New Java 0day exploited in the wild

[MowGreen]

http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/

Researchers: Java Zero-Day Leveraged Two Flaws
http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/

" “There are 2 different zero-day vulnerabilities used in this exploit,”
Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of
this bug class is that it provides 100% reliability and is
multi-platform. Hence this will shortly become the penetration test
Swiss knife for the next couple of years (as did its older brother
CVE-2008-5353).”

Not long after news broke that miscreants were exploiting an unpatched
security hole in Java to break into PCs, I began seeing tweets from
non-Windows users urging people to switch to Mac OS X or Linux.
Unfortunately, this latest Java exploit has been shown to work
flawlessly to compromise browsers on all three operating systems.

According to Rapid7, the Java exploit found being used in targeted
attacks (CVE-2012-4681) is now available as a plug-in to Metasploit, a
free software tool built to test the security of networks. Rapid7 said
the exploit has been successfully tested to work against nearly all
browser configurations on Windows systems, and against Safari on OS X
10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04. "

The vulnerabilities ONLY exist in Java 1.7 .
Reverting to JRE 1.6 and/or disabling web brower java plugins are the
only mitigation steps available at present.

Oracle updates their JREs on a quarterly schedule. The next update is
due October 16th. According to their Security Fixing Policies web page -
http://www.oracle.com/us/support/assurance/fixing-policies/index.html

" Oracle may issue a Security Alert in the case of a unique or dangerous
threat to our customers. In this event, customers will be notified of
the Security Alert by email notification through My Oracle Support and
Oracle Technology Network. The fix included in the Security Alert will
also be included in the next Critical Patch Update. "



MowGreen
================
*-343-* FDNY
Never Forgotten
================

 

[MowGreen]

Java 7 0-Day vulnerability information and mitigation.
http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html

See: Details about the exploited vulnerability, mitigation factors and
tips.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

 

[Robin Bignall]

Java 7 0-Day vulnerability information and mitigation.
http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html

See: Details about the exploited vulnerability, mitigation factors and
tips.

How does one disable Java?

 

[Andy Burns]

How does one disable Java?

Control panel, Programs and Features, Java, Uninstall

is one way, if you just want to disable it within your web browser there
are other ways that will vary from browser to browser such as disabling
plugins.

 

[Nil]

How does one disable Java?

Instructions can be found here:

http://www.slate.com/blogs/future_t..._disable_java_on_your_browser_right_now_.html

Apparently it's a little difficult to disable it in Internet Explorer.

You can also uninstall it entirely. Unless you have a particular need to
use a Java program, it's there's little need for Java.

You could also uninstall ver. 1.7 and use 1.6 instead, which can be found
here (scroll down to JRE 6):

http://www.oracle.com/technetwork/java/javase/downloads/index.html

 

[Robin Bignall]

Instructions can be found here:

http://www.slate.com/blogs/future_t..._disable_java_on_your_browser_right_now_.html

Apparently it's a little difficult to disable it in Internet Explorer.

You can also uninstall it entirely. Unless you have a particular need to
use a Java program, it's there's little need for Java.

You could also uninstall ver. 1.7 and use 1.6 instead, which can be found
here (scroll down to JRE 6):

http://www.oracle.com/technetwork/java/javase/downloads/index.html

Andy, Nil, thanks. I've reverted to 1.6.

 

[MowGreen]

Andy, Nil, thanks. I've reverted to 1.6.

Published 2012-August-30

Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html#AppendixJAVA

" Due to the severity of these vulnerabilities, the public disclosure of
technical details and the reported exploitation of CVE-2012-4681 "in the
wild," Oracle strongly recommends that customers apply the updates
provided by this Security Alert as soon as possible.

Users running Java SE with a browser can download the latest JRE 7
release from http://java.com/. Users on the Windows platform can also
use automatic updates to get the latest JRE 7 and 6 releases "

The link to manually download the latest JRE 7 release is here:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

" Java SE 7u7
This releases address security concerns. Oracle strongly recommends
that all Java SE 7 users upgrade to this release.

