New Java Exploit!

Discussion in 'Networking & Security' started by silkstone, Jan 11, 2013.

  1. silkstone

    silkstone

    Joined:
    Nov 1, 2008
    Messages:
    2,890 (1.33/day)
    Thanks Received:
    501
    I read this on Ars the other day and I thought I would re-post the information here as it seems like a pretty big exploit:

    "A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

    Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

    According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

    Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

    "There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

    People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10—the most recent version—say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this."

    - Dan Goodin - Jan 10 2013
    Source: http://arstechnica.com/security/201...bug-is-being-massively-exploited-in-the-wild/
     
  2. MxPhenom 216

    MxPhenom 216 Corsair Fanboy

    Joined:
    Aug 31, 2010
    Messages:
    10,044 (6.64/day)
    Thanks Received:
    2,263
    Location:
    Seattle, WA
    And there's my cue to uninstall Java.
     
  3. silkstone

    silkstone

    Joined:
    Nov 1, 2008
    Messages:
    2,890 (1.33/day)
    Thanks Received:
    501
    This is the scariest part: "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

    I'm using Chrome and it's quite easy to set up so that you need to click to allow Java to run on each site. I haven't uninstalled it yet, but I'm not going to be allowing it to run until an update comes out.
     
  4. OneMoar

    OneMoar

    Joined:
    Apr 9, 2010
    Messages:
    3,579 (2.16/day)
    Thanks Received:
    1,048
    Location:
    Rochester area
    a security hole in JAVA NOWAI
     
    AsRock says thanks.
  5. Drone

    Drone

    Joined:
    Sep 1, 2010
    Messages:
    2,725 (1.80/day)
    Thanks Received:
    1,416
    Wouldn't that be awesome if flash and java go away and never come back and get replaced with something more reliable and less buggy...
     
  6. 3870x2

    3870x2

    Joined:
    Feb 26, 2008
    Messages:
    4,875 (2.01/day)
    Thanks Received:
    689
    Location:
    Joplin, Mo
    Java itself is a great idea, but it has terrible security flaws.

    In the last two years I have helped about a dozen friends and family members where, through a Java exploit, their computers were completely locked down, usually with programs that acted like anti-virus and wanted you to purchase their program to remove the virus that it in itself caused.

    These exploits are very serious and render a computer useless, I am almost surprised Java hasn't been sued or gotten into some kind of trouble for this. The process to remove this malware is usually quite extensive, and varies from one instance to another.
     
  7. Aquinus

    Aquinus Resident Wat-man

    Joined:
    Jan 28, 2012
    Messages:
    6,432 (6.44/day)
    Thanks Received:
    2,167
    Location:
    Concord, NH
    EULA. Gotta love the things you agree to when you install software. :p

    In other words, they're not liable and if the courts disagree they attempt to impose a maximum limit of 1,000 USD. That's all disputable in court, but you (or whoever installed it) did agree to it if you're using Java or have it installed. This really says if Java itself sans any code that Java executes damages your machine, then you might have grounds to sue but other than that, good luck.
     
  8. Frick

    Frick Fishfaced Nincompoop

    Joined:
    Feb 27, 2006
    Messages:
    10,769 (3.41/day)
    Thanks Received:
    2,331
    Doesn't pretty much all software have similar clauses in the EULAs? If I made software I would have one.
     
  9. FordGT90Concept

    FordGT90Concept "I go fast!1!11!1!"

    Joined:
    Oct 13, 2008
    Messages:
    13,745 (6.25/day)
    Thanks Received:
    3,643
    Location:
    IA, USA
    FYI, Update 11 apparently takes care of the vulnerability.
     
    LAN_deRf_HA says thanks.
    Crunching for Team TPU
  10. Drone

    Drone

    Joined:
    Sep 1, 2010
    Messages:
    2,725 (1.80/day)
    Thanks Received:
    1,416
    I never quite understood the real purpose of Java. There are C/C++, .NET and other programming languages. What's up with Java? Yes, in some cases some applications written in Java work faster than others, but in many other cases Java apps are much slower.
    Not sure but I think C/C++ and .NET could handle it all.
     
  11. 3870x2

    3870x2

    Joined:
    Feb 26, 2008
    Messages:
    4,875 (2.01/day)
    Thanks Received:
    689
    Location:
    Joplin, Mo
    Java is slower in almost all cases. People use Java because of easier portability, and the fact that Java has many of their own libraries that are also portable.

    I find programming in Java a bit easier than C#.

    C++ / C# can handle it all.
     
