

siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

4 edits

reply to therube

Re: Warning: 0-Day vulnerability in Java 7

quote:
New Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable. In my lab environment, I was able to successfully exploit my test machine against latest version of FireFox with JRE version 1.7 update 6 installed.
According to: »blog.fireeye.com/research/2012/0···yet.html

The Register remarks, in part:
quote:
The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.
Edit to add: Secunia Advisory 50133

Edit to add:
»www.kb.cert.org/vuls/id/636312

redwolfe_98
Premium
join:2001-06-11
kudos:1

3 edits

siljaline, thanks for the information.. regarding whether or not "java 6" is vulnerable, aside from the "register"-article's saying that it is not vulnerable, i have not seen any confirmation of that..

p.s. if "java 6" actually isn't vulnerable, how come all of the articles regarding this issue say to disable java, or uninstall it, rather than saying to switch from "java 7" to "java 6", to resolve the issue?



chachazz
Premium
join:2003-12-14
kudos:7

quote:
The current version of Java contains a serious security hole that allows computers to be infected with malicious code
Deep End Research - »www.deependresearch.org/2012/08/···ion.html

Details about the exploited vulnerability, mitigation factors and tips.

1. The javascript in index.html is heavily obfuscated.

2. This vulnerability affects Java 7 (1.7) Update 0 to 6. Does NOT affect Java 6 and below.

3. It works in all versions of Internet Explorer, Firefox, and Opera and Chrome (see notes in article)

4. It does not crash browsers (which does NOT mean it does not work!), the landing page looks like a blank page, sometimes one may see a flash of a rotating Java logo and the word "Loading"

5. The malicious Java applet is downloaded like you see on the picture below. At this point, if your system is not vulnerable or is patched, the attack stops. From the user perspective, it is impossible to tell if the attack was successful or not.

6. If the exploit is successful, it downloads and executes a malicious binary, which calls to another IP address/domain hello.icon.pk / 223.25.233.244

7. Although older Java is not vulnerable to this attack, downgrading is not recommended due to many other vulnerabilities in the older versions of Java.

8. Disable Java in your browser, apply the patch (see below), or use Chrome.. Chrome is vulnerable.
--
Gladiator Security Forum: www.gladiator-antivirus.com/
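
A triage sketch for the points quoted in the post above, as an added example that is not part of the original post or the linked article: it scans proxy log lines for clients whose JRE reports a version in the affected range (Java 7 Update 0 to 6) and for contact with the callback indicators listed in point 6. The log format, client addresses and `example.test` host are constructed assumptions; the `Java/<version>` token is what the JRE's HTTP client sends as its User-Agent.

```python
import re

# Callback indicators quoted in the post above (point 6).
CALLBACK_HOSTS = {"hello.icon.pk", "223.25.233.244"}
# The JRE's HTTP client identifies itself as "Java/<version>", e.g. Java/1.7.0_06.
JAVA_UA = re.compile(r"Java/1\.(\d+)\.0(?:_(\d+))?")
# Hypothetical log format for this example: client host path "user-agent"
LOG_LINE = re.compile(r'(\S+) (\S+) (\S+) "([^"]*)"')

def affected_jre(user_agent):
    """True if the UA reports Java 7 Update 0 to 6, the range given in the post."""
    m = JAVA_UA.search(user_agent)
    if not m:
        return False
    major, update = int(m.group(1)), int(m.group(2) or 0)
    return major == 7 and update <= 6

def triage(log_lines):
    """Return {client: set of findings} for clients worth a closer look."""
    findings = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        client, host, _path, ua = m.groups()
        if host.lower() in CALLBACK_HOSTS:
            findings.setdefault(client, set()).add("callback-contact")
        if affected_jre(ua):
            findings.setdefault(client, set()).add("affected-jre")
    return findings

# Constructed sample lines, not real traffic.
SAMPLE = [
    '10.0.0.5 example.test /applet.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06"',
    '10.0.0.5 hello.icon.pk / "Mozilla/4.0"',
    '10.0.0.6 example.test /applet.jar "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_34"',
    '10.0.0.7 example.test /app.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_07"',
    'garbage line',
]

if __name__ == "__main__":
    for client, tags in sorted(triage(SAMPLE).items()):
        print(client, sorted(tags))
```

A client tagged `affected-jre` only shows that a vulnerable runtime fetched something over HTTP; `callback-contact` on the same client is the stronger signal that the payload stage ran.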


chachazz
Premium
join:2003-12-14
kudos:7

Part II Java 7 0-Day vulnerability analysis

quote:
Considering that Rapid 7 posted a working exploit and addition to the exploit packs is imminent (Attackers Pounce on Zero-Day Java Exploit by Brian Krebs), plus other analysis articles are being published such as New Java 0day exploited in the wild -by Alienvault, we decided that withholding details of the exploit will not offer additional protection but only hinder development of protection and signatures.

As we mentioned earlier, we contacted Michael Schierl, the Java expert who discovered a number of Java vulnerabilities and asked him to have a look. He sent back his detailed analysis, exploit source, the interim patch with the source code of the patched class.
... info for requesting the patch ...

quote:
~ The real vulnerability seems to be inside the new Java7 class com.sun.beans.finder.ClassFinder which seems to make it possible for untrusted code to get access to classes in restricted packages (i. e. packages that are part of the security implementation itself and where usually untrusted code cannot get either access or call it).

~ This method of abusing restricted package permissions is new to me (it does not work in Java 6 either as GetField was private there); but it is not unique - there are several ways you can use to get out of the sandbox if you have access to restricted packages - usually they need a bit more code though.

The Analysis - »www.deependresearch.org/2012/08/···sis.html
--
Gladiator Security Forum: www.gladiator-antivirus.com/


nolz

@acanac.net

reply to chachazz
Curious as to how Chrome is vulnerable if it doesn't even allow java to run unless manually given permission


SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4

reply to chachazz

said by chachazz:

6. If the exploit is successful, it downloads and executes a malicious binary, which calls to another IP address/domain hello.icon.pk / 223.25.233.244

I would assume that my Faronics Anti-Executable would deny execution of the malicious code, but would my Anti-Executable also interfere with legitimate Java activity ? ( sorry for the hijack...)
--
Breaker One Nine.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to nolz

said by nolz :

Curious as to how Chrome is vulnerable if it doesn't even allow java to run unless manually given permission

Exactly..

Test page to see if you are vulnerable..but even if it lists your version ..java will not run in chrome unless you give it specific permission.
»zulu.zscaler.com/research/java_version.html

By default java is a blocked plugin for Chrome.

Google Chrome now blocks plug-ins that are not widely used. When this happens, you will see a message such as the following:

"The Java plug-in needs your permission to run."

You should only run the plug-in if you trust the website you are visiting (for example, your banking website might legitimately use a Java applet).

To let the plug-in run on the site, follow these steps:

To run the plug-in just this once, click Run this time in the message. The plug-in will run, but if you re-visit the site, you'll be asked for permission to run the plug-in again.
To always allow the current site to run the plug-in, click Always run on this site. Subsequent visits to the site will run the plug-in without asking again.
To always allow this type of plug-in to run, go to chrome://plugins, find the plug-in and select the Always allowed checkbox.
»support.google.com/chrome/bin/an···d_plugin
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

mysec
Premium
join:2005-11-29
kudos:4

reply to SipSizzurp

said by SipSizzurp:

I would assume that my Faronics Anti-Executable would deny execution of the malicious code, but would my Anti-Executable also interfere with legitimate Java activity ? ( sorry for the hijack...)


I have JAVA whitelisted for just one site, and Anti-Executable doesn't interfere at all, because in legitimate JAVA activity, a non-whitelisted executable doesn't come into the picture, so there is nothing for Anti-Executable to alert to.


----
rich
