dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
10416
share rss forum feed


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

2 recommendations

Warning: 0-Day vulnerability in Java 7

Heise - The H Security : Warning on critical Java hole
All versions of the 7.x branch of Java are affected.
quote:
The current version of Java contains a serious security hole that allows computers to be infected with malicious code when a specially crafted web page is visited. The hole is already being exploited in the wild – although currently only for targeted attacks. But since an exploit is now in circulation, it shouldn't be long before criminals exploit the vulnerability for large-scale attack waves

The H's associates at heise Security have managed to recreate the problem and have built a proof-of-concept page using information that is publicly available. When the page is accessed, the Java plugin executes a process, in this case calc.exe, without requesting any prior confirmation. Instead of launching the calculator, the web page could have downloaded and executed a malicious program...cont'd

--
Gladiator Security Forum: www.gladiator-antivirus.com/


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 recommendation

"Small effort with a large security gain: in Firefox, disable Java in the Add-ons menu under Plugins"
»www.h-online.com/security/news/i···m;zoom=2


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
From Brian Krebs
quote:
Attackers have seized upon a previously unknown security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

reply to chachazz
At least it not Adobe Java otherwise we'd have patches every week.
--
Don't feed trolls--it only makes them grow!


sbconslt

join:2009-07-28
Los Angeles, CA
reply to chachazz
Just pulled 6u33 from all machines until patched JRE versions come out.


therube

join:2004-11-11
Randallstown, MD

1 recommendation

6 was not affected.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
said by therube:

6 was not affected.

Not poking fun at all but in a very light hearted way...
OOPS!


sbconslt

join:2009-07-28
Los Angeles, CA

1 recommendation

Well now that I uninstalled it screw it anyway.

I'm not going to miss it all the zero times I typically need to run JRE.

There will be another security patchlevel of JRE 6 in a couple weeks anyway.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to therube
said by therube:

6 was not affected.

And you know this how, therube See Profile ?


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

4 edits
reply to therube
quote:
New Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable. In my lab environment, I was able to successfully exploit my test machine against latest version of FireFox with JRE version 1.7 update 6 installed.
According to: »blog.fireeye.com/research/2012/0···yet.html

The Register remarks: in part
quote:
The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.
Edit to add: Secunia Advisory 50133

Edit to add:
»www.kb.cert.org/vuls/id/636312

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

3 edits
siljaline, thanks for the information.. regarding whether or not "java 6" is vulnerable, aside from the "register"-article's saying that it is not vulnerable, i have not seen any confirmation of that..

p.s. if "java 6" actually isn't vulnerable, how come all of the articles regarding this issue say to disable java, or uninstall it, rather than saying to switch from "java 7" to "java 6", to resolve the issue?


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 recommendation

quote:
The current version of Java contains a serious security hole that allows computers to be infected with malicious code
Deep End Research - »www.deependresearch.org/2012/08/···ion.html

Details about the exploited vulnerability, mitigation factors and tips.

1. The javascript in index.html is heavily obfuscated.

2. This vulnerability affects Java 7 (1.7) Update 0 to 6. Does NOT affect Java 6 and below.

3. It works in all versions of Internet Explorer, Firefox, and Opera and Chrome(see notes in article)

3. It does not crash browsers (which does NOT mean it does not work!), the landing page looks like a blank page, sometimes one may see a flash of a rotating Java logo and the word "Loading"

5. The malicious Java applet is downloaded like you see on the picture below. At this point, if your system is not vulnerable or is patched, the attack stops. From the user perspective, it is impossible to tell if the attack was successful or not.

6. If the exploit is successful, it downloads and executes a malicious binary, which calls to another IP address/domain hello.icon.pk / 223.25.233.244

7. Although older Java is not vulnerable to this attack, downgrading is not recommended due to many other vulnerabilities in the older versions of Java.

8. Disable Java in your browser, apply the patch (see below), or use Chrome.. Chrome is vulnerable.
--
Gladiator Security Forum: www.gladiator-antivirus.com/


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
Part II Java 7 0-Day vulnerability analysis
quote:
Considering that Rapid 7 posted a working exploit and addition to the exploit packs is imminent (Attackers Pounce on Zero-Day Java Exploit by Brian Krebs), plus other analysis articles are being published such as New Java 0day exploited in the wild -by Alienvault, we decided that witholding details of the exploit will not offer additional protection but only hinder development of protection and signatures.