    Aquinus says thanks.
  12. Aquinus

    Aquinus Resident Wat-man

    Joined:
    Jan 28, 2012
    Messages:
    6,432 (6.44/day)
    Thanks Received:
    2,167
    Location:
    Concord, NH
    Java byte code will run on any machine that has implemented the JVM. Therefore you can write one application with one code base and have it work on multiple platforms. C/C++ libraries differ from OS to OS so code written in C/C++ for one platform may not work in another because the core libraries may be different or behave differently or not exist at all.

    Java is good if your intent is to hit the largest audience you can. Newer ARM processors have Jazelle as well, which allows Java byte code to run in hardware as a third execution mode. So it doesn't have to be slow, it's just slow because of how it's implemented. Java can be made to run fast and a lot of the time it does.
    +1: This too.
     
  13. Drone

    Drone

    Joined:
    Sep 1, 2010
    Messages:
    2,725 (1.80/day)
    Thanks Received:
    1,416
    Generally speaking, most high-level programming languages are more or less portable.
     
  14. DarkOCean

    DarkOCean

    Joined:
    Jan 28, 2009
    Messages:
    1,618 (0.77/day)
    Thanks Received:
    350
    Location:
    on top of that big mountain on mars(Romania)
    Seeing this now I feel better that I haven't used Java for quite some time now, knowing its weakness for exploits.
     
  15. erixx

    erixx

    Joined:
    Mar 24, 2010
    Messages:
    3,436 (2.06/day)
    Thanks Received:
    486
    Sadly I have business software that requires Java :(
     
  16. Drone

    Drone

    Joined:
    Sep 1, 2010
    Messages:
    2,725 (1.80/day)
    Thanks Received:
    1,416
    And there's already a zeroday bug for update 11 which is selling for 5000$
     
    FordGT90Concept says thanks.
  17. LAN_deRf_HA

    LAN_deRf_HA

    Joined:
    Apr 4, 2008
    Messages:
    4,555 (1.90/day)
    Thanks Received:
    952
    This is good actually. Holes like this exist for just about everything. They're traded in very tight circles with people highly motivated to keep them secret. If someone gets a hold of one and wants to make a quick buck selling it instead of exploiting it then it's pretty much the end of that exploit. It will get identified and patched.

    Honestly the best possible way to root out these long standing exploits in browsers/flash/java is to offer rewards for those exploits. Big ones.
     
  18. erixx

    erixx

    Joined:
    Mar 24, 2010
    Messages:
    3,436 (2.06/day)
    Thanks Received:
    486
    Defender report of earlier today:

    containerfile:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49
    file:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49->h.class
    file:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49->r.class
    file:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49->van.class
    file:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49->zou.class


    Just now I installed Java update 11
     
    Last edited: Jan 18, 2013
  19. FordGT90Concept

    FordGT90Concept "I go fast!1!11!1!"

    Joined:
    Oct 13, 2008
    Messages:
    13,745 (6.25/day)
    Thanks Received:
    3,643
    Location:
    IA, USA
    Well that sucks. :(


    That defies logic. :p
     
    Crunching for Team TPU
  20. kn00tcn

    kn00tcn

    Joined:
    Feb 9, 2009
    Messages:
    692 (0.33/day)
    Thanks Received:
    122
    Location:
    Toronto
    Just disable the browser plugin, not remove Java from the OS entirely (since obviously Minecraft, JDownloader, all kinds of things need Java).

    How many SITES still use Java when they can just make their thing in Flash or by now WebGL & Unity?
     
  21. Drone

    Drone

    Joined:
    Sep 1, 2010
    Messages:
    2,725 (1.80/day)
    Thanks Received:
    1,416
  22. Drone

    Drone

    Joined:
    Sep 1, 2010
    Messages:
    2,725 (1.80/day)
    Thanks Received:
    1,416
    If anyone cares, Java is gonna release its cumulative patch. It will arrive February 19.
     
    silkstone says thanks.
  23. Drone

    Drone

    Joined:
    Sep 1, 2010
    Messages:
    2,725 (1.80/day)
    Thanks Received:
    1,416
    Another Java Zero-Day Found

    FireEye said that there'll be more zero days
     
    Chevalr1c and silkstone say thanks.
  24. Wrigleyvillain

    Wrigleyvillain PTFO or GTFO

    Joined:
    Oct 13, 2007
    Messages:
    7,667 (2.99/day)
    Thanks Received:
    1,775
    Location:
    Chicago
    Ffs
     
  25. 95Viper

    95Viper

    Joined:
    Oct 12, 2008
    Messages:
    4,415 (2.01/day)
    Thanks Received:
    1,614
    Location:
    στο άλφα έως ωμέγα
    Java update to fix two security exploits.

    Java SE Downloads

    Oracle Security Alert for CVE-2013-1493
     