Motley Moose – Archive

Since 2008 – Progress Through Politics

Computer Security Warning: Java's Zero Day Vulnerability

I came across this tidbit reading the news today.  Sounds pretty scary, so I will rattle your cyber cages with it.

Pretty much every web browser in common use allows websites you visit to run programs written in Java.  Most of these programs provide dynamic content and such, but some are malicious.  Java contains a zero-day vulnerability that is apparently bad enough that Homeland Security (US-CERT) recommends you disable Java in your web browser:

Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.

Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation.

I found this info through a ZDNet article.

If you’re using Firefox on Windows, you can go to the Tools->Add-Ons menu.  I’ve disabled Java in the Extensions and Plug-Ins.  If you use IE, you’ll have to go to the control panel and disable it through the Java console there.
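As an added, constructed example (not from this post, from CERT or from Oracle), here is a small Python check a defender could run over the output of `java -version` and a user's `deployment.properties` to answer the two questions the CERT workaround raises: is the installed runtime Java 7 Update 10 or earlier, and has Java content in the browser actually been switched off. `deployment.webjava.enabled` is the property the 7 Update 10 Java Control Panel writes for its "Enable Java content in the browser" checkbox; the file location in the comments and the sample inputs are assumptions.

```python
import re

# Java 7 Update 10 is the newest release the CERT note lists as affected.
LAST_AFFECTED_UPDATE = 10

def parse_java_version(banner):
    """Pull (major, update) out of `java -version` output such as
    'java version "1.7.0_10"'.  Returns None when no version line is present."""
    m = re.search(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"', banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))

def is_affected(version):
    """True when the runtime is Java 7 at Update 10 or lower (the advisory's range).
    An unrecognised version is reported as affected so the check fails safe."""
    if version is None:
        return True
    major, update = version
    return major == 7 and update <= LAST_AFFECTED_UPDATE

def web_java_enabled(props_text):
    """Read a deployment.properties file (key=value lines, '#' comments).
    The 7u10 Control Panel writes deployment.webjava.enabled=false when
    'Enable Java content in the browser' is unchecked; a missing key means enabled."""
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() != "false"
    return True

def assess(banner, props_text):
    """Combine both checks; 'action_needed' is True when an affected runtime
    still has its browser plug-in switched on."""
    version = parse_java_version(banner)
    affected = is_affected(version)
    enabled = web_java_enabled(props_text)
    return {"version": version, "affected": affected,
            "browser_java_enabled": enabled, "action_needed": affected and enabled}

if __name__ == "__main__":
    # Constructed samples standing in for `java -version` output (printed to stderr) and
    # the user's deployment.properties (assumed Windows path: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment).
    banner = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)'
    props = "#deployment.properties\ndeployment.version=7.10\ndeployment.webjava.enabled=false\n"
    print(assess(banner, props))
```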

If somebody finds out that my follicles are aflame, I will delete this post and get back to laughing.

I’m gonna call out to JanF and Chris Blask, both of whom know more about this stuff than do I.


31 comments

  1. kirbybruno

    thanks for this bubba, I’ll be curious to hear others chime in. FWIW I haven’t updated my Java in a while because I always seem to have a problem when I do. If I come across something that says I need to update my Java to see it, I just say fuck it and move on. 🙂

  2. Hey338Too

    It appears that this exploit is in the wild and affects Windows, Mac, and Linux-based operating systems.  It also appears that running anti-virus software or firewalls will not prevent this issue from affecting you.  The most likely way of being impacted by this virus is through your web browser.  If you are using Firefox to access the web, it appears that NoScript may provide some protection from this exploit.

    Disabling the Java plug-in for your web browser will make you less vulnerable.  This document from CERT can tell you how to disable Java in your browser:

    http://www.kb.cert.org/vuls/id

    The top of the web page described the situation.  The section marked “Solution” is where you want to pay attention and follow the instructions.

    Not to sound too alarmist here, but please read this quote from UK’s The Register:

    “The beauty of this bug class is that it provides 100 per cent reliability and is multi-platform,” Esteban Guillardoy, a researcher at Argentina-based security outfit Immunity explains in a technically detailed blog post here.

  3. fogiv

    http://reviews.cnet.com/8301-1

    A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle’s Java 7 and affects even the latest version of the runtime (7u10).

    The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown:

    “Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to “permissions of certain Java classes,” as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack.”

    The malware has currently been seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform. Additionally, the exploit is currently being distributed in the competing exploit kits “Blackhole” and “NuclearPack,” making it far more convenient to criminal malware developers to use.

    Even though the exploit has not been seen in OS X, Apple has taken steps to block it by issuing an update to its built-in XProtect system to block the current version of the Java 7 runtime and require users install an as of yet unreleased version of the Java runtime (release b19). Additionally, the U.S. Department of Defense has issued an advisory to disable Java on systems that have it installed.

  4. No one is ready for them because they indicate that some knothead found a new way to worm into trusted software to pass on a virus.

    The most famous one was the ILOVEYOU virus that started in an email addressed to people saying that “[person who you know] loves you”. Who wouldn’t click on that? That one wiped out all of a network’s image files. Another one hit in February 2009 and slowly destroyed operating systems. All computers impacted had to be rebuilt from scratch.

    My anti-virus provider, Trend Micro, tells me that the Day Zero for this exploit was actually yesterday and their pushed patch from this morning protects computers using their server based software.

    Java controls its own updating and installation on people’s computers and I hope that Oracle at least shuts down the automatic update.


  5. I don’t call out the average user to worry about shit like this.

    There isn’t much the average user can do to fight off the Evil Hacker. Keep automatic updates on, run some reasonable security software if it makes you feel better, and go about your business. For something like this you are aware of, try to follow the advice offered if possible but don’t lose your minds over it.

    There will always be a new Zero Day popping over the horizon – once it is known. In the meantime there will be -Zero Days that folks are not yet aware of out there doing terrible things. “Drive By” hacks like this – hacks embedded in websites unbeknownst to the site owner – are common.

    As Hey says, “safe browsing” is largely impossible just due to the interlinkages of sites these days. It is easy to point to porn sites or other “disreputable” pages as good places to pick up the clap, but your favorite sporting fan site isn’t any more likely to be hypervigilant than a (and less likely than most) porn sites.

  6. onomastic

    Java platform is disabled. Hope that is enough to keep things safe.

    I’m an idjit when it comes to all things tech and can’t thank you all enough for sharing your expertise in such things.

  7. An out-of-band security patch is being released to address problems in all versions of Internet Explorer (6 through 9). Computers which have automatic updates set will pick up these updates tomorrow, January 14. If you don’t have automatic updates turned on you should obtain the updates manually.

    Normally, Microsoft issues patches on Microsoft Patch Tuesday which is the 2nd Tuesday of the month. This month it was the 8th.

    An out-of-band security patch is a BHD and indicates the level of Microsoft’s concern.  

    Microsoft will host a webcast to address customer questions on the out-of-band security bulletin on January 14, 2013, at 1:00 PM Pacific Time (US & Canada).
