chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 recommendation

reply to redwolfe_98

Re: Warning: 0-Day vulnerability in Java 7

quote:
The current version of Java contains a serious security hole that allows computers to be infected with malicious code
Deep End Research - »www.deependresearch.org/2012/08/···ion.html

Details about the exploited vulnerability, mitigation factors and tips.

1. The javascript in index.html is heavily obfuscated.

2. This vulnerability affects Java 7 (1.7) Update 0 to 6. Does NOT affect Java 6 and below.

3. It works in all versions of Internet Explorer, Firefox, and Opera and Chrome (see notes in article)

4. It does not crash browsers (which does NOT mean it does not work!); the landing page looks like a blank page, and sometimes one may see a flash of a rotating Java logo and the word "Loading"

5. The malicious Java applet is downloaded like you see on the picture below. At this point, if your system is not vulnerable or is patched, the attack stops. From the user perspective, it is impossible to tell if the attack was successful or not.

6. If the exploit is successful, it downloads and executes a malicious binary, which calls to another IP address/domain hello.icon.pk / 223.25.233.244

7. Although older Java is not vulnerable to this attack, downgrading is not recommended due to many other vulnerabilities in the older versions of Java.

8. Disable Java in your browser, apply the patch (see below), or use Chrome.. Chrome is vulnerable.
--
Gladiator Security Forum: www.gladiator-antivirus.com/
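As an added detection example (not code from the post or from Deep End Research), this Python scanner correlates the chain described in steps 5 and 6 over constructed proxy log lines: a per-client applet download followed by a connection to the callback host or IP quoted above. The log format and client addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Callback indicators quoted in the post above (step 6).
CALLBACK_INDICATORS = {"hello.icon.pk", "223.25.233.244"}

# Constructed proxy log lines (not real traffic): "timestamp client method url".
SAMPLE_LOG = """\
1345900001 10.0.0.5 GET http://example-landing.test/index.html
1345900002 10.0.0.5 GET http://example-landing.test/applet.jar
1345900009 10.0.0.5 GET http://hello.icon.pk/gate.php
1345900020 10.0.0.9 GET http://example-landing.test/applet.jar
1345900031 10.0.0.12 GET http://223.25.233.244/
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Step 5: the malicious applet arrives as a .jar or .class fetch.
APPLET_RE = re.compile(r"\.(jar|class)(\?|$)", re.IGNORECASE)

def host_of(url):
    """Return the lowercase host part of a URL, dropping scheme, port and path."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()

def classify(log_text):
    """Per client: 'callback' when an applet fetch was followed by a connection to
    a listed indicator (the exploit ran and the binary phoned home), 'applet_only'
    when only the applet fetch was seen (attempt observed, outcome unknown, as the
    post notes), 'callback_only' when the indicator was hit with no applet fetch."""
    state = defaultdict(lambda: {"applet": None, "callback": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, _method, url = m.groups()
        s = state[client]
        if APPLET_RE.search(url) and s["applet"] is None:
            s["applet"] = int(ts)
        if host_of(url) in CALLBACK_INDICATORS and s["callback"] is None:
            s["callback"] = int(ts)
    verdicts = {}
    for client, s in state.items():
        if s["applet"] is not None and s["callback"] is not None and s["callback"] >= s["applet"]:
            verdicts[client] = "callback"
        elif s["callback"] is not None:
            verdicts[client] = "callback_only"
        elif s["applet"] is not None:
            verdicts[client] = "applet_only"
    return verdicts
```

Clients that fetched only the landing page (no applet, no callback) are left out of the verdicts, so the output lists only hosts that need a closer look.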


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
Part II Java 7 0-Day vulnerability analysis
quote:
Considering that Rapid 7 posted a working exploit and addition to the exploit packs is imminent (Attackers Pounce on Zero-Day Java Exploit by Brian Krebs), plus other analysis articles are being published such as New Java 0day exploited in the wild by Alienvault, we decided that withholding details of the exploit will not offer additional protection but only hinder development of protection and signatures.

As we mentioned earlier, we contacted Michael Schierl, the Java expert who discovered a number of Java vulnerabilities, and asked him to have a look. He sent back his detailed analysis, exploit source, and the interim patch with the source code of the patched class.
... info for requesting the patch ...

quote:
~ The real vulnerability seems to be inside the new Java 7 class com.sun.beans.finder.ClassFinder, which seems to make it possible for untrusted code to get access to classes in restricted packages (i.e. packages that are part of the security implementation itself, which untrusted code usually cannot access or call).

~ This method of abusing restricted package permissions is new to me (it does not work in Java 6 either, as GetField was private there); but it is not unique - there are several ways you can use to get out of the sandbox if you have access to restricted packages - usually they need a bit more code though.

The Analysis - »www.deependresearch.org/2012/08/···sis.html
--
Gladiator Security Forum: www.gladiator-antivirus.com/


nolz

@acanac.net
reply to chachazz
Curious as to how Chrome is vulnerable if it doesn't even allow java to run unless manually given permission

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Houston, TX
kudos:4
reply to chachazz
said by chachazz:

6. If the exploit is successful, it downloads and executes a malicious binary, which calls to another IP address/domain hello.icon.pk / 223.25.233.244

I would assume that my Faronics Anti-Executable would deny execution of the malicious code, but would my Anti-Executable also interfere with legitimate Java activity ? ( sorry for the hijack...)
--
Breaker One Nine.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to nolz
said by nolz :

Curious as to how Chrome is vulnerable if it doesn't even allow java to run unless manually given permission

Exactly..

Test page to see if you are vulnerable, but even if it lists your version, Java will not run in Chrome unless you give it specific permission.
»zulu.zscaler.com/research/java_version.html

By default java is a blocked plugin for Chrome.

Google Chrome now blocks plug-ins that are not widely used. When this happens, you will see a message such as the following:

"The Java plug-in needs your permission to run."

You should only run the plug-in if you trust the website you are visiting (for example, your banking website might legitimately use a Java applet).

To let the plug-in run on the site, follow these steps:

To run the plug-in just this once, click Run this time in the message. The plug-in will run, but if you re-visit the site, you'll be asked for permission to run the plug-in again.
To always allow the current site to run the plug-in, click Always run on this site. Subsequent visits to the site will run the plug-in without asking again.
To always allow this type of plug-in to run, go to chrome://plugins, find the plug-in and select the Always allowed checkbox.
»support.google.com/chrome/bin/an···d_plugin
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

mysec
Premium
join:2005-11-29
kudos:4
reply to SipSizzurp
said by SipSizzurp:

I would assume that my Faronics Anti-Executable would deny execution of the malicious code, but would my Anti-Executable also interfere with legitimate Java activity ? ( sorry for the hijack...)


I have JAVA whitelisted for just one site, and Anti-Executable doesn't interfere at all, because in legitimate JAVA activity, a non-whitelisted executable doesn't come into the picture, so there is nothing for Anti-Executable to alert to.


----
rich