Unpatched Java exploit spreads like wildfire

Filed Under: Featured, Java, Malware, Oracle, Vulnerability

Java logoWithin days of its discovery it appears that a new zero day flaw in Java could soon be in widespread use.

FireEye first reported on the flaw being used in a targeted attack originating from a Chinese web server. The web page hosting the exploit is timestamped August 22nd, 2012.

The flaw affects all versions of Oracle's Java 7 (version 1.7) on all supported platforms. Java 6 and earlier are unaffected. No patch is available at this time.

The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face.

Early reports suggested that Google Chrome was immune to the problem, but that appears to have been a bug in the attacker's code. The Metasploit project released proof of concept code that exploits the flaw on all browsers and operating systems (Windows, OS X, Linux).

Michael Schierl has performed a detailed analysis of the bugs and points out that it even disables the Java security manager.

Exploiting the vulnerability appears quite trivial and journalist Brian Krebs has already confirmed it will be added to the Blackhole Exploit kit.

This is very concerning as the Blackhole kit is the most commonly used exploit pack in use by criminals. Considering this is flaw is not patched and is not likely to be patched soon is a very dangerous situation.

In his conversation with the Blackhole author Krebs was told that exploits like this could go for $100,000 on the black market. That shows how effective attacks using this type of vulnerability can be.

I have been encouraging folks to remove Java if they can for years and this is just another reminder to do so. Unfortunately for many of us Java is a necessary evil.

I am a user of Libre/Open Office which requires Java, but there is a good solution to that problem. Disable the Java plugin in your favourite web browser.

Firewall configuration for JavaNeed to access intranet pages that require Java in your browser? Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows).

Another solution is to surf the net using your favourite browser with Java disabled, and have an alternate browser available for the occasional site that needs it (Java is not JavaScript, you almost never need it).

Of course installing quality anti-malware software, firewalls and web filters provide a lot of protection as well.

Sophos customers are proactively protected against the malware payload as Troj/Agent-XNE and the malicious Java applet as Mal/JavaKnE-H. Sophos endpoint customers using our web protection will block access to these sites as CXweb/BadDlod-G.

How to disable java in your browser

, , , ,

You might like

31 Responses to Unpatched Java exploit spreads like wildfire

  1. Athol · 783 days ago

    Does this exploit also apply to the open source "Iced tea" version of Java?

  2. victor · 783 days ago

    hackers and people that right virus should be SHOT or put in JAIL for the rest of there lives.
    once we shoot them all or get them off there keyboards for good it might be a lesson to others. that causing criminal damage on a massive scale = life in prison..
    we will soon stop it.....

    • TheMo · 783 days ago

      That has to be one of the dumbest comments i have ever seen on the internet.

    • PasserBy · 783 days ago

      Sometimes it's best to keep quiet and not prove oneself to be an idiot, Your comment is one of those times,

    • Moses · 782 days ago

      Do you need a gun? Sorry but do you need a dictionary as well :)

    • Nigel · 782 days ago

      victor:

      So, in addition to being illiterate, you're also vicious. And pretty clueless too, if you actually believe that execution or imprisonment is a sufficient disincentive to eliminate crimes of any kind. It hasn't worked yet.

      But the most delicious irony in your post is your presumption that legalized murder (execution) justified by arbitrary "laws" is morally acceptable. If that's the philosophy by which you live your life, you'll be lucky to escape a violent end yourself. Those who live by the sword (or advocate it) often die by it.

    • SocietyStinks · 781 days ago

      I agree with victor 100%. And to everyone that doesn't like his comments, either you are a hacker yourself or simply have compromised morals and values. Just because it's not a violent crime, doesn't mean it isn't Evil. A single hacker has the capability to cause hundreds of thousands of man-hours (or more) to be wasted on the repair and remediation of their malicious hi-jinks.

      Just think how much farther ahead human society would be right now if we weren't constantly dealing with criminals and malcontents. (and corrupt politicians for that matter.) I think the reason our justice system doesn't work is because the punishment rarely fits the crime. What's wrong with an eye-for-an-eye for murderers? Why do we spend tax dollars keeping them clothed and fed? Freaking get rid of them. (Especially if the evidence is overwhelming and there is no chance of them being innocent!)

