Unpatched Java exploit spreads like wildfire

Within days of its discovery, it appears that a new zero-day flaw in Java could soon be in widespread use.

FireEye first reported the flaw being used in a targeted attack served from a Chinese web server. The web page hosting the exploit is timestamped August 22nd, 2012.

The flaw affects all versions of Oracle’s Java 7 (version 1.7) on all supported platforms. Java 6 and earlier are unaffected. No patch is available at this time.

The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face.

Early reports suggested that Google Chrome was immune to the problem, but that appears to have been a bug in the attacker’s code. The Metasploit project released proof of concept code that exploits the flaw on all browsers and operating systems (Windows, OS X, Linux).

Michael Schierl has performed a detailed analysis of the bugs and points out that the exploit goes as far as disabling the Java security manager, which is what lets a hostile applet break out of the sandbox and run with the full privileges of the logged-in user.

Exploiting the vulnerability appears quite trivial and journalist Brian Krebs has already confirmed it will be added to the Blackhole Exploit kit.

This is very concerning, as the Blackhole kit is the most commonly used exploit pack among criminals. Considering this flaw is not patched and is not likely to be patched soon, this is a very dangerous situation.

In his conversation with the Blackhole author Krebs was told that exploits like this could go for $100,000 on the black market. That shows how effective attacks using this type of vulnerability can be.

I have been encouraging folks to remove Java if they can for years and this is just another reminder to do so. Unfortunately for many of us Java is a necessary evil.

I am a user of Libre/Open Office, which rely on Java for some of their features, but there is a good solution to that problem: leave the Java runtime installed and disable the Java plugin in your favourite web browser.

Need to access intranet pages that require Java in your browser? Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows). Check which Java process actually appears while an applet page is loaded, since the plugin may launch a different executable depending on your Java version, and restrict that one the same way.
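The firewall approach above, as an added example (this is not from the original article or from Sophos). It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, an elevated PowerShell session, and the stock Java 7 install path, which you should adjust. Windows Firewall allows outbound traffic by default and block rules take precedence over allow rules, so rather than trying to allow only the intranet, the script adds one outbound block rule for javaw.exe scoped to every address range that is not RFC 1918 private space, loopback or link-local:

```powershell
# Added example, not code from the original article. Assumes an elevated session,
# Windows 8+ (New-NetFirewallRule) and this Java path; both are assumptions to adjust.
$Java     = 'C:\Program Files (x86)\Java\jre7\bin\javaw.exe'
$RuleName = 'Java plugin - block non-intranet'

# Everything that is NOT 10/8, 172.16/12, 192.168/16, 127/8 or 169.254/16,
# expressed as ranges because Windows Firewall has no "not in" operator.
$NonIntranet = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255',
    '2000::/3'   # global IPv6; remove if your intranet uses global v6 addresses
)

if (-not (Test-Path $Java)) {
    throw "javaw.exe not found at $Java - fix the path before creating the rule"
}

# Replace any previous copy of the rule so the script is safe to re-run.
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound -Action Block -Enabled True -Profile Any `
    -Program $Java -RemoteAddress $NonIntranet | Out-Null

# Check: the rule exists and carries the address scope we intended.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Private-range traffic is untouched by the rule, so intranet applets keep working while an applet pulled from a public web server can no longer be fetched by the plugin. If the plugin on your Java version launches a different executable, run the same script with that path in `$Java`; and remember that this only stops fetches to Internet addresses, not an exploit hosted on a compromised internal server.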

Another solution is to surf the net using your favourite browser with Java disabled, and have an alternate browser available for the occasional site that needs it (Java is not JavaScript, you almost never need it).

Of course, installing quality anti-malware software, firewalls and web filters provides a lot of protection as well.

Sophos customers are proactively protected against the malware payload as Troj/Agent-XNE and the malicious Java applet as Mal/JavaKnE-H. Sophos endpoint customers using our web protection will block access to these sites as CXweb/BadDlod-G.

How to disable java in your browser