As we mentioned earlier, we contacted Michael Schierl,, the Java expert who discovered a number of Java vulnerabilities and asked him to have a look. He sent back his detailed analysis, exploit source, the interim patch with the source code of the patched class.
... info for requesting the patch ...

quote:
~ The real vulnerability seems to be inside the new Java7 class com.sun.beans.finder.ClassFinder which seems to make it possible for untrusted code to get access to classes in restricted packages (i. e. packages that are part of the security implementation itself and where usually untrusted code cannot get either access or call it).

~This method of abusing restricted package permissions is new to me (it does not work in Java 6 either as GetField was private there); but it is not unique - there are several ways you can use to get out of the sandbox if you have access to restricted packages - usually they need abit more code though.

The Analysis - »www.deependresearch.org/2012/08/···sis.html
--
Gladiator Security Forum: www.gladiator-antivirus.com/

redwolfe_98
Premium
join:2001-06-11
kudos:1

1 edit

1 recommendation

reply to chachazz
thanks chachaz..

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to chachazz
I have Java 6 update 7 (still says "Sun" on the about tab).

I don't see how all these security folks can say that Java is not needed. Do all internet users except myself have perfect speed at all times from their ISP? If not, then Java is needed as the ONLY decent speed tests are Java based. Plus, I have an application that I bought that requires it. I'm sure envious of all these folks with perfect speed all the time...wow.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to chachazz
Just tested this with Metasploit against Ubuntu 12.04 in a VM. It worked. However, when I enabled the default AppArmor profile for Firefox, it stopped the exploit cold. This profile is included in Ubuntu but is *not* activated by default. Of course even if the exploit succeeded it wouldn't have root, thus would probably be detected eventually by a discerning user.

What it does is try to run an executable from /tmp, but the AppArmor profile denies it access so it stops there.

Also, it doesn't appear to work against OpenJDK (the open source version of Java). Ubuntu does not package regular Oracle Java by default, so most people are probably using OpenJDK anyway.

Same thing on Chromium browser. The exploit works until I activated the AppArmor profile (and made some tweaks to it of my own). I suppose Java doesn't run in Chromium's built-in chroot sandbox.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999

jp10558
Premium
join:2005-06-24
Willseyville, NY
reply to chachazz
It's like Java is the new ActiveX.


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
So would disabling the Java browser plugin stop this exploit?

Also, would putting Microsoft EMET to work on the browser help mitigate the exploit?


nolz

@acanac.net
reply to chachazz
Curious as to how Chrome is vulnerable if it doesn't even allow java to run unless manually given permission


JALevinworth

@embarqhsd.net
reply to Mele20
said by Mele20:

I have Java 6 update 7 (still says "Sun" on the about tab).

I'm curious, Mele. Why are you still using version 6? and also update 7? The last update to 6 was 34. Between there (7-34) there have been a boat load of security fixes. I'm sure you have a reason but can't figure it out.

-Jim

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

3 edits
reply to trparky
said by trparky:

So would disabling the Java browser plugin stop this exploit?

yes.. if you want to disable "java", to do that, go into windows "control panel", click "java" and, in the settings, there, find the option for disabling java and disable it.. you could also disable the java plugins/addons in the browsers that you use, from within the browsers' settings-options..

if you use the "chrome" browser, which comes with its own version of "java", i think that the only way that you can disable "java" in it is from within chrome's settings-options..

Also, would putting Microsoft EMET to work on the browser help mitigate the exploit?

my guess is that EMET would not mitigate the vulnerability since, from what i read, the vulnerability does not involve crashing "java" or the browser, which is the type of thing that EMET is intended to prevent..


Packeteers
Premium
join:2005-06-18
Forest Hills, NY
kudos:1
Reviews:
·Time Warner Cable
reply to chachazz
i disabled java in chrome first thing this morning cause i saw this news on reddit. does anyone know what link is the best place to watch for a true official fix from either oracle or google so i can get back to using a shopping cart - lot's of labor day sales coming up you know


therube

join:2004-11-11
Randallstown, MD
What kind of shopping cart uses Java ?