Java SE 6 Update 35
This releases address security concerns. Oracle strongly recommends
that all Java SE 6 users upgrade to this release. "

For the typical Users ("consumers" ), the downloads are under the JRE
heading or, just head to http://java.com.
Be sure that NO additional toolbars/anti-malware scanners/ or other
assorted "fluff" is checked or it will piggy back on the java installation.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

 

[Robin Bignall]

Published 2012-August-30

Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html#AppendixJAVA

" Due to the severity of these vulnerabilities, the public disclosure of
technical details and the reported exploitation of CVE-2012-4681 "in the
wild," Oracle strongly recommends that customers apply the updates
provided by this Security Alert as soon as possible.

Users running Java SE with a browser can download the latest JRE 7
release from http://java.com/. Users on the Windows platform can also
use automatic updates to get the latest JRE 7 and 6 releases "

[..]
Thanks. I clicked on 'update' in the Java control panel and down it
came. This would have happened automatically tomorrow, I think.

 

[MowGreen]

Published 2012-August-30

Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html#AppendixJAVA

" Due to the severity of these vulnerabilities, the public disclosure of
technical details and the reported exploitation of CVE-2012-4681 "in the
wild," Oracle strongly recommends that customers apply the updates
provided by this Security Alert as soon as possible.

Users running Java SE with a browser can download the latest JRE 7
release from http://java.com/. Users on the Windows platform can also
use automatic updates to get the latest JRE 7 and 6 releases "

[..]
Thanks. I clicked on 'update' in the Java control panel and down it
came. This would have happened automatically tomorrow, I think.

You're most welcome Robin. But, now -

Researchers find critical vulnerability in Java 7 patch hours after release
http://www.cio.com/article/715219/R...erability_in_Java_7_patch_hours_after_release

" Security researchers from Poland-based security firm Security
Explorations claim to have discovered a vulnerability in the Java 7
security update released Thursday that can be exploited to escape the
Java sandbox and execute arbitrary code on the underlying system.

Security Explorations sent a report about the vulnerability to Oracle on
Friday together with a proof-of-concept exploit, Adam Gowdiak, the
security company's founder and CEO said Friday via email.

The company doesn't plan to release any technical details about the
vulnerability publicly until Oracle addresses it, Gowdiak said.
<snip>

Based on the experience of Security Explorations researchers with
hunting for Java vulnerabilities so far, Java 6 has better security than
Java 7. "Java 7 was surprisingly much easier for us to break," Gowdiak
said. "For Java 6, we didn't manage to achieve a full sandbox
compromise, except for the issue discovered in Apple Quicktime for Java
software."

Gowdiak has echoed what many security researchers have said before: If
you don't need Java, uninstall it from your system. "


Ouch !


MowGreen
================
*-343-* FDNY
Never Forgotten
================

 

[Robin Bignall]

Gowdiak has echoed what many security researchers have said before: If
you don't need Java, uninstall it from your system. "


Ouch !

Ouch! indeed. Thanks again.

 

[Paul]

Gowdiak has echoed what many security researchers have said before: If
you don't need Java, uninstall it from your system. "


Ouch !


MowGreen
================
*-343-* FDNY
Never Forgotten
================

To add insult to injury, I was testing Java here (by coincidence),
and I could install 6U24 in Win2K, but 6U35 would not install. The
installer seemed to be broken, and even looking at the verbose "log"
(500KB worth), I couldn't tell exactly what step was breaking. Something
attempted to "elevate", and then the installer started backing out the install.
Of course, when 6U35 would run, it would remove 6U24 from the machine
first, so when 6U35 would die, I was left with nothing (hardly "backing
out", more like making a mess).

So if a person was hoping that their older machine, could have some
patch like that applied, it would not necessarily be so. In Win2K,
I was not able to install 7U7, or 6U35, and eventually I had to
settle for 6U24. That VM was not used for anything web related -
I was testing "serviio" media server, and accessing it from
another virtual machine.

At least the uninstall was uneventful (the automatic removal of 6U24
by the other installer).

I was not able to find any advice, on which Windows OS Oracle currently
supports. On previous versions of the web page, the names of the
supported Windows OSes were listed, right on the download page.
Now, the download page is simplified and just says "Windows", leaving
you to guess which OSes the installer might not work in.

