
Critical Java zero-day bug is being "massively exploited in the wild"


NewsBot


A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

 

Attack code that exploits a vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

 

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built into the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

 

Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.



Oracle have known about these security vulnerabilities for about half a year now and done nothing.

Recently they released an update to finally fix those vulnerabilities.

 

They only released the update after Apple and Mozilla blacklisted Java.

 

But just some day later, someone is selling a new Java exploit.


Oracle knew they weren't patching all the vulnerabilities with that update, but at least they raised the default security level to "high". Now the user is always prompted before unsigned applets are allowed to run. Might help a little...

 

The Java plug-in is high risk, should be used with great caution or not at all. Even if they declare it fully patched and secure, don't trust it.


  • 2 weeks later...

Not only is Java high-risk to use, it's risky to even install it.

 

According to Ed Bott on ZDNet

Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.


And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.

In coordination with Ben Edelman, an expert on deceptive advertising, spyware and adware, I've been looking at how Oracle delivers Java to its customers and who it has chosen to partner with. The evidence against Oracle is overwhelming.


Specifically:


  • When you use Java's automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
  • With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java's "recommendation," you end up with unwanted software on your PC.
  • IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
  • The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.

 

 

Some of the sleazy practices include running the foistware installer in the background for 10 minutes, so that no entry appears in "Programs and Features" (a.k.a. "Add or Remove Programs" in Windows XP) for 10 minutes after installing Java.

 

Ben Edelman gives a full analysis in his article "IAC Toolbars and Traffic Arbitrage in 2013".

 


And now the new Java update 11 is busted too...

 

... at least they raised the default security level to "high". Now the user is always prompted before unsigned applets are allowed to run. Might help a little...

 

Not any more, because a new exploit announced this week completely bypasses the settings in the Java Control Panel. Malicious Java code can be made to run, without the user being prompted, even if the security setting has been set to the top level of Very High.

 

Java is best completely UNinstalled on Windows. Keeping it on the system, but disabling its use in Internet Explorer is just too complicated to be practical, requiring not only a massive Registry edit to disable BOTH methods of allowing it to run, but actually removing specific files from the Java directory as well.

 


Java is best completely UNinstalled on Windows. Keeping it on the system, but disabling its use in Internet Explorer is just too complicated to be practical, requiring not only a massive Registry edit to disable BOTH methods of allowing it to run, but actually removing specific files from the Java directory as well.

 


However, in Firefox, Chrome, or Opera, disabling Java is simple. If you absolutely must keep Java around for some off-line app or something, I would suggest you don't use Internet Explorer at all, or any browser based on IE.

 

To avoid the foistware (you really don't want the Ask toolbar, it can be hard to get rid of), you should disable the Java auto-updater. I use HijackThis! to remove it; it's called jusched.exe, and removing it makes sure it's disabled. Then, you have to be very careful when manually updating Java: make sure you uncheck all the options to install extra software.

 

Uninstalling Java is the best plan, though.


I never run with Java installed here, either. Though I will say, it's sad that you need it for Minecraft.

It would be pretty cool if they could automatically port it to C# / .NET.

 

The guys at Ximian developed a tool that automatically converted Android from Java to C# / .NET, pretty cool.

Source to source translation.


New versions of Firefox will use click-to-play on all versions of Java.

 

So Java will not be automatically run in the browser; it will explicitly require the user's consent.

Ah, yes; that will definitely reduce your exposure to exploits, since the browser won't be running every random Java applet it encounters. From reports I've read, it appears that these exploit kits insert malicious applets into websites - those would be blocked. Not sure if pre-existing Java content is safe or not, however.

 

I've long used the NoScript extension, which provides configurable click-to-play functionality for plugins already; and there's another extension that does nothing but provide click-to-play. Now every Firefox user will get this functionality without needing any extension. Mozilla should be applauded.


Oracle have released a Java update, update 13, ahead of schedule, which is listed as having 50 (fifty) security fixes. I counted 39 security fixes in the JRE alone in Oracle's list.

 

If you absolutely must have Java, then update to Java 7 update 13 as soon as possible.

Make sure you are not installing deceptive stuff like the Ask toolbar as well, by UNchecking the option during the Java install.

 



Best way to update your Java to be more secure...

  • Control Panel
  • Programs and Features
  • Select Java
  • Uninstall
  • Done

Now you never have to worry about any more Java exploits, which are sadly so common now.

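The two workflows the posts above describe by hand (disabling the jusched.exe auto-updater so the bundled toolbar offers never appear, checking what the Java Control Panel security level is actually set to, and uninstalling Java outright through Programs and Features) can be done from one elevated PowerShell prompt. The script below is an added example written for this thread; it is not code from the forum, from Oracle or from Ed Bott's article. It assumes the standard registry layout of an Oracle JRE install on Windows (JavaSoft keys, a Run value named SunJavaUpdateSched, 32-bit installs mirrored under Wow6432Node) and the per-user deployment.properties path under AppData\LocalLow; the -RemoveUpdater switch is this script's own name, not an Oracle option. Verify the paths on your own build before relying on it.

```powershell
# java-audit.ps1  (added example for this thread; not Oracle's tooling)
# Inventories Oracle JRE installs, reports and optionally removes the
# jusched.exe autorun behind the bundled-offer updater, shows the Java
# Control Panel security level, and prints the uninstall command for every
# Java entry. Run from an elevated PowerShell prompt.
#
# Assumptions (well known, but check on your own machine): 32-bit Java on
# 64-bit Windows writes under Wow6432Node; the updater autorun value is named
# SunJavaUpdateSched; the per-user Control Panel settings live in
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties.
param(
    [switch]$RemoveUpdater   # delete the autorun value instead of only reporting it
)

# Return only the registry paths that exist on this machine.
function Get-RegKeys([string[]]$Paths) { $Paths | Where-Object { Test-Path $_ } }

# --- 1. Installed runtimes --------------------------------------------------
$jreRoots = Get-RegKeys @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)
foreach ($root in $jreRoots) {
    $current = (Get-ItemProperty -Path $root).CurrentVersion
    foreach ($ver in Get-ChildItem -Path $root) {
        $javaHome = (Get-ItemProperty -Path $ver.PSPath).JavaHome
        if ($javaHome) {
            $tag = if ($ver.PSChildName -eq $current) { ' (current)' } else { '' }
            Write-Output ("JRE {0,-10} {1}{2}" -f $ver.PSChildName, $javaHome, $tag)
        }
    }
}
if (-not $jreRoots) { Write-Output 'No Oracle JRE registered on this machine.' }

# --- 2. Auto-updater autorun (jusched.exe) ----------------------------------
$runKeys = Get-RegKeys @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($rk in $runKeys) {
    $entry = Get-ItemProperty -Path $rk -Name 'SunJavaUpdateSched' -ErrorAction SilentlyContinue
    if (-not $entry) { continue }
    Write-Output ("Updater autorun in {0}: {1}" -f $rk, $entry.SunJavaUpdateSched)
    if ($RemoveUpdater) {
        Remove-ItemProperty -Path $rk -Name 'SunJavaUpdateSched'
        Write-Output '  removed; update Java by hand and untick the bundled offers'
    }
}

# --- 3. Java Control Panel security level (Java 7u10 and later) -------------
$props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
if (Test-Path $props) {
    $level = Get-Content -Path $props | Where-Object { $_ -match '^deployment\.security\.level=' }
    if ($level) { Write-Output "Control Panel setting: $level" }
    else        { Write-Output "Control Panel setting: not stored in $props (default level in effect)" }
}

# --- 4. Uninstall command for every Java entry ------------------------------
$uninstallRoots = Get-RegKeys @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($root in $uninstallRoots) {
    foreach ($app in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $app.PSPath
        if ($p.DisplayName -like 'Java*' -and $p.UninstallString) {
            # MSI-based entries take /qn for an unattended removal, e.g. MsiExec.exe /X{...} /qn
            Write-Output ("{0} {1}`n  {2}" -f $p.DisplayName, $p.DisplayVersion, $p.UninstallString)
        }
    }
}
```

Run `.\java-audit.ps1` to get the report and `.\java-audit.ps1 -RemoveUpdater` to drop the autorun value; section 4 only prints the uninstall commands so you can choose which entries (the JRE, the Auto Updater) to feed to msiexec. The Control Panel level is reported for inventory only: as the posts above note, the exploit announced for update 11 ran without a prompt even at "Very High", so that setting is no substitute for removing the plug-in. The script deliberately does not attempt the Internet Explorer registry edits; if you keep Java for an offline application, disabling the plug-in in Firefox, Chrome or Opera is the simpler route.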

  • 3 weeks later...

Well, they had better update that notice.

 

Two new Java exploits were announced yesterday (25th-February).

 

In the meantime, Twitter, Apple, Microsoft and Facebook have all been attacked, using Java exploits, after the iPhone developer forums were compromised.

 


It's YAJ0* time!

 

Yes, it's Yet Another Java 0-day exploit -- this one is out in the wild and being exploited against Java 7 update 15 and Java 6 update 41.

 

Time to update the "It has been [ ] days since the last new Java exploit" notice.

 

Time to remove Java from all your computers, too.

 

 

* the YAJ0 acronym was coined by FireEye to report this new exploit on their blog

 


Another new exploit for Java yesterday, at the Pwn2Own contest in Vancouver, so it's back to 1 per day still being discovered/announced.

Which means that Update 17 is also vulnerable (you were correct that they might have to move up their scheduled next update, but that was an easy call to make).


Apparently I spoke too soon.

 

Because Java was PWNED not just once but three times, yesterday.

All three exploits were in the afternoon, the first at 1:30pm, the second at 2:30pm and the third at 5:31pm

 

And Java has been successfully PWNED again (for the 4th time) today, at 2pm.

 

Oracle must be feeling pretty bruised by now, as they've already fixed over 60 vulnerabilities so far this year and the above 4 aren't the only new ones still outstanding.

 

