NewsBot

Critical Java zero-day bug is being "massively exploited in the wild"


A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

 

Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

 

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built into the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

 

Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.



Oracle have known about these security vulnerabilities for about half a year now and done nothing.

Recently they released an update to finally fix those vulnerabilities.

 

They only released the update after Apple and Mozilla blacklisted Java.

 

But just some days later, someone is selling a new Java exploit.


Oracle knew they weren't patching all the vulnerabilities with that update, but at least they raised the default security level to "high". Now the user is always prompted before unsigned applets are allowed to run. Might help a little...

 

The Java plug-in is high risk, should be used with great caution or not at all. Even if they declare it fully patched and secure, don't trust it.


Not only is Java high-risk to use, it's risky to even install it. :realmad:

 

According to Ed Bott on ZDNet:

Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.

And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.

In coordination with Ben Edelman, an expert on deceptive advertising, spyware and adware, I've been looking at how Oracle delivers Java to its customers and who it has chosen to partner with. The evidence against Oracle is overwhelming.

Specifically:

  • When you use Java’s automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
  • With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s “recommendation,” you end up with unwanted software on your PC.
  • IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
  • The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.

 

 

Some of the sleazy practices include running the foistware installer in the background for 10 minutes, so that no entry appears in "Programs and Features" (a.k.a. "Add or Remove Programs" in Windows XP) for 10 minutes after installing Java.

 

Ben Edelman gives a full analysis in his article "IAC Toolbars and Traffic Arbitrage in 2013".

 


And now the new Java update 11 is busted too...

 

... at least they raised the default security level to "high". Now the user is always prompted before unsigned applets are allowed to run. Might help a little...

 

Not any more, because a new exploit announced this week completely bypasses the settings in the Java Control Panel. Malicious Java code can be made to run, without the user being prompted, even if the security setting has been set to the top level of Very High.

 

Java is best completely UNinstalled on Windows. Keeping it on the system, but disabling its use in Internet Explorer is just too complicated to be practical, requiring not only a massive Registry edit to disable BOTH methods of allowing it to run, but actually removing specific files from the Java directory as well.

 


Java is best completely UNinstalled on Windows. Keeping it on the system, but disabling its use in Internet Explorer is just too complicated to be practical, requiring not only a massive Registry edit to disable BOTH methods of allowing it to run, but actually removing specific files from the Java directory as well.

 


However, in Firefox, Chrome, or Opera, disabling Java is simple. If you absolutely must keep Java around for some off-line app or something, I would suggest you don't use Internet Explorer at all, or any browser based on IE.

 

To avoid the foistware (you really don't want the Ask toolbar, it can be hard to get rid of), you should disable the Java auto-updater. I use HijackThis! to remove it, it's called jusched.exe; that makes sure it's disabled. Then, you have to be very careful when manually updating Java, make sure you uncheck all the options to install extra software.

 

Uninstalling Java is the best plan, though.


I never run with Java installed here, either. Though I will say, it's sad that you need it for Minecraft.

It would be pretty cool if they could automatically port it to C# / .NET.

 

The guys at Ximian developed a tool that automatically converted Android from Java to C# / .NET, pretty cool.

Source to source translation.


New versions of Firefox will use click-to-play on all versions of Java.

 

So Java will not be automatically run in the browser, it will explicitly require the user's consent.

Ah, yes; that will definitely reduce your exposure to exploits, since the browser won't be running every random Java applet it encounters. From reports I've read, it appears that these exploit kits insert malicious applets into websites - those would be blocked. Not sure if pre-existing Java content is safe or not, however.

 

I've long used the NoScript extension, which provides configurable click-to-play functionality for plugins already; and there's another extension that does nothing but provide click-to-play. Now every Firefox user will get this functionality without needing any extension. Mozilla should be applauded. :clap:


Oracle have released a Java update, update 13, ahead of schedule which is listed as having 50 (fifty) security fixes. I counted 39 security fixes in the JRE alone in Oracle's list.

 

If you absolutely must have Java, then update to Java 7 update 13 as soon as possible.

Make sure you are not installing deceptive stuff like the Ask toolbar as well, by UNchecking the option during the Java install.

 


Best way to update your Java to be more secure...

  • Control Panel
  • Programs and Features
  • Select Java
  • Uninstall
  • Done

Now you never have to worry about any more Java exploits, which are sadly so common now.

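The uninstall steps above and the earlier advice to disable the jusched.exe auto-updater can both be verified from a PowerShell prompt. This is an added example, not code from any post in the thread; it assumes the standard Windows Uninstall and Run registry keys and the built-in ScheduledTasks module (Windows 8 / Server 2012 or later).

```powershell
# Added example: audit a Windows host for installed Java packages and for
# any autorun or scheduled task that launches the Java updater (jusched.exe).
# Assumes read access to HKLM and the standard Windows registry layout.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Java packages as "Programs and Features" would list them (32- and 64-bit views).
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString

if ($java) {
    Write-Host "Java packages still registered:"
    $java | Format-Table -AutoSize
} else {
    Write-Host "No Java packages registered in Programs and Features."
}

# 2. Run-key autoruns whose command line references jusched.exe.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'jusched\.exe') {
            Write-Host "Java auto-updater autorun: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Scheduled tasks are the other place the updater is commonly registered.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions.Execute -match 'jusched\.exe' } |
    Select-Object TaskName, TaskPath, State
```

An empty result from all three checks means Java is neither installed nor being re-launched by its updater; any hit in step 2 or 3 is the auto-updater the post above says to disable.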

Well, they had better update that notice.

 

Two new Java exploits were announced yesterday (25th-February).

 

In the meantime, Twitter, Apple, Microsoft and Facebook have all been attacked, using Java exploits, after the iPhone developer forums were compromised.

 


Two new Java exploits were announced yesterday (25th-February).

 


These new holes affect Update 15, which is what they're up to now...Oracle keeps patching, but the exploits just keep popping up.

Share this post


Link to post
Share on other sites

Oracle uses odd-numbered updates for security fixes, which is why the last three updates have been 11, 13 & 15.
When update 15 was released on Feb 19th, Oracle scheduled the next update for April 16th. They might have to reschedule that.

 


It's YAJ0* time! :shocking:

 

Yes, it's Yet Another Java 0-day exploit -- this one is out in the wild and being exploited against Java 7 update 15 and Java 6 update 41.

 

Time to update the "It has been [ ] days since the last new Java exploit" notice.

 

Time to remove Java from all your computers, too.

 

 

* the YAJ0 acronym was coined by FireEye to report this new exploit on their blog

 


To their credit Oracle is actually patching the security vulnerabilities now.

 

Their previous modus operandi was to just ignore the security vulnerabilities for another six months until their next bi-annual Java update release.


Another new exploit to Java yesterday, at the Pwn2Own contest in Vancouver, so it's back to 1 per day still being discovered/announced.

Which means that Update 17 is also vulnerable (you were correct that they might have to move up their scheduled next update, but that was an easy call to make).


Apparently I spoke too soon.

 

Because Java was PWNED not just once but three times, yesterday. :whoa:

All three exploits were in the afternoon, the first at 1:30pm, the second at 2:30pm and the third at 5:31pm.

 

And Java has been successfully PWNED again (for the 4th time) today, at 2pm.

 

Oracle must be feeling pretty bruised by now, as they've already fixed over 60 vulnerabilities so far this year and the above 4 aren't the only new ones still outstanding.

 

