Samker's Computer Forum - SCforum.info

World TOP Headlines: => Latest Security News & Alerts => Topic started by: Samker on 12. January 2013., 08:24:25

Title: Disable or Uninstall JAVA, Warning from The U.S. Department of Homeland Security
Post by: Samker on 12. January 2013., 08:24:25
(http://1.bp.blogspot.com/-XGM9svXkw58/UPCofSsshWI/AAAAAAAAbmk/Of-75fsxgZ4/s1600/2010-10-15-dhs.jpg)

The U.S. Department of Homeland Security is warning users to disable or uninstall Oracle Corps’ Java software on their computers because of a flaw that would allow hackers to install malicious software: http://www.kb.cert.org/vuls/id/625617

Java is used by hundreds of millions of Windows, Mac and Linux computers along with mobile devices, reported ZDNet.

It’s rare for a government agency to recommend users completely disable a software program because of a security threat. Typically warnings will recommend taking steps to reduce risk while manufacturers work on a security update.

According to ZDNet, hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines.

These programs could increase the chance for identity theft, or force your computer to participate in a botnet — where a group of computers cede control to a hacker who uses them to carry out attacks against websites.

“We are currently unaware of a practical solution to this problem,” said the DHS’ Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. “This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available”: http://www.us-cert.gov/current/#us_cert_releases_oracle_java

DHS recommends Java users disable Java immediately to mitigate any damage: http://www.java.com/en/download/help/disable_browser.xml

Oracle declined comment Friday.

Java is used by programmers to write software using just one set of code. It runs on virtually any type of computer through Java programs called modules or plug-ins, that run Java software on top of browsers such as Internet Explorer and Firefox. It is not the same as JavaScript, which is used to write the coding of websites.

(wtvr)

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but all versions from 4 through 7: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422
Title: Re: Disable or Uninstall JAVA, Warning from The U.S. Department of Homeland Security
Post by: Fintech on 12. January 2013., 18:28:29
Thanx Sam.. :bih:
I told you this just yesterday, and I don't have Java in use any longer! Also the Firefox plugin is disabled and all Java is removed, at least for the present!
:thumbsup:

-F  :up:
Title: Re: Disable or Uninstall JAVA, Warning from The U.S. Department of Homeland Security
Post by: jheysen on 13. January 2013., 22:06:20
Bad for me, since Introduction to Programming in my University is taught in Java.. :/
Any words of this exploit being also on Dalvik VM? (Android)
Title: Re: Disable or Uninstall JAVA, Warning from The U.S. Department of Homeland Security
Post by: Fintech on 14. January 2013., 08:39:51
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html#117164  ::)

-F  :up:
Title: Re: Disable or Uninstall JAVA, Warning from The U.S. Department of Homeland Security
Post by: Samker on 14. January 2013., 18:58:08
Quote

Bad for me, since Introduction to Programming in my University is taught in Java.. :/
Any words of this exploit being also on Dalvik VM? (Android)

I found this information on one of provided links:

Quote

...

"This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected."

...

IMO, Android is also vulnerable if it uses Java v.7.
Title: Re: Disable or Uninstall JAVA, Warning from The U.S. Department of Homeland Security
Post by: Fintech on 14. January 2013., 20:05:18
Here is the latest version:
Recommended Version 7 Update 11 (filesize: 854 KB)  ???
http://java.com/en/download/inc/windows_new_xpi.jsp?locale=en


Title: More Info ! : Java Zero-Day Vulnerability Pushes Out Crimeware
Post by: Pez on 15. January 2013., 09:29:01
More Info: Java Zero-Day Vulnerability Pushes Out Crimeware

This blog was updated on January 14. See the end of the file.

A new Java zero-day vulnerability is spreading malicious files to infect unprotected users. The threat is dangerous: Just browsing a malicious page or clicking a malicious link in spam is enough to cause an infection when combined with a vulnerable Java version.

Because most browsers enable Java by default, this vulnerability can be used by attackers to easily spread malware using various exploit kits available in the market.


Exploit Analysis

The vulnerability is triggered by abusing restricted package permissions, which makes it possible for untrusted code to get access to classes that are part of restricted packages. Hence this can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

This vulnerability in Java is very similar in characteristics to Exploit CVE2012-4681 (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24040/en_US/McAfee_Labs_Threat_Advisory_Exploit_CVE2012_4681.pdf), though not completely similar to it.

Generally, the Java Virtual Machine first checks the privilege/permission of the class file or object before allowing it to execute in the Java applet sandbox environment. Any applet that does not have the required credentials will not execute. The goal of attackers is to exploit this vulnerability in order to escalate privileges, which enable the Java applet code to run outside the sandbox.

(http://blogs.mcafee.com/wp-content/uploads/2013/01/0-Day1.jpg)

Figure 1: A typical vulnerability flow for this Java zero-day attack.

As shown in the preceding image, the victim first visits a compromised website link, which in turn loads the malicious Java applet in the vulnerable Java environment and executes the downloaded malicious payload on the compromised user system.

(http://blogs.mcafee.com/wp-content/uploads/2013/01/0-day2.jpg)

Figure 2: The main exploit code.

The preceding image shows how the attack works. It exploits the vulnerability using “MBeanInstantiator,” which allows the loading of a restricted class by exploiting the “findClass” method of the “com.sun.jmx.mbeanserver.MBeanInstantiator” class. By doing this, we can retrieve the class references of any package.

Steps in exploiting the vulnerability:

1. First the call to the vulnerable “com.sun.jmx.mbeanserver.MBeanInstantiator.findClass” is made

2. This will then call the “LoadClass” and “Class.forName,” which allow us to load any package in any classes available

3. However, the “MBeanInstantiator” constructor is a private member. First, it has to get a reference to an instance of this object so that it can be used to load a class to be used later.

4. This is achieved by calling a public static method, which in turn returns the “com.sun.jmx.mbeanserver.JmxMBeanServer” instance.

5. The “JmxMBeanServer” class has a public method called “getMBeanInstantiator” [Figure 3], which returns the “MBeanInstantiator” instance. Using this we can find any class that we require using the “findClass” method.

6. Then, the attack uses the new reflection API to obtain and call MethodHandle objects [Figure 4].

7. These MethodHandles point to methods and constructors of the restricted classes that were retrieved earlier, as mentioned above. This is achieved by the “invokeWithArguments” method call of java.lang.invoke.

(http://blogs.mcafee.com/wp-content/uploads/2013/01/0-day3.jpg)

Figure 3: A JmxMBeanServer code snippet.

(http://blogs.mcafee.com/wp-content/uploads/2013/01/0-day4.jpg)

Figure 4:  The attack uses the new reflection API.

Affected Java Versions

This exploit targets the vulnerability in Java Version 7 Update 10 and earlier.

An initial threat vector may be hosted on a compromised website in the form of an applet that contains code to exploit this vulnerability. The intent of the exploit is to surreptitiously download and execute additional malware on the infected system. An indication of this may be the presence of unusual traffic to unknown domains.

Exploit Kit Seizes the Opportunity

In our analysis, we have seen this vulnerability used by various exploit kits, including Blackhole, Red Kit (http://scforum.info/index.php/topic,7947.0.html), Cool, Nuclear, and Sakura. These exploit kits appear to push out PWS-Zbot, ransomware (http://blogs.mcafee.com/mcafee-labs/trojan-locks-computers-demands-ransom-for-bogus-offense), and ZeroAccess as payloads.

McAfee products detect this malware in our latest DATs as Exploit CVE2013-0422 (http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1628498).

Mitigation

Because this is a zero-day attack there is no patch yet for the vulnerability. Hence our recommendation is to completely disable Java until the patch for this vulnerability is released.

If you cannot disable Java, you can take any of the following steps:

• In the Java Control panel under the Security tab, set the security level to “Very High.” By doing this, unsigned (sandboxed) apps and local applets will not run.

• Keep your McAfee antimalware definitions updated. We detect this attack as Exploit CVE2013-0422 as well as the payloads it downloads.

Meanwhile, we will continue to monitor this threat closely for new malware payloads and update that information here.

Update, January 14

Oracle has released a patch for this vulnerability that is available here. Java users should update their software immediately.


Original article: Monday, January 14, 2013 at 12:47pm by Arun Sabapathy (http://blogs.mcafee.com/mcafee-labs/java-zero-day-vulnerability-pushes-out-crimeware)
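As an added example for the "Affected Java Versions" and "Mitigation" sections above (not code from this thread, from McAfee or from US-CERT), here is a small Python triage script a defender could run on a fleet to decide which machines still need the 7 Update 11 release or the "Very High" Control Panel setting. It parses the text that `java -version` prints and applies the thread's own numbers: 7 Update 10 and earlier is affected, the cited NVD entry lists versions 4 through 7, and 7 Update 11 is the fix. The sample outputs are constructed for the example, and the `deployment.security.level` key used in `security_level()` is assumed from Oracle's deployment.properties file format; the thread itself only names the Control Panel "Very High" setting.

```python
"""Triage helper: is a local Java install inside the range this thread calls affected?

The checks implement the thread's numbers: Java 4 through 7 up to 7 Update 10
are treated as affected, 7 Update 11 and later as fixed.
"""
import re
import subprocess

FIXED_MAJOR, FIXED_UPDATE = 7, 11   # release the thread points to as the fix
OLDEST_AFFECTED_MAJOR = 4           # NVD range cited in the first post: 4 through 7

# First line of `java -version` in the 1.x naming scheme of that era,
# e.g. java version "1.7.0_10" is Java 7 Update 10; the _NN update part is optional.
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')

# Constructed sample outputs (not real captures) for running the script offline.
SAMPLE_OUTPUTS = {
    "vulnerable_7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment\n',
    "patched_7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment\n',
    "old_6u37": 'java version "1.6.0_37"\n',
    "no_java": "bash: java: command not found\n",
}


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` text, or None if absent."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def classify(output):
    """Classify `java -version` text as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"            # no Java found, or an unparseable banner
    major, update = parsed
    if (major, update) >= (FIXED_MAJOR, FIXED_UPDATE):
        return "fixed"              # 7u11 or anything newer
    if major >= OLDEST_AFFECTED_MAJOR:
        return "affected"           # Java 4 .. 7u10, the range the thread names
    return "unknown"                # older than the range the thread discusses


def security_level(deployment_properties_text):
    """Return the value of deployment.security.level from deployment.properties text.

    Key name is an assumption taken from Oracle's deployment.properties format;
    VERY_HIGH corresponds to the Control Panel setting the mitigation recommends.
    """
    for line in deployment_properties_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if line.startswith("deployment.security.level="):
            return line.split("=", 1)[1].strip()
    return None


def local_java_status():
    """Run `java -version` on this host and classify it; 'unknown' if not installed."""
    try:
        # `java -version` writes its banner to stderr, so capture both streams.
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return classify(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, banner in SAMPLE_OUTPUTS.items():
        print(f"{name:16s} -> {classify(banner)}")
    print("this host        ->", local_java_status())
```

Running the script prints one verdict per constructed sample and then the verdict for the host it runs on; "affected" means the machine should get the update or have Java disabled as the thread advises, and a `security_level()` result other than `VERY_HIGH` means the Control Panel mitigation has not been applied.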