was the link I was looking for. I know I've read that article way back.

Quote

There's something more going on here. I'm not a conspiracy nut, and I don't think these inaccuracies are being widely reported because of one, but there is an apparent shared agenda to widely discredit Java, Oracle, or both. The motivations may be different, but the results are similar.

I'm not really sure but I think those who spread the news as if everything Java is at risk, I think they don't have their facts straight. Well, for PCWorld, that may be another story. Are they doing this because Java is reigning supreme in the highly coveted enterprise applications department?

All Oracle needs to do is patch this up and never let this happen again, and I hope everything will be fine from then on.

[jon.kiparsky]

fromTheSprawl, on 06 September 2012 - 08:56 PM, said:

All Oracle needs to do is patch this up and never let this happen again, and I hope everything will be fine from then on.

"Fix everything so it doesn't break" is not a plan. This will happen again, and Oracle has to plan on that, and java users have to plan on that. Java is too big, and touches too many parts of too many machines for breaches to not happen. Oracle needs a strategy for dealing with that, not a fervent desire that everything go right from now on.
The best strategy, I think we've learned, is more openness. As it turns out, I was wrong when I said above that this was a new issue, and in fact Oracle did know about this months ago, and they kept a lid on it until it was made public despite them. And sure enough, there was a patch immediately after the word got out that there was a live exploit. If the only way is gets fixed is when it's made public, it needs to be made public immediately. This only makes sense: surely nobody thinks that the bad guys don't know about breaches, right? So by keeping them under wraps you're only making it easy to exploit them, not preventing them.

[fromTheSprawl]

I guess what I mean is this particular bug never happens again. Like I said before, I've read about this a few months ago then when you posted this I thought it was about the old one but turns out it's a new one. Yes, exploits and bugs could again occur, but hopefully this particular one gets patched up, permanently.

Now yeah, keeping mum about it and only doing something when it's out in the public really is a bad thing to do, even for developers. You should let everyone know that there's something wrong, and what should one do so as not to be vulnerable to these exploits. I have not read anything official from Oracle about this, and yet the internet is making this a very big affair. After all, this is only limited to Java 7 and I haven't read something about it but if this is limited to a particular update then they could still use the ones with the lower updates.