      Oh, and Nigel, get off your high-hippie-horse and realize that you are simply 'justifying' something in your head, just like everyone else does, including me.
      But that doesn't make Victor wrong with his ideas. I've spent TOO MUCH time cleaning up after and preparing for viruses and other malware. It is G D annoying, and when I think of a hacker trying to steal money from innocent people in their mom's basement, I kinda want to walk up behind them and pull the trigger. But go ahead and tell me I'm wrong to think that.....whatever dude....whatever.

      On a side note: I also think that code developers need to get their heads out of their collective @ss3s, especially people writing code that is on 90% of all computers worldwide. So I can see it from both sides.

      Oh, and Arbitrary or not, laws generally exist to define the line between good and evil. (At least they are supposed to....) I think modern society stinks, as it is dotted with little piles of poo amongst the greater good. Watch your step....and hold your nose, and you might survive.

      -end Rant.

      • James Littler · 780 days ago

        An eye for an eye and the whole world ends up blind!

  3. Bob Meininger · 783 days ago

    I don't think this exploit will go for a 100k since it's already in Metasploit and such. Maybe if they keep it quiet next time that they could sell it ;)

  4. Maik · 783 days ago

    I think only certain components within LibreOffice/OpenOffice need Java, I don't have it on my PC and LibreOffice works OK for what I need to do with it.

  5. Jeff · 782 days ago

    Java is only required for the database and the accessibility/assistive component of OpenOffice. If you don't use those, you shouldn't notice the difference. See http://www.openoffice.org/download/common/java.ht... for more details.

    • Chester Wisniewski · 782 days ago

      Thanks for that. My Linux distro lists it as a requirement, but good to hear it isn't always necessary.

      • Andrew Ludgate · 782 days ago

        For those on OS X, NeoOffice 3.3 has just completed replacing the Java components with native equivalents.

  6. @dagutierrez · 782 days ago

    I was surprised the article didn't include instructions on how to disable Java on various browsers:

    In Firefox: http://support.mozilla.org/en-US/kb/How%20to%20tu...

    In Chrome:
    - Type chrome://plugins/ into the URL bar.
    - Find the plug-in that you’d like to disable and click Disable. You can also reenable disabled plug-ins on this page.

    In Safari: http://support.apple.com/kb/HT5241

  7. Anonymous · 782 days ago

    "Java is not JavaScript, you almost never need it."

    I'm confused; do I almost never need to have Java or do I almost never need to have Javascript? What would happen to my Firefox browser if I were to disable both from my Mac?

    • Graham Cluley · 782 days ago

      The author meant you almost never need Java.

      Lots of websites require JavaScript. If you want to control the use of JavaScript in Firefox, you may wish to try an addon like NoScript.

    • @TirNaNog3 · 781 days ago

      The differences between the Java and JavaScript.
      1. Java is an OOP programming language while Java Script is an OOP scripting language.
      2. Java creates applications that run in a virtual machine or browser while JavaScript code is run on a browser only.
      3. Java code needs to be compiled while JavaScript code are all in text.
      4. They require different plug-ins.
      5. JavaScript, does not create applets or stand-alone applications.
      6. JavaScript resides inside HTML documents, and can provide levels of interactivity to web pages that are not achievable with simple HTML.

  8. tango266 · 782 days ago

    @Chester: When you recommend to remove Java for years already - have you also recommended to remove IE, MS Office, PowerShell, Lotus Notes/Domino, Firebird, QuickTime, and Adobe Reader, too?

    Not? Why not?

  9. John Mendoza · 782 days ago

    I wonder if Java based phones are susceptible?

    • Chester Wisniewski · 782 days ago

      I don't believe most mobile phone OSs are using Java 7 as a platform.

  10. @tyw7 · 782 days ago

    There is no mention to IE. Is that not affected?

  11. eep · 781 days ago

    please don't uninstall Java if you are using Sophos Mobile Control

    • Chester Wisniewski · 781 days ago

      SMC requires the JDK for the backend application. I would recommend disabling the Java plugin for the browser on all servers, including those running SMC.

  12. @adamjweeden · 781 days ago

    Finally, an excuse to NOT play Minecraft for a few months! ;-)

  13. Mike · 781 days ago

    Would it be possible to get a step-by-step guide on some rules recommendations for those of us with Sophos Enterprise? I would feel safer blocking Java via client firewall, given their history for slow updates.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.