New Java Exploit!

[silkstone]

I read this on Ars the other day and i thought i would re-post the information here as it seems like a pretty big exploit:

"A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10—the most recent version—say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this."

- Dan Goodin - Jan 10 2013
Source: http://arstechnica.com/security/2013...d-in-the-wild/

[MxPhenom 216]

and theres my queue to uninstall Java.

[silkstone]

Quote:

Originally Posted by MxPhenom 216

and theres my queue to uninstall Java.

This is the scariest part: "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

I'm using Chrome and it's quite easy to set up so that you need to click to allow java to run on each site. I haven't uninstalled it yet, but i'm not going to be allowing it to run until an update comes out.

[OneMoar]

a security hole in JAVA NOWAI

[Drone]

Wouldn't that be awesome if flash and java go away and never come back and get replaced with something more reliable and less buggy...

[3870x2]

Quote:

Originally Posted by Drone

Wouldn't that be awesome if flash and java go away and never come back and get replaced with something more reliable and less buggy...

Java itself is a great idea, but it has terrible security flaws.

in the last two years I have helped about a dozen friends and family members where, through a Java exploit, their computers were completely locked down, usually with programs that acted like anti-virus and wanted you to purchase their program to remove the virus that it in itself caused.

These exploits are very serious and renders a computer useless, I am almost surprised Java hasn't been sued or gotten into some kind of trouble for this. The process to remove this malware is usually quite extensive, and varies from one instance to another.

[Aquinus]

Quote:

Originally Posted by 3870x2

I am almost surprised Java hasn't been sued or gotten into some kind of trouble for this.

EULA. Gotta love the things you agree to when you install software.

Quote:

Originally Posted by Oracle

5. LIMITATION OF LIABILITY. IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR DATA USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF ORACLE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ORACLE'S ENTIRE LIABILITY FOR DAMAGES HEREUNDER SHALL IN NO EVENT EXCEED ONE THOUSAND DOLLARS (U.S. $1,000).

In other words, they're not liable and if the courts disagree they attempt to impose a maximum limit of 1,000 USD. That's all disputable in court, but you (or whoever installed it,) did agree to if you're using Java or have it installed. This really says if Java itself sans any code that Java executes damages your machine, then you might have grounds to sue but other than that, good luck.

[Frick]

Quote:

Originally Posted by Aquinus

EULA. Gotta love the things you agree to when you install software.

In other words, they're not liable and if the courts disagree they attempt to impose a maximum limit of 1,000 USD. That's all disputable in court, but you (or whoever installed it,) did agree to if you're using Java or have it installed. This really says if Java itself sans any code that Java executes damages your machine, then you might have grounds to sue but other than that, good luck.

Doesnt pretty much all software has similiar clauses in the EULAs? If i made software i would have one.

[FordGT90Concept]

FYI, Update 11 apparently takes care of the vulnerability.

[Drone]

Quote:

Originally Posted by 3870x2

Java itself is a great idea, but it has terrible security flaws.

I never quite understood the real purpose of Java. There are c/c++, .net and other programming languages. What's up with java? Yes in some cases some applications written on java work faster than others but in many other cases java apps are much slower.
Not sure but I think c/c++ and .net could handle it all.

[3870x2]

Quote:

Originally Posted by Drone

I never quite understood the real purpose of Java. There are c/c++, .net and other programming languages. What's up with java? Yes in some cases some applications written on java work faster than others but in many other cases java apps are much slower.
Not sure but I think c/c++ and .net could handle it all.

Java is slower in almost all cases. People use Java because of easier portability, and the fact that Java has many of their own libraries that are also portable.

I find programming in Java a bit easier than c#.

c++ / c# can handle it all.

[Aquinus]

Quote:

Originally Posted by Drone

I never quite understood the real purpose of Java. There are c/c++, .net and other programming languages. What's up with java? Yes in some cases some applications written on java work faster than others but in many other cases java apps are much slower.
Not sure but I think c/c++ and .net could handle it all.

Java byte code will run on any machine that has implemented the JVM. Therefore you can write one application with one code base and have it work on multiple platforms. C/C++ libraries differ from OS to OS so code written in C/C++ for one platform may not work in another because the core libraries may be different or behave differently or not exist at all.

Java is good if your intent is to hit the largest audience you can. Newer ARM processors have Jazelle as well, which allows java byte code run in hardware as a third execution mode. So it doesn't have to be slow, it's just slow because of how its implemented. Java can be made to run fast and a lot of the time it does.

Quote:

Originally Posted by 3870x2

the fact that Java has many of their own libraries that are also portable.

+1: This too.

[Drone]

Quote:

.. portability ..

Generally speaking most high-level programming languages are more or less portable

[DarkOCean]

Seeing this now i feel better that i dont use java from quite some time now knowing its weakness for exploits.

[erixx]

Sadly i have business software that requieres Java

[Drone]

Quote:

Originally Posted by FordGT90Concept

FYI, Update 11 apparently takes care of the vulnerability.

And there's already a zeroday bug for update 11 which is selling for 5000$

[LAN_deRf_HA]

This is good actually. Holes like this exist for just about everything. They're traded in very tight circles with people highly motivated to keep them secret. If someone gets a hold of one and wants to make a quick buck selling it instead of exploiting it then it's pretty much the end of that exploit. It will get identified and patched.

Honestly the best possible way to root out these long standing exploits in browsers/flash/java is to offer rewards for those exploits. Big ones.

[erixx]

Defender report of earlier today:

containerfile:C:\Users\...\AppData\LocalLow\Sun\Ja va\Deployment\cache\6.0\20\6aee21d4-46ec4b49
file:C:\Users\...\AppData\LocalLow\Sun\Java\Deploy ment\cache\6.0\20\6aee21d4-46ec4b49->h.class
file:C:\Users\...\AppData\LocalLow\Sun\Java\Deploy ment\cache\6.0\20\6aee21d4-46ec4b49->r.class
file:C:\Users\...\AppData\LocalLow\Sun\Java\Deploy ment\cache\6.0\20\6aee21d4-46ec4b49->van.class
file:C:\Users\...\AppData\LocalLow\Sun\Java\Deploy ment\cache\6.0\20\6aee21d4-46ec4b49->zou.class


Just now I installed Java update 11

[FordGT90Concept]

Quote:

Originally Posted by Drone

And there's already a zeroday bug for update 11 which is selling for 5000$

Well that sucks.

Quote:

Originally Posted by 3870x2

I find programming in Java a bit easier than c#.

That defies logic.

[kn00tcn]

just disable the browser plugin, not remove java from the OS entirely (since obviously minecraft, jdownloader, all kinds of things need java)

how many SITES still use java when they can just make their thing in flash or by now webgl & unity

[Drone]

Malware Posing as Java Update 11

The malicious website has the misspelled message "A newer version of Java is require" in large, red letters.

[Drone]

If anyone cares java is gonna release its cumulative patch. It will arrive February 19.

[Drone]

Another Java Zero-Day Found

Quote:

FireEye researchers have uncovered yet another zero-day vulnerability in Java, and attackers are currently exploiting it in the wild. The security flaw, if triggered, leads to arbitrary memory read-and-write. The security flaws are in Java v.1.6 Update 41 and the latest Java v1.7 Update 15, which was just released Feb. 19

FireEye said that there'll be more zero days

[Wrigleyvillain]

Ffs

[95Viper]

Java update to fix two security exploits.

Java SE Downloads

Oracle Security Alert for CVE-2013-1493

Quote:

Description

This Security Alert addresses security issues CVE-2013-1493 (US-CERT VU#688246) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.