Paul

 

[Joe Morris]

To add insult to injury, I was testing Java here (by coincidence),
and I could install 6U24 in Win2K, but 6U35 would not install. The
installer seemed to be broken, and even looking at the verbose "log"
(500KB worth), I couldn't tell exactly what step was breaking. Something
attempted to "elevate", and then the installer started backing out the
install.
Of course, when 6U35 would run, it would remove 6U24 from the machine
first, so when 6U35 would die, I was left with nothing (hardly "backing
out", more like making a mess).

So if a person was hoping that their older machine, could have some
patch like that applied, it would not necessarily be so. In Win2K,
I was not able to install 7U7, or 6U35, and eventually I had to
settle for 6U24. That VM was not used for anything web related -
I was testing "serviio" media server, and accessing it from
another virtual machine.

At least the uninstall was uneventful (the automatic removal of 6U24
by the other installer).

I was not able to find any advice, on which Windows OS Oracle currently
supports. On previous versions of the web page, the names of the
supported Windows OSes were listed, right on the download page.
Now, the download page is simplified and just says "Windows", leaving
you to guess which OSes the installer might not work in.

Interesting...the notes on Oracle's web site for JRE have a link to the list
of supported configurations, and W2K (with either SP3 or SP4) is listed.
The notes state that installing it on an unsupported Windows version will
trigger an explicit error message.

I presume that you have a reason for continuing to run Windows 2000, but you
might want to reconsider that. Microsoft some time ago stopped issuing
security patches for that product (Windows XP gets the same treatment on 8
April 2014) and Java 1.6 builds below 35 have known security vulnerabilities
for which attacks are curently found "in the wild" (and don't even *think*
of installing 1.7 until Oracle fixes the major vulnerability in that
version). You're probably the person in the best position to judge both the
risk and the benefits of running a vulnerable system on your computer, but
even if the decision to continue to use W2K was appropriate when originally
made, you should periodically revisit it to see if it still makes sense.

Joe

 

[Paul]

Interesting...the notes on Oracle's web site for JRE have a link to the list
of supported configurations, and W2K (with either SP3 or SP4) is listed.
The notes state that installing it on an unsupported Windows version will
trigger an explicit error message.

I presume that you have a reason for continuing to run Windows 2000, but you
might want to reconsider that. Microsoft some time ago stopped issuing
security patches for that product (Windows XP gets the same treatment on 8
April 2014) and Java 1.6 builds below 35 have known security vulnerabilities
for which attacks are curently found "in the wild" (and don't even *think*
of installing 1.7 until Oracle fixes the major vulnerability in that
version). You're probably the person in the best position to judge both the
risk and the benefits of running a vulnerable system on your computer, but
even if the decision to continue to use W2K was appropriate when originally
made, you should periodically revisit it to see if it still makes sense.

Joe

That setup, was a couple virtual machines, talking to one another. One
was to function as a UPNP media server, the other as a fake "DLNA TV set",
a media player. For the server, I was testing something called Serviio,
written in Java. The intention wasn't to do much in the way of web surfing
on either VM. Unless something comes up, the test is finished now anyway,
so it'll be rm -Rf * time soon. I was just surprised how hard it was
to install Java. You'd think after this much time, Oracle/Sun
would have that all figured out.

Paul

 

[Joe Morris]

Joe Morris wrote:

That setup, was a couple virtual machines, talking to one another. One
was to function as a UPNP media server, the other as a fake "DLNA TV set",
a media player. For the server, I was testing something called Serviio,
written in Java. The intention wasn't to do much in the way of web surfing
on either VM. Unless something comes up, the test is finished now anyway,
so it'll be rm -Rf * time soon. I was just surprised how hard it was
to install Java. You'd think after this much time, Oracle/Sun
would have that all figured out.

Well...a counterargument: the likely population of users of Windows 2000 who
install JRE, coupled with the security problems that W2K presents, probably
doesn't justify much in the way of spending time checking that the JRE
installer still works with it...but that doesn't excuse the continued
presence of "Windows 2000" on the "supported platforms" list if it's not
being tested.

Joe