Within days of its discovery it appears that a new zero day flaw in Java could soon be in widespread use.
FireEye first reported on the flaw being used in a targeted attack originating from a Chinese web server. The web page hosting the exploit is timestamped August 22nd, 2012.
The flaw affects all versions of Oracle’s Java 7 (version 1.7) on all supported platforms. Java 6 and earlier are unaffected. No patch is available at this time.
The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face.
Early reports suggested that Google Chrome was immune to the problem, but that appears to have been a bug in the attacker’s code. The Metasploit project released proof of concept code that exploits the flaw on all browsers and operating systems (Windows, OS X, Linux).
Michael Schierl has performed a detailed analysis of the bugs and points out that it even disables the Java security manager.
Exploiting the vulnerability appears quite trivial and journalist Brian Krebs has already confirmed it will be added to the Blackhole Exploit kit.
This is very concerning, as the Blackhole kit is the most commonly used exploit pack among criminals. Considering that this flaw is not patched and is not likely to be patched soon, this is a very dangerous situation.
In his conversation with the Blackhole author Krebs was told that exploits like this could go for $100,000 on the black market. That shows how effective attacks using this type of vulnerability can be.
I have been encouraging folks to remove Java if they can for years and this is just another reminder to do so. Unfortunately for many of us Java is a necessary evil.
I am a user of LibreOffice/OpenOffice, which requires Java, but there is a good solution to that problem: disable the Java plugin in your favourite web browser.
Need to access intranet pages that require Java in your browser? Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows).
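One way to put the client firewall advice above into practice on Windows, as an added example that is not from the original post: a Windows Firewall rule, created with the built-in netsh tool, that blocks outbound connections from javaw.exe to public address space while leaving intranet addresses reachable. Two things are assumed here and must be adjusted to the machine: the JRE install path, and that "intranet" means the RFC 1918 private ranges.

```powershell
# Added example (not from the original post): block javaw.exe from reaching
# non-intranet (public) IPv4 addresses with the built-in Windows Firewall, so
# Java launched from the browser cannot fetch drive-by content from the
# internet while applets on intranet hosts keep working.
#
# Assumptions (labelled): the JRE lives at $javaw below (Program Files (x86)
# for a 32-bit JRE on 64-bit Windows), and "intranet" means the RFC 1918
# ranges 10/8, 172.16/12 and 192.168/16. Run from an elevated PowerShell prompt.

$javaw = "C:\Program Files\Java\jre7\bin\javaw.exe"   # assumed install path

if (-not (Test-Path $javaw)) {
    throw "javaw.exe not found at $javaw - adjust the path for this machine"
}

# Windows Firewall has no "everything except" selector, so the block rule
# enumerates public IPv4 space and simply leaves gaps for the private ranges
# (plus 127/8 loopback and 169.254/16 link-local).
$publicRanges = @(
    "1.0.0.0-9.255.255.255",
    "11.0.0.0-126.255.255.255",
    "128.0.0.0-169.253.255.255",
    "169.255.0.0-172.15.255.255",
    "172.32.0.0-192.167.255.255",
    "192.169.0.0-223.255.255.255"
) -join ","

$ruleName = "Block javaw.exe outbound to non-intranet"

# Remove any earlier copy of the rule so the script is safe to re-run
# (netsh reports "No rules match" when there is none; that is harmless).
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null

# Block rules win over allow rules in Windows Firewall, so this takes effect
# regardless of the default outbound policy.
netsh advfirewall firewall add rule `
    name="$ruleName" `
    dir=out action=block enable=yes profile=any `
    program="$javaw" `
    remoteip="$publicRanges"

# Verify the rule was created and shows the expected program and ranges.
netsh advfirewall firewall show rule name="$ruleName"
```

After running it, a browser-launched applet on an intranet server still loads, while the same Java process cannot open connections to internet hosts. If your site uses public addressing internally, add that range as a gap in the list rather than removing the rule.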
Another solution is to surf the net using your favourite browser with Java disabled, and have an alternate browser available for the occasional site that needs it (Java is not JavaScript, you almost never need it).
Of course, installing quality anti-malware software, firewalls and web filters provides a lot of protection as well.
Sophos customers are proactively protected against the malware payload as Troj/Agent-XNE and the malicious Java applet as Mal/JavaKnE-H. Sophos endpoint customers using our web protection will block access to these sites as CXweb/BadDlod-G.
How to disable Java in your browser
- How to disable Java in Internet Explorer
- How to disable Java in Firefox
- How to disable Java in Chrome
- How to disable Java in Safari
- How to disable Java in Opera
Does this exploit also apply to the open source “Iced tea” version of Java?
Doesn't seem like it https://bugzilla.redhat.com/show_bug.cgi?format=m…
Agreed, it is related to a specific function added in Java 7. Iced Tea should stay cold and smooth.
Hackers and people that write viruses should be SHOT or put in JAIL for the rest of their lives.
Once we shoot them all or get them off their keyboards for good it might be a lesson to others: that causing criminal damage on a massive scale = life in prison.
We will soon stop it…
That has to be one of the dumbest comments I have ever seen on the internet.
You underestimate the internet my friend 🙂
Sometimes it's best to keep quiet and not prove oneself to be an idiot. Your comment is one of those times.
Do you need a gun? Sorry but do you need a dictionary as well 🙂
victor:
So, in addition to being illiterate, you're also vicious. And pretty clueless too, if you actually believe that execution or imprisonment is a sufficient disincentive to eliminate crimes of any kind. It hasn't worked yet.
But the most delicious irony in your post is your presumption that legalized murder (execution) justified by arbitrary "laws" is morally acceptable. If that's the philosophy by which you live your life, you'll be lucky to escape a violent end yourself. Those who live by the sword (or advocate it) often die by it.
I agree with victor 100%. And to everyone that doesn't like his comments, either you are a hacker yourself or simply have compromised morals and values. Just because it's not a violent crime, doesn't mean it isn't Evil. A single hacker has the capability to cause hundreds of thousands of man-hours (or more) to be wasted on the repair and remediation of their malicious hi-jinks.
Just think how much farther ahead human society would be right now if we weren't constantly dealing with criminals and malcontents. (and corrupt politicians for that matter.) I think the reason our justice system doesn't work is because the punishment rarely fits the crime. What's wrong with an eye-for-an-eye for murderers? Why do we spend tax dollars keeping them clothed and fed? Freaking get rid of them. (Especially if the evidence is overwhelming and there is no chance of them being innocent!)
Oh, and Nigel, get off your high-hippie-horse and realize that you are simply 'justifying' something in your head, just like everyone else does, including me.
But that doesn't make Victor wrong with his ideas. I've spent TOO MUCH time cleaning up after and preparing for viruses and other malware. It is G D annoying, and when I think of a hacker trying to steal money from innocent people in their mom's basement, I kinda want to walk up behind them and pull the trigger. But go ahead and tell me I'm wrong to think that…..whatever dude….whatever.
On a side note: I also think that code developers need to get their heads out of their collective @ss3s, especially people writing code that is on 90% of all computers worldwide. So I can see it from both sides.
Oh, and Arbitrary or not, laws generally exist to define the line between good and evil. (At least they are supposed to….) I think modern society stinks, as it is dotted with little piles of poo amongst the greater good. Watch your step….and hold your nose, and you might survive.
-end Rant.
An eye for an eye and the whole world ends up blind!
I don't think this exploit will go for 100k since it's already in Metasploit and such. Maybe if they keep it quiet next time, they could sell it 😉
I think only certain components within LibreOffice/OpenOffice need Java, I don’t have it on my PC and LibreOffice works OK for what I need to do with it.
Java is only required for the database and the accessibility/assistive component of OpenOffice. If you don't use those, you shouldn't notice the difference. See http://www.openoffice.org/download/common/java.ht… for more details.
Thanks for that. My Linux distro lists it as a requirement, but good to hear it isn't always necessary.
For those on OS X, NeoOffice 3.3 has just completed replacing the Java components with native equivalents.
I was surprised the article didn't include instructions on how to disable Java on various browsers:
In Firefox: http://support.mozilla.org/en-US/kb/How%20to%20tu…
In Chrome:
– Type chrome://plugins/ into the URL bar.
– Find the plug-in that you’d like to disable and click Disable. You can also reenable disabled plug-ins on this page.
In Safari: http://support.apple.com/kb/HT5241
"Java is not JavaScript, you almost never need it."
I'm confused; do I almost never need to have Java or do I almost never need to have Javascript? What would happen to my Firefox browser if I were to disable both from my Mac?
The author meant you almost never need Java.
Lots of websites require JavaScript. If you want to control the use of JavaScript in Firefox, you may wish to try an addon like NoScript.
The differences between Java and JavaScript:
1. Java is an OOP programming language while Java Script is an OOP scripting language.
2. Java creates applications that run in a virtual machine or browser while JavaScript code is run on a browser only.
3. Java code needs to be compiled while JavaScript code is all in text.
4. They require different plug-ins.
5. JavaScript does not create applets or stand-alone applications.
6. JavaScript resides inside HTML documents, and can provide levels of interactivity to web pages that are not achievable with simple HTML.
@Chester: When you recommend to remove Java for years already – have you also recommended to remove IE, MS Office, PowerShell, Lotus Notes/Domino, Firebird, QuickTime, and Adobe Reader, too?
Not? Why not?
I wonder if Java based phones are susceptible?
I don't believe most mobile phone OSs are using Java 7 as a platform.
There is no mention of IE. Is that not affected?
It is. See US-CERT's Vulnerability Note VU#636312 for IE, Safari, Firefox & Chrome: http://www.kb.cert.org/vuls/id/636312
All browsers on all OSs which have Java 7 installed.
Please don't uninstall Java if you are using Sophos Mobile Control.
SMC requires the JDK for the backend application. I would recommend disabling the Java plugin for the browser on all servers, including those running SMC.
Finally, an excuse to NOT play Minecraft for a few months! 😉
Would it be possible to get a step-by-step guide on some rules recommendations for those of us with Sophos Enterprise? I would feel safer blocking Java via client firewall, given their history for slow updates.
Hi Mike
It might be better to ask about that in our product support community over at http://community.sophos.com/ – as that's where the tech support guys hang out.
Hope that helps