KodiacZiller to JohnInSJ

Re: Java 7 0-day

I had a post typed and lost it.

Anyway, I was just going to reiterate what InTheKnow is saying. You don't need root to do some malicious things on a *nix box. The infamous malware for OSX that made headlines a couple months ago didn't get root on Macs either. It was almost identical to this -- it used a Java exploit in the browser and took over userspace.

Fortunately we already have tools in Linux to make such attacks much more difficult. MAC systems (AppArmor, SELinux, Grsec) for instance. Linux, just like OSX, Solaris, and BSD, uses the traditional Unix DAC model. DAC is fine for separating userspace and root, but it does nothing to control processes *within* user space. This is where MACs come in -- they can confine user space processes from each other and can even confine the root account (so even if an attacker successfully exploits a root owned process, he can't own the whole box).

I think MAC systems will become more necessary in the future, especially for servers. Actually, it is wise to use them now for servers. Even for desktops, it is smart to use them, at least for the browser. I find AppArmor the simplest to use, so it is my choice. Grsecurity is probably the best, but it is an animal to set up and get tweaked properly.
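
As an added illustration of the point above (this is not from the thread), here is a minimal AppArmor profile confining a browser so that a plugin exploit that lands in userspace is limited to what the browser itself is allowed to touch: its own profile directory, its cache and the download folder, with no shells and no writes to login scripts or ~/.ssh. The binary path /usr/lib/firefox/firefox, the plugin-container and JRE paths, the abstraction names and the deny list are assumptions chosen for illustration; check /etc/apparmor.d first, since distributions ship their own browser profiles.

```apparmor
# Added example (not from the thread): a minimal AppArmor profile for a browser,
# so that a plugin exploit landing in userspace is limited to what the browser
# may touch. Binary, helper and JRE paths are assumptions; adjust to your system.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  network inet stream,
  network inet6 stream,

  # The browser, its plugin host and the Java plugin's JVM all stay under
  # this profile: 'ix' inherits the profile on exec instead of dropping
  # the child to unconfined.
  /usr/lib/firefox/firefox mr,
  /usr/lib/firefox/** r,
  /usr/lib/firefox/plugin-container ix,
  /usr/lib/jvm/** mr,
  /usr/lib/jvm/**/bin/* ix,

  # Only the browser's own state and the download directory are writable.
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/.cache/mozilla/** rwk,
  owner @{HOME}/Downloads/** rw,

  # Anything not listed is already denied; explicit deny rules override what
  # an abstraction might grant and make the intent visible in the file.
  deny @{HOME}/.bashrc w,
  deny @{HOME}/.profile w,
  deny @{HOME}/.ssh/** rwk,
  deny @{HOME}/.config/autostart/** w,

  # No shells, interpreters or download tools from the browser's context.
  deny /bin/** x,
  deny /usr/bin/** x,
}
```

Install it as /etc/apparmor.d/usr.lib.firefox.firefox, load it with `apparmor_parser -r` on that file, and run it in complain mode first (`aa-complain` on the profile) while watching the kernel log for `apparmor="DENIED"` entries: the deny list above is deliberately strict and will block helpers such as xdg-open until you relax it for your setup. The relevant property for this thread is that a payload dropped through the Java plugin runs with the same rules, so it cannot plant a startup hook, read SSH keys or spawn a shell even though it is running as your user.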

howardfine

said by KodiacZiller:

You don't need root to do some malicious things on a *nix box. The infamous malware for OSX that made headlines a couple months ago didn't get root on Macs either. It was almost identical to this -- it used a Java exploit in the browser and took over userspace.

I'm not sure it's the same as this, but I think I recall that being more malarkey and sky-is-falling than anything real.

I don't know. I get back from working on the Olympics stuff and now I've got a big project kicking off Monday. I don't remember anything anymore.

JohnInSJ to KodiacZiller
said by KodiacZiller:

Anyway, I was just going to reiterate what InTheKnow is saying. You don't need root to do some malicious things on a *nix box.

Userspace problems are easier to clean up. Far, far easier.

InTheKnow to howardfine
said by howardfine:

said by KodiacZiller:

You don't need root to do some malicious things on a *nix box. The infamous malware for OSX that made headlines a couple months ago didn't get root on Macs either. It was almost identical to this -- it used a Java exploit in the browser and took over userspace.

I'm not sure it's the same as this, but I think I recall that being more malarkey and sky-is-falling than anything real.

This was dubbed Flashback, and I assure you it was both real and absolutely affected OS X. Were there alarmist news reports on it? No. Was there tangible, measurable, observed infection on a large volume of OS X computers that were seen across multiple industries with specific markers? Absolutely, and I'm speaking authoritatively (PCAPs) here, not regurgitating news articles.
said by JohnInSJ:

Userspace problems are easier to clean up. Far, far easier.

If you're aware of them. Gone are the days of the severity of threat being 13-year-old Filipinos releasing ILoveYou.vbs; sure, there are some very clear differences between the Win32 and GNU/Linux security models, but please don't be so dismissive of the ease of dropping MiTB fun when I'm looking at ~/.mozilla/.

IF (big IF here, I know your views on Java) you are using a vulnerable Java instance and it dropped a connect-back shell or egress script, how would you know it? How would you know you're doing RFC-violating DNS C2? What about egress C&C check-in over TCP 80/443? Are you using an explicit proxy, not transparent, with forced auth? Are you running DNS C2 monitoring code? Tell me about your IDS/NIDS/HIDS setup; OSSEC-HIDS using inotify() watching your filesystem? Where's your egress network tap/span port? Where are you terminating your SSL connections so you can inspect them in the clear? What alerts do you have on self-signed certs? It's easy to say "Userspace is easy cleanup" when you're aware. Tell me about your strict egress firewall; are you using IPv6? If not, are you sure you're not using a fe80 link-local address? 99% of the time the victims of financial fraud aren't aware.

I'm not trying to dismiss your response; as a matter of fact, if anything it highlights that GNU/Linux users are far more aware of defense-in-depth and intelligent mitigation techniques than our Win32 counterparts, but, as evidenced by others in this thread (whose thoughts I also appreciate), reality isn't as cut and dried as SOHO or home setups.

KodiacZiller, thanks for backing me up sir.
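
InTheKnow's questions above list the egress-side visibility a home setup usually lacks. As an added example (not code from the thread or from anyone posting in it), the Python script below implements the DNS-side checks over constructed resolver log lines: the RFC 1035 label and name limits (the "RFC-violating DNS" case), rare query types such as TXT/NULL/ANY, high-entropy leftmost labels, and many unique subdomains under one base domain carried over a rare query type. The log format, the thresholds, the two-label base-domain approximation and the sample lines are all assumptions; the HTTP(S) egress, proxy-auth and certificate-alert questions are separate controls this script does not cover.

```python
"""Heuristic DNS C2 / tunnelling checks over resolver query logs.

Added example, not code from the thread. The log format, thresholds,
base-domain approximation and sample lines are assumptions for illustration.
"""
import math
from collections import defaultdict

# RFC 1035 limits: a label is at most 63 octets and a name at most 253
# characters in presentation form. Queries beyond this are the
# "RFC-violating DNS" case: no legitimate client should emit them.
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 253
RARE_QTYPES = {"TXT", "NULL", "ANY"}      # usual carriers for tunnelled data
ENTROPY_THRESHOLD = 3.5                   # bits/char; assumed cut-off
MIN_ENTROPY_LABEL_LEN = 16                # ignore short labels like "cdn"
UNIQUE_SUBDOMAIN_THRESHOLD = 3            # per base domain; assumed

# Constructed sample log, one query per line: "<epoch> <client> <qtype> <qname>".
SAMPLE_LOG = (
    "1346000000 10.0.0.5 A www.example.com\n"
    "1346000001 10.0.0.5 A cdn.example.com\n"
    "1346000002 10.0.0.5 TXT 3b1f9a4c7d2e8f0a6b5c4d3e2f1a0b9c.beacon.example.net\n"
    "1346000003 10.0.0.5 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.beacon.example.net\n"
    "1346000004 10.0.0.5 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.beacon.example.net\n"
    "1346000005 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.beacon.example.net\n"
    "1346000006 10.0.0.5 A mail.example.com\n"
    "1346000007 10.0.0.5 A " + "x" * 70 + ".tunnel.example.org\n"
)


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty or uniform)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    ts, client, qtype, qname = parts
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def base_domain(qname):
    """Registrable domain approximated as the last two labels. Assumption:
    no public-suffix list, so names under suffixes like co.uk are lumped."""
    return ".".join(qname.split(".")[-2:])


def query_indicators(rec):
    """Indicators that fire on a single parsed query."""
    qname = rec["qname"]
    labels = qname.split(".")
    found = []
    if len(qname) > MAX_NAME_LEN:
        found.append("name_too_long")                 # RFC 1035 violation
    if any(len(lab) > MAX_LABEL_LEN for lab in labels):
        found.append("label_too_long")                # RFC 1035 violation
    if rec["qtype"] in RARE_QTYPES:
        found.append("rare_qtype")
    # In a tunnel the leftmost label carries the encoded payload.
    leftmost = labels[0]
    if (len(leftmost) >= MIN_ENTROPY_LABEL_LEN
            and shannon_entropy(leftmost) > ENTROPY_THRESHOLD):
        found.append("high_entropy_label")
    return found


def analyze(log_text):
    """Run per-query and per-base-domain checks over a log.

    Returns {"queries": [(qname, [indicators]), ...],
             "domains": {base_domain: [reasons]}}.
    """
    per_query = []
    agg = defaultdict(lambda: {"unique": set(), "rare": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = query_indicators(rec)
        if hits:
            per_query.append((rec["qname"], hits))
        d = agg[base_domain(rec["qname"])]
        d["unique"].add(rec["qname"])
        if rec["qtype"] in RARE_QTYPES:
            d["rare"] += 1
    # Many distinct names under one base domain is normal for a CDN; the
    # same pattern carried over TXT/NULL/ANY is the beaconing signature.
    domains = {}
    for base, d in agg.items():
        if len(d["unique"]) >= UNIQUE_SUBDOMAIN_THRESHOLD and d["rare"]:
            domains[base] = ["many_unique_subdomains_with_rare_qtype"]
    return {"queries": per_query, "domains": domains}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for qname, hits in result["queries"]:
        print("query ", qname, hits)
    for base, reasons in result["domains"].items():
        print("domain", base, reasons)
```

On the sample, example.com is not flagged even though it has three distinct names (that is what a CDN looks like), example.net is flagged because its four distinct names all go out as TXT, and the example.org query is flagged on its own for a 70-character label that no RFC-conforming client would send. Feed it real resolver logs by replacing `parse_line` with one for your resolver's format; the thresholds are starting points to tune against your own baseline, not detection truth.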

JohnInSJ

said by InTheKnow:

IF (big IF here, I know your views on Java) you are using a vulnerable Java instance and it dropped a connect-back shell or egress script, how would you know it?

Yep. You would not, unless you noticed your machine doing unusual things. Or your firewall logging unusual behavior. I forget that my home network isn't run by an average user, and isn't set up like an average home network.

But then, if I'm an average home user I should not need to access enterprise Java apps in my browser. So I should have long ago killed off Java in my browsers.

EUS

said by JohnInSJ:

But then, if I'm an average home user I should not need to access enterprise Java apps in my browser. So I should have long ago killed off Java in my browsers.

Unfortunately, where I live, we regular tax-paying users require Java to interact with our gov's website, so disabling it is a no-go.

JohnInSJ

said by EUS:

said by JohnInSJ:

But then, if I'm an average home user I should not need to access enterprise Java apps in my browser. So I should have long ago killed off Java in my browsers.

Unfortunately, where I live, we regular tax-paying users require Java to interact with our gov's website, so disabling it is a no-go.

Java or Javascript?

EUS

Java.

JohnInSJ

Well, that's silly. What .gov sites need Java?

EUS

A section of our provincial gov't tax reporting website.

InTheKnow

Oracle has released another update to address this (hooray, or something):

»blogs.oracle.com/securit ··· ve_20121

For those who like being exploited, don't fret, in a few weeks I'm sure we'll be back to the same level of vulnerability.

JohnInSJ to EUS
said by EUS:

A section of our provincial gov't tax reporting website.

Oh Canada! Well, I would wall that sucker off for sure.