Packeteers
Premium
join:2005-06-18
Forest Hills, NY
kudos:1
If you see this message, your web browser doesn't support JavaScript or JavaScript is disabled. Please enable JavaScript in your browser settings so Newegg.com can function correctly.

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
said by Packeteers:

If you see this message, your web browser doesn't support JavaScript or JavaScript is disabled. Please enable JavaScript in your browser settings so Newegg.com can function correctly.

packeteers, apparently you disabled "javascript" rather than disabling "java".. they are not the same thing.. you can go ahead and re-enable "javascript", though some of us have javascript restricted from running except on webpages where we want to allow it to run..

so, if you want to disable "java", you need to to go back and disable it, but that doesn't mean disabling "javascript"..

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4
said by redwolfe_98:

..packeteers, apparently you disabled "javascript" rather than disabling "java"..

What is the difference ? What / where is "Javascript" ? My control panel and add/remove programs only show "Java" as downloaded from here ;
»www.java.com/en/download/index.jsp
--
Breaker One Nine.


Packeteers
Premium
join:2005-06-18
Forest Hills, NY
kudos:1
Reviews:
·Time Warner Cable
reply to chachazz
OK thanks guys for helping me see that distinction. so i went into the java control panel from my desktop and disabled v1.7 of java, and enabled javascript in chrome so i am now back to spending money on items i can live without

so back to my original question...

what link can i watch to see when the fix is out from oracle on v1.7 of java?


therube

join:2004-11-11
Randallstown, MD
reply to SipSizzurp
It is Java that this vulnerability is concerned with.
And it would be Java that you would want to disable.

JavaScript is not Java

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

2 recommendations

reply to SipSizzurp
Click for full size
Firefox
Click for full size
Java 6 on XP
Javascript is enabled/disabled in your browser's options/preferences. Java's control panel is where you enable/disable it and it is located in the Windows Control Panel. You access the advanced tab and, if you have both IE and plugin browsers Java installed, you can enable just for one type of browser and not the other or, enable for both, or disable for both, and then when you need it you can temporarily enable it.

I have an early version of Java 6, so the Java Control Panel may look different in Java 7 but you can the idea from my screenshot.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to JALevinworth
said by JALevinworth :

said by Mele20:

I have Java 6 update 7 (still says "Sun" on the about tab).

I'm curious, Mele. Why are you still using version 6? and also update 7? The last update to 6 was 34. Between there (7-34) there have been a boat load of security fixes. I'm sure you have a reason but can't figure it out.

-Jim

Over the years, I have had a lot of trouble with Java installations/uninstallations. Probably more trouble with them than problems with Flash. (Years ago, I really liked Microsoft's stolen version of Java because it worked so much better than Sun's -which would be expected since Microsoft made it to run on their software - and installed properly so I always used it).

I have Process Guard and I have never told it to "Always Allow" Java to run. Thus, I get a popup from Process Guard if I go to a web page where Java is needed. Since the only time I need Java is when I have deliberately gone to a Web 100 server site to do a Java speed test or, more likely, opened my owned MySpeed software to run speed tests every so many minutes, or gone to VusualWare's web based Java speed tests (which are the best and most accurate of all speed tests), I am not about to say "yes" to Process Guard's popup about starting Java if I got a popup unexpectedly. So, I feel reasonably safe to use an old version. I think I recall it wouldn't uninstall. I have had that problem umpteen times on XP and on 98SE before that so I left it at that early version of Java 6. I suppose a Web 100 test server could become compromised, but unlikely. I belong to the Web100 list serv. I don't always read all the messages but that group of IT people are conscientious about the tests and keeping their servers up to date and it is unlikely one of their servers would become compromised. Plus, they are involved in the FCC broadband tests for which I am a panelist, hence another reason for them to not have compromised servers.

I rarely do dslr speed tests these days (used to do them a lot) but there again the Java ones here are much better than the flash ones.

This is probably the best speed test on the net. It is NOT a capacity test as almost all other speed tests Java or Flash are. It is a quality test. The site owner is a member here. It requires Java because it is a VisualWare test. He has dedicated high quality servers in several Mainland locations and recently put one in Los Angeles which is perfect for me in Hawaii.

»www.ispgeeks.com/wild/modules.ph···lityTest
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson