August 27, 2012

Attackers have seized upon a previously unknown security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.

A Metasploit module developed to target this Java 0-day.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. “The price of such an exploit if it were sold privately would be about $100,000,” wrote Paunch, the nickname used by the BlackHole author.

Oracle is not scheduled to release another security update for Java until October. In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.

Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java? link. Mac users can use the Software Update feature to check for any available Java updates.

If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I  would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (ChromeIE9Safari, etc.) with Java enabled to browse only the site that requires it.

For browser-specific instructions on disabling Java, click here.

If you must use Java, security experts are prepping an unofficial patch for the program that should blunt this vulnerability, but it is being offered on a per-request basis at this point. A number of experts I know and respect have vouched for the integrity of this patch, but installing third-party patches should not be done lightly. Note that regressing to the latest version of Java 6 (Java/JRE 6 Update 34) is certainly an option, but not a very good one either. If you do not need Java, get rid of it, and if you do need it for specific applications or sites, limit your use of Java to those sites and applications, using a secondary browser for that purpose.

If you liked this post, check out my follow-up story, Researchers: Java Zero-Day Leveraged Two Flaws.


70 thoughts on “Attackers Pounce on Zero-Day Java Exploit

  1. John

    Brian, I have Java 6, version 33. Does it help if we use limited user accounts? Which, upon your advice years ago, I’ve been doing ever since.

    Thanks very much for all you do!

    1. BrianKrebs Post author

      John, limited user approach is always a great start, but it’s increasingly ineffective against blocking attacks outright, as many malware types will still install in regular user accounts.

      I would strongly encourage you to adopt the approach I recommend in this column: If you do not need the program, get rid of it. If you need Java, keep it installed in a secondary browser that you don’t use for everyday surfing, and unplug it from your regular browser. Then, use the secondary browser only for those sites that require Java.

      1. mechBgon

        The bad guys’ adaptation to low-rights user accounts is one reason I’m a fan of Software Restriction Policy. For versions of Windows that don’t do SRP (Home versions), applying Parental Controls to one’s Standard User accounts and whitelisting the legit installed software would also help. There’s somewhat of a learning curve involved, and you may discover your software has bad habits (Chrome running .EXEs from the user’s profile, for example).

        Before dabbling with SRP, set a System Restore point in case you paint yourself into a corner with it.

        1. wat0114

          Thanks for this mechBgon! Why is not mentioned anywhere about the effectiveness of an anti-executable approach in preventing the payload from executing?

      2. MicrosoftIsABoatOnFireWithAHoleInIt

        How about UAC? Can this specific exploit get in if UAC is on?

        1. Shaquille Freeman

          Anything can get past UAC. UAC is security theatre at it’s finest.

  2. Debbie Kearns

    Thanks for the warning. I disabled Java in Internet Explorer 8 and am waiting until October for the patch so that I can enable Java again.

  3. Rabid Howler Monkey

    FYI. Oracle just completed their quarterly update of Java SE 6 and 7 on August 14, 2012, with update 6 for Java SE 7 and update 34 for Java SE 6. Neither of these two updates included security fixes. More here:

    http://www.oracle.com/us/corporate/press/1735645

    I wonder how long it will take Oracle to update Java SE 7 with a patch for this exploit (assuming that Java SE 6 is not affected)?

    1. Rabid Howler Monkey

      A slight modification to my post. Oracle patches Java every 2 months, with security fixes provided every 4 months and non-security bug fixes and enhancements provided every 4 months. There is an approximate 2 month lag between security updates to Java and non-security updates to Java as shown at Wikipedia:

      http://en.wikipedia.org/wiki/Java_SE_6#Java_6_updates

      http://en.wikipedia.org/wiki/Java_SE_6#Java_7_updates

      Brian is correct in the article that the next *scheduled* security update to Java SE 6 and 7 is in October, 2012.

  4. dreamer77dd

    so will we need to wait 2 months for a security update? Or are they making this a priority?

  5. Jake

    Anyone else notice that screen shot shows MAC OS terminal overlaid on a Windows 7 “programs and features” window?

    1. Brandon

      That is because the devs use Mac OSX and vmware to test exploits on victims in a virtualised environment.

      1. BrianKrebs Post author

        Yes, that probably explains it.

        It’s interesting…I didn’t note this in the story, but it bears stating here for the record: Java vulnerabilities are cross-platform, and this attack could just as easily be used to attack Mac systems (remember Flashback?).

          1. Nick P

            Yikes. I was using Firefox (w/ NoScript) & Java on Ubuntu 10.04 a few months ago. Mostly use Chrome now. Do I breath a sigh of relief or do a long-needed audit of my personal machine?

            Most of my security mindset & energy is aimed at securing others machines & my critical stuff. I honestly don’t put much effort into my personal “whatever” machine by comparison. Still… can’t make it too easy for them… 😉

            1. Rabid Howler Monkey

              Nick P wrote:
              “Do I breath a sigh of relief or do a long-needed audit of my personal machine?

              If you have Oracle’s proprietary Java SE 7 installed on your Linux system, the Java plug-in enabled in Firefox and are using the NoScript add-on, I’d say neither. 🙂

              Just note that 1) most (but, not all) popular Linux distros use Firefox as the default web browser and 2) the only Linux distro that I am aware of that includes the NoScript add-on by default is the U.S. Air Force LPS-Public LiveCD distro. In the case of LPS-Public, the NoScript add-on is *disabled* by default. Also, note that LPS-Public includes Java.

              P.S. An open issue for many desktop Linux users (see the comment below) is whether or not OpenJDK has the same vulnerabilities that are currently being exploited in Oracle’s proprietary Java SE 7. To be safe, I would assume that it does until I hear otherwise.

              1. Nick P

                I appreciate it. A friend of mine also told me that NoScript should prevent it. As for OpenJDK or maybe Harmony, I’d tend to agree. Other Java platforms might reduce risk in that their code should be different & hopefully different people didn’t make the same coding errors. Hard to say which are the safest: Oracle benefits from much scrutiny & white hat contribution, while the others benefit from obscurity. (Kaffe & JX also have a safer design, but they’re not mainstream.)

    2. Datz

      No that is the terminal window of Metasploit Framework. Notice the msf prompt?

  6. ED

    Brian,

    In the past you have recommended the use of Microsoft EMET.

    Would it help in this instance if installed with default settings, or with elevated settings?

    I realize that this a question which may go beyond the scope of your column, but it arises each time that I read about a new zero day exploit.

    Thanks
    Ed

    1. BrianKrebs Post author

      EMET is a great tool, and if you’re going to have Java installed, it would be a smart idea to place the application behind EMET’s protection as much as possible. But I would not count on that to stop attacks against a zero-day in Java itself. However, I don’t have any specific knowledge of whether EMET could block this particular attack, sorry.

    2. buherator

      EMET is designed to prevent memory corruption exploits (or their shellcode) from running. Since this is a design weakness, EMET won’t help you. Also, Java with EMET is not very easy.

      1. Nick P

        I agree. A better protection strategy is a very isolated VM dedicated to risky stuff like Java & web surfing. Update the main image periodically. Use snapshots. Either rollback after a suspected incident or load from last safe snapshot before doing a sensitive application. This forces the typical hackers to use social engineering or try to find flaws in the sandboxing scheme. The latter only makes our collective security better as we fix what little low-hanging fruit is there & sandbox more apps. 😉

        Obscurity always helps too. Using a “not no. 1 market share” vendor for the VMM, OS, or browser reduces risk from attackers who cast a wide net looking for popular attack vectors. Other attacks are possible, but even so-called APT’s used common attack vectors most of the time. Something to remember.

        1. Terry Ritter

          @Nick P: “This forces the typical hackers to use social engineering or try to find flaws in the sandboxing scheme. The latter only makes our collective security better as we fix what little low-hanging fruit is there & sandbox more apps.”

          Allow me to recommend the recent article by Roger Grimes in InfoWorld: “9 popular IT security practices that just don’t work”

          http://www.infoworld.com/d/security/9-popular-it-security-practices-just-dont-work-199548

          “Security fail No. 9: Sandboxes provide straight line to underlying system

          “I sigh every time a new security sandbox is announced. These sandboxes are supposed to make exploits against the software they protect impossible or at least significantly harder to pull off. The reality is that every security sandbox developed so far has fallen under hacker attention.

          “Today the biggest security sandboxes are probably best represented by Java and Google’s Chrome browser, and both have suffered over 100 exploits that perforated the sandbox and allowed direct access to the underlying system. However, that doesn’t stop the dreamers who think they’ll find one that will halt all exploits and put down computer maliciousness forever.

          “Unfortunately, a lot of computer security is more security theater than protection.”

          1. Nick P

            Nice. Let’s ignore Java: it’s outdated from a security perspective & barely a sandbox. Let’s focus on things like Chrome, Sandboxie, & security-oriented virtualization. He said over 100 holes perforated the sandbox. Now, knowing what users *really* care about, here’s the million dollar question:

            How many of these holes were found by bad guys & hit by malware that most of us worry about day-to-day?

            He also implies that these sandboxing technologies don’t make system exploitation significantly harder. Can he back that up with hard data compared to non-sandboxed alternatives?

  7. Craig

    I’ve done what you recommended for years, reserving seldom-used IE for Java sites. For about the same length of time I’ve also taken it for granted that restricting Java from storing files on the local disk was also helpful.

    Several weeks ago I got sloppy, and unlucky. Long story short, I ended up having to do a partition restore to get rid of what was biting me.

    DOES restricting Java from saving locally do any good?

  8. Steve

    Professionally I have been a Java developer for over 10 years. I do not have Java enabled in any browser on any operating system. It just isn’t needed. Turn off Javan in all of your browsers and I doubt you will ever need to turn it on again.

    1. GeorgeH

      I agree, I too develop java for 7 years and though I keep Java installed and up to date on my home laptop, I hardly ever found the need for it on the browser.

      It’s a safe bet to keep the java plugin for the browser disabled, but keep java installed on the system if you use it regularly. And I never had to use libreOffice / OpenOffice with Java.

  9. Splendiferous

    How does this affect OpenJDK, assuming the vulnerability will include Linux compromises again?

  10. LHB

    Easiest solution is to remove Java altogether from your system. Problem solved. It’s a dead technology anyway.

    1. Stefan

      “Easiest solution is to remove Java altogether from your system. Problem solved.” — Agreed

      “It’s a dead technology anyway.” — Wishful thinking?? Java is very much alive on servers.

      1. Nick P

        Closure is also bringing it back on the client. Although I haven’t tried it, I see more people using it all the time. There’s also people targeting Scala for systems programming. Then, some RAD applications like Windev support exporting to Java. Finally, Java is getting more and more popular in the embedded scene as a C++ alternative thanks to the embedded java standards & products like those from Aonix.

        So, it’s very unpopular client-side for most personal app developers, but it’s still alive in quite a few sub-sections of IT & growing in some. I’d personally rather the JVM itself die off, but we need a Java-supporting awesome alternative first. Enterprise, production quality too people! Otherwise, why would they use it? 😉

  11. Richard Steven Hack

    Java a “dead technology”?

    The six to seven million Java programmers in the world would be surprised to hear that…

    Since Java was developed at least partly for the Web, I am surprised at how few Web sites need it. I haven’t tried disabling it in my browsers yet for fear I’ll find one of my most important sites might need it, but perhaps I should try the experiment.

    Since I have NoScript installed in Firefox and ScriptNo in Chrome (which I’m not currently using at all due to stupid design decisions…but I digress) which also blocks Java applets, I suppose I don’t have to.

    It’s more important to disable JavaScript using NoScript and ScriptNo. There are a LOT of attack options via JavaScript.

    1. rb

      I would like to second PC.Tech’s Firefox/NoScript recommendation. It allows you you whitelist sites that will be allowed to run JavaScript/Java and some other things.

      I prefer to give most sites that need JS “temporary” permission as needed – you never know when/if a particular site might get hacked. This is safer than separate browsers, because you might forget you’re using your “unsafe” browser and wander to a site with an exploit.

      1. rb

        Er, sorry; not PC.Tech’s recommendation, but Richard Steven Hack’s.

  12. Bujo

    I haven’t updated MS to get the new JRE exploit, if it’s even live yet, but is it true it doesn’t work on Java 6? My users require Java for everyday work, our call center app uses it for one. I’ve kept them on the current version of Java 6 so far – we’re on 6u33 right now but almost done with 6u34 QA process. Detaching Java from IE would be nice, but is not an option at the moment.

    1. darkphyber

      Aparently it only exploits Java 7. I tried to exploit Java 6.33 with the Metasploit module and it doesn’t work. But you can bet people are working on it.

  13. Dave Michmerhuizen

    The attack is delivered via some heavily obfuscated javascript. Using noscript is a good idea.

    1. BrianKrebs Post author

      Yes, and as someone already commented, Noscript blocks Java applets by default as well.

    1. TJ

      In the Opera address bar, go to opera:plugins and disable the Java plug-in.

  14. Randy

    Does this have any effect on Linux, esp. Ubuntu and Mint?

  15. bruce

    Are these guys DROPOUTS from the cocaine trade? Or do they perhaps think they are somehow otherwise ‘saving the world?’

    They need a few visits from American Special Operations Forces if they think everything should be legal.

    1. anonymous

      are you sure you commented on the right article?

    2. voksalna

      It took me a minute, then I realized… He is referring to metasploit. 😉

  16. PC.Tech

    http://www.kb.cert.org/vuls/id/636312
    Last revised: 28 Aug 2012 – “… Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability…”

    http://www.symantec.com/connect/blogs/new-java-zero-day-vulnerability-cve-2012-4681
    8.28.2012 – “… attackers have been using this zero-day vulnerability for at least five days, since August 22… we have confirmed that the zero-day vulnerability works on the latest version of Java (JRE 1.7), but it does -not- work on the older version JRE 1.6…”

    JRE 6 Update 34
    http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html
    August 14, 2012
    .

  17. Sterling

    I recently reinstalled Windows (I had nothing better to do) and took your advice and have not installed Java. So far, I haven’t ran into any problems with sites needing Java.

  18. dreamer77dd

    What sites do need java?
    Gmail? Google hangout?

    1. SeymourB

      Only sites I know of that are critical for my workplace environment are a couple government websites. However since those sites don’t work with Java 7 I suppose we’re somewhat safe. This time.

    2. TJ

      GoToMeeting web conferencing (which I use several times month) is the only reason I install Java. But I always keep the browser plug-in disabled until needed.

  19. Ken

    I installed java7 on my Mac and it no longer works in Chrome, which is my main browser. That was a lucky coincidence. I don’t think Apple moved their population to Java 7 or intends to. So, no mass Flashback type problem for basic users, right?

  20. Biber

    I was wondering … I unistalled Java from my PC some months ago but I still have the plugin in Firefox. Does the vulnerability affect me?

    I use No Script and AdBlock+, by the way. I believe they are essential.

  21. barn2

    Agree with the noscript and scriptno plugins mentioned already, as well as the methods for disabling java. At the firewall, we’ve already taken what some would say is a rather extreme step, of blocking any outbound traffic to non U.S. networks. 95% of the malware running around today seems to connect to an Asian/EU netblock to do their dirty work.

    1. Uzzi

      You must be kidding?!… (last time I checked threat centers the U.S. was #1 or #2 of everything including spam, malvertising and hacked websites.)

      What you’re looking for is called ‘whitelisting’… you may like to also check http://www.sophos.com/en-us/products.aspx and others that help you to firewall known sources of danger.

      1. barn2

        Not kidding. I’m knee deep in logs and firewall acls day long. In my humble experience, most of our egress malware traffic (once a host is infected) is bound for non US networks.

  22. nelle

    Shutting down Java took away the ability to post to Facebook, like anything there, or on WordPress dot com.

    1. nelle

      Just wished to add that after a day of trying to make do with No Script, about 80% of the pages I visit have some Java Script requirements.

      1. SeymourB

        Then whitelist the sites you use that have Javascript.

        Nobody is saying run NoScript and not use Javascript at all, we’re saying install NoScript, let it disable Java, and selectively enable Javascript for sites that you trust.

        Is that banner ad from a completely different domain trying to load a javascript? Deny. Is the website I’m visiting attempt to load a javascript? Allow.

        As you go along the whitelist will grow and NoScript will intrude on your browsing less and less often.

        Please note that Javascript and Java are two completely different things, and you can post to Facebook & here w/Java disabled but with Javascript enabled.

  23. Chris Thomas

    This reinforces the notion that the Internet is impossible to make safe for private and personal transactions with websites.

    Is Oracle a fit and proper custodian of such an important and vulnerable resource as Java? Clearly Mr Krebs’s assertion that Java should be disabled for web use is hard to argue against. How non-techies can be expected to ensure their online safety beats me.

  24. Saurabh K

    How to disable Java in your Browser::
    If you use Internet Explorer version 7 or above, open Internet Explorer and select Tools | Manage Add-ons then skip to Step 3.

    If you use an older version of Internet Explorer, open Internet Explorer and select Tools | Internet Options and continue to Step 2.
    From the Internet Options window, click the Programs tab and select Manage Add-ons.
    From the Add-ons windows, click once to select (highlight) Java Plug-in then click the Disable button. Click Close and OK to accept the change.

    Alternatively, you can also click Tools | Internet Options | Advanced. If Java is installed in your browser, you will see a listing for Sun Java in the Internet Options menu. Just uncheck it to disable.

    When you encounter a site that requires Java (for example, some small online games and calculators), you can re-enable Java easily by following the same steps above, this time selecting the enable option.

  25. Freddy Merkur

    In case nobody has noticed, Oracle patched this Thursday, Java update is aware of it for version 6 and version 7. Good job Oracle, even if this was 4 months late, at least when the exploit was released you moved to patch quickly.

Comments are closed.