Yet ANOTHER Java zero-day claimed – but this time you’re laughing, right?

Irrepressible cybercrime investigator and reporter Brian Krebs has written about yet another Java zero-day exploit.

This one, it seems, targets an exploitable vulnerability even in Oracle’s most recent release, Version 7 Update 11, also known as 7u11.

Details of the exploit are sketchy, because the underworld is playing this one very close to its chest.

According to the Krebmeister, the broker who had the exploit up for sale planned to sell it to just two different buyers, rather than leasing it or offering it up widely.

The idea of limiting distribution is obvious: the fewer exploit-delivery sites that actually serve up the exploit, the longer it will take to become widely known, and the longer it is likely to last before being acquired, dissected and patched.

The disadvantage to the criminal who’s brokering the sale, of course, is that he’s limiting his market, though by trusting two fellow-crooks he runs double the risk that his prized possession will get sold on anyway.

It looks as though a second buyer came out of the woodwork, because Krebs reports that the sales pitch subsequently vanished from the underground forum on which it was originally published.

The value the seller is placing on this exploit sounds a bit low to me: he’s expecting total earnings of just $10,000 for a reliable, working and current Java zero-day. (I don’t mean to sound as though I think cybercriminality is glib and workaday. I’d simply have thought that he could have asked and got more.)

There are many possible reasons for that value, not least that I’m ill-informed about competitive pricing in the underground, but two interesting ones spring to mind:

  • There isn’t a new exploit. Or it’s not a very good one. It’s just a wind-up.
  • The widespread news coverage recommending that you turn off Java is pushing down the price.

Let’s hope that the reason is the latter.

In his excellent new technical paper on the Blackhole Exploit Kit, SophosLabs researcher Gabor Szappanos published an exploit success report from a live Blackhole server, in which Java exploits accounted for a disproportionate share of the successful infections.

Szappi wondered if there was some factor in the exploit kit itself that favoured Java as a vector.

Perhaps, for example, on a PC vulnerable to multiple exploits, the Java one might trigger fastest, and thus be over-represented in the reports?

Perhaps a bias in the exploit pack code meant that other exploits were tried less often, thus giving Java an unfairly large bite at the cherry?

But that was not the case. To quote Szappi himself:

After evaluating the code it turned out that [there was no bias]. The Blackhole exploit kit is fair with the individual exploit functions and doesn't favour any single one of them... So I was left with the only remaining explanation: Java security fixes are not being installed. Users don't consider Java a direct threat, and don't rush into updating their systems.

And that is the number one security challenge regarding web threats: making users aware that Java is right now the weakest spot. And it is heavily under attack.

The silver lining is that he wrote those words back in December 2012, before the latest outbreak of “turn Java off” advice.

Let’s hope that advice pays off.

By all means install Java. (I have it for Android research and development, for instance.) But keep it up-to-date, like any other software package.
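A practical way to act on "keep it up-to-date" across a fleet is to parse the first line of `java -version 2>&1` (for example `java version "1.7.0_11"`, Oracle's 1.x naming for Java 7) and flag anything below the release you consider current. The script below is an added example written for this article, not code from Sophos, SophosLabs or Oracle; the version strings it is fed are constructed test inputs, and the threshold 7u11 is simply the release the article mentions.

```shell
#!/bin/sh
# Parse the first line of `java -version 2>&1`, e.g.
#   java version "1.7.0_11"      (also matches: openjdk version "1.7.0_11")
# and print "<major> <update>" (here: 7 11).
# Java 5/6 strings look like "1.6.0_37" and parse the same way. Java 9+
# changed the scheme ("9.0.1", "11.0.2"); this parser deliberately covers
# only the 1.x form discussed on this page.
parse_java_version() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$ver" ] || return 1            # not a Java version banner at all
  major=${ver#1.}                      # 1.7.0_11 -> 7.0_11
  major=${major%%.*}                   # 7
  update=${ver##*_}                    # 11 (or the whole string if no "_")
  case "$update" in *[!0-9]*|'') update=0 ;; esac   # no update suffix -> u0
  echo "$major $update"
}

# Exit 0 (true) if VERSION_STRING is older than Java MAJOR update UPDATE,
# 1 if it is current or newer, 2 if the string could not be parsed.
# Usage: java_is_older_than "$(java -version 2>&1)" 7 11
java_is_older_than() {
  parsed=$(parse_java_version "$1") || return 2
  # Arguments on the right are expanded before `set` replaces them, so
  # $1..$4 become: installed major, installed update, wanted major, wanted update.
  set -- $parsed "$2" "$3"
  [ "$1" -lt "$3" ] && return 0
  [ "$1" -eq "$3" ] && [ "$2" -lt "$4" ] && return 0
  return 1
}
```

On a real host you would run `java_is_older_than "$(java -version 2>&1)" 7 11 && echo "stale Java"`; an exit status of 2 (no parseable banner) usually means Java is not installed at all, which for most desktops is the best answer of the three.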

By all means turn on Java in your browser, if that is your informed choice. (I have it locked out of my browsers as I simply don’t use any sites that require it.) But don’t enable it unless you actually need it.

I’m not picking on Oracle or on Java here.

This advice holds for any software or browser plugin you don’t need.

Getting rid of functionality you are not using has the trendy name of “reducing your attack surface area”, and it really works.

I have quoted Mr Miyagi, from the movie The Karate Kid, before, and I have no doubt I’ll quote him again: “Best way to avoid punch – no be there.”