August 29, 2012

New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.

Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.

“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”

ONE BILLION USERS AT RISK?

How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7? (All versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions.)

To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia’s 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.

EXPLOIT WORKS AGAINST OS X, LINUX

Not long after news broke that miscreants were exploiting an unpatched security hole in Java to break into PCs, I began seeing tweets from non-Windows users urging people to switch to Mac OS X or Linux. Unfortunately, this latest Java exploit has been shown to work flawlessly to compromise browsers on all three operating systems.

According to Rapid7, the Java exploit found being used in targeted attacks (CVE-2012-4681) is now available as a plug-in to Metasploit, a free software tool built to test the security of networks. Rapid7 said the exploit has been successfully tested to work against nearly all browser configurations on Windows systems, and against Safari on OS X 10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04.

WHO BURNS THROUGH TWO ZERO-DAYS IN ONE SHOT?

On Monday, I interviewed the author of the BlackHole exploit kit, an extremely popular software package sold in the underground that is designed to be stitched into hacked sites and use browser exploits to drop malware on visiting PCs. The BlackHole author said he intended to (and did, it appears) fold the exploit into his kit, but said he was surprised that someone would just leak such a reliable exploit, which he said would fetch at least $100,000 if sold privately in the criminal underground.

This stats page, shared by researchers at Seculert, comes from a working BlackHole exploit panel. The success rate of this kit — 21 percent — is roughly double the normal rate thanks to the inclusion of this Java zero-day.

But lost in all of the coverage of this vulnerability is the growing body of evidence suggesting this Java exploit was first wielded in targeted espionage attacks of the sort used to extract corporate and government secrets. So who burns through two zero day flaws to execute a targeted attack? In all likelihood, an individual or group motivated by a non-materialistic ideology, or at least a certainty that what will be gained is worth far more than the vulnerability itself.

Experts at Silicon Valley-based AlienVault published an analysis that highlighted some interesting text strings in the exploit (“xiaomaolv” and “conglaiyebuqi”) which suggest the initial attacks were paired with Chinese crimeware known as the Gondad Exploit Kit.

Other curious markers in the exploit code indicate that the targeted attacks were carried out using Internet servers that have been connected with other targeted espionage attacks traced back to Chinese threat actor groups. Among the control servers used in this latest attack was “domain.rm6.org,” an Internet address that played a central role in the Nitro attacks of 2011, which according to Symantec and other security firms was a series of Chinese-based espionage attacks directed against at least 48 chemical and defense companies.

Unfortunately, the miscreants involved in these targeted attacks were finding success with the same resources and tools as far back as 2010 and earlier. That’s according to a presentation given in 2010 by exploit and malware researchers Val Smith and Anthony Lai, called “Balancing the Pwn Deficit” (PDF).

The paper details the history and methods of Chinese hacking groups, and notes that the two strings found in the most recent Java exploit are a favorite invocation for script variables that are re-used in various attack tools of Chinese origin. The terms “xiaomaolv” and “conglaiyebuqi” and several others used, they found, come from lyrics from songs by the artist known as Jay Zhou.

“The fact that there are embedded song lyrics, potentially tells us several things,” they wrote. “One, it helps to confirm that this attack was created in the geographic region assumed. It is unusual for attackers from one country and language, to take lyrics from a popular song in another country and language and embed them in their attacks.”

PATCH AVAILABLE?

As I noted earlier this week, Oracle has moved Java to a patch cycle of every four months, and its next security update is not scheduled until October. On Tuesday, I contacted Oracle to find out if they intended to address this problem separately before then, but I have not yet received a response. Nor could I find any mention of this problem on any of the various Java blogs that Oracle inherited when it took control of Java from Sun a few years ago. In fact, most of those Java blogs seem to have gone missing.

In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.

Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java?” link. Mac users can use the Software Update feature to check for any available Java updates.

If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

For browser-specific instructions on disabling Java, click here. If you want to test whether you’ve successfully disabled Java, check out Rapid7’s page, isjavaexploitable.com.
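The checks above are per-browser and manual. For an administrator who has to find every machine in a fleet still carrying a Java 7 runtime, the following is an added example (not code from this article or from Oracle, Rapid7 or Secunia) that classifies captured `java -version` output per host according to the article’s statement that every Java 7 build is affected and Java 6 is not. The host names and version strings are constructed; the `fixed_update` parameter is an assumption that lets the check treat a later Java 7 update as patched once one is known. Note what this does not tell you: it reports which runtime is installed on the PATH, not whether the browser plugin is disabled, which is the mitigation the article actually recommends.

```python
"""Inventory check for the Java 7 lineage discussed above (constructed example)."""
import re
from typing import Dict, NamedTuple, Optional

# `java -version` prints e.g.  java version "1.7.0_06"  (on stderr, not stdout,
# so capture 2>&1 when collecting it). The build line that follows does not match.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


class JavaVersion(NamedTuple):
    family: int      # Java SE family: 6 for "1.6.0_xx", 7 for "1.7.0_xx"
    update: int      # the "Update N" number; 0 when the string has no _N suffix
    openjdk: bool    # True when the runtime identifies itself as OpenJDK/IcedTea


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Return the parsed version, or None when no Java runtime answered."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    return JavaVersion(
        family=int(m.group(1)),
        update=int(m.group(2) or 0),
        openjdk="OpenJDK" in output or "IcedTea" in output,
    )


def classify(v: Optional[JavaVersion], fixed_update: Optional[int] = None) -> str:
    """Classify one host.

    fixed_update=None reproduces the article's position: every Java 7 build is
    affected, Java 6 is not. Once a fixed Java 7 update is known, pass its number
    (assumed parameter) to treat that update and later ones as patched.
    """
    if v is None:
        return "no Java runtime found"
    if v.family < 7:
        return "not affected by this flaw (pre-Java 7 lineage)"
    if fixed_update is not None and v.update >= fixed_update:
        return "Java 7, at or above the fixed update"
    # The page notes OpenJDK 7 shares the bug even though the public exploit
    # needs modification to run on it, so it is flagged like Oracle's build.
    return "AFFECTED Java 7" + (" (OpenJDK)" if v.openjdk else "")


def triage(captures: Dict[str, str], fixed_update: Optional[int] = None) -> Dict[str, str]:
    """Map each host name to its classification."""
    return {host: classify(parse_java_version(out), fixed_update)
            for host, out in captures.items()}


# Constructed `java -version` captures; these are not real hosts.
SAMPLE_CAPTURES = {
    "win-desk-01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "win-desk-02": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b05)\n',
    "mac-lap-03":  'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n',
    "linux-ws-04": 'java version "1.7.0_03"\nOpenJDK Runtime Environment (IcedTea7 2.1.1)\n',
    "linux-ws-05": "bash: java: command not found\n",
}

if __name__ == "__main__":
    # With no fixed update known, every Java 7 host is flagged.
    for host, status in triage(SAMPLE_CAPTURES).items():
        print(f"{host:12} {status}")
```

Run it as-is to see the article-era view; call `triage(SAMPLE_CAPTURES, fixed_update=7)` to see how the output changes once an update number is treated as the fix, which the reader comments below discuss.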


60 thoughts on “Researchers: Java Zero-Day Leveraged Two Flaws”

  1. JimV

    Since a high proportion of websites in normal use by many users are effectively rendered dysfunctional by disabling Java (many without non-Java versions), I’m inclined to think that Oracle’s Java team is likely working overtime toward an emergency patch. No matter how beneficial the use of Java might be in design of a site to deliver any company’s services or wares, those 3rd-party entities have come to rely upon Sun/Oracle for their sites’ basic functionality in their user interface.

    If the tech-savvy users can’t get the site to work because Java has been disabled as a proactive security measure, those companies lose business; if less-savvy users haven’t disabled Java but get tagged by a site which has been compromised before the site owner recognizes that and takes it down, those 3rd-party entities not only get pilloried in the media afterwards but risk serious financial exposure through litigation. How quickly Oracle might move in issuing a corrective patch for the flaws discovered would have some bearing on whether and how much of the litigation risks and ultimate responsibility for any losses could be transferred from the compromised site owners to Oracle. It would certainly have even more impact on how willing the large market they’ve built over the past decade will continue to tolerate lackadaisical response in the face of exposure to a serious, known threat in active exploit, and Oracle certainly wants to protect that market it’s built.

    1. BrianKrebs Post author

      Hrm. I’m not sure I’d agree that so many sites use Java. You might be thinking of Javascript, which is a different beast and is indeed used on a majority of Web sites.

      I haven’t had Java plugged into any of my browsers for months, and haven’t yet found a need to plug it back in.

      1. shinki-itten

        Actual Java (not Javascript) is required for many legal reference sites ranging from on-line treatises to government document and ordinance repositories.

          1. shinki-itten

            I have to take it back. A pay site I often use for legal treatises (CEB.com) has just switched from “powered by Java” to “powered by Rocket Folio/NXT.” The Java icon no longer appears when the treatise is retrieved. Two governmental document repository sites I checked have also switched to non-Java engines since I last used them.

        1. Stefan

          Which still does not rely on Java on the CLIENT side.

        2. Stefan

          Sorry for double post. But the “rather HTML” is completely wrong. JSP/Servlets still produce HTML/XHTML (or in case of Servlets potentially any type of content) and not “Java Code”.

      2. JimV

        Brian, I was perhaps a little confused although I knew Java was the programming language and JavaScript was the Netscape-derived scripting process (what I sorta think of as a pseudo-language), but before I’d posted the above I reviewed the Wikipedia articles for both and the statement in the JavaScript article under the “Scripting engine” section made me think there had been a much stronger association established with Java v6:

        “The Java programming language, in version SE 6 (JDK 1.6), introduced the javax.script package, including a JavaScript implementation based on Mozilla Rhino. Thus, Java applications can host scripts that access the application’s variables and objects, much like web browsers host scripts that access the browser’s Document Object Model (DOM) for a webpage.”

        Thanks for the clarification and gentle response — the intent of my comment (that Oracle would move quickly with a patch) seems to have been borne out though, as Oracle has today released both 32-bit and 64-bit versions of update 7, which reportedly is not vulnerable to the exploit that generated such widespread advice among security professionals to disable or remove Java.

  2. JTK

    So how do we defend against something that some companies choose to use that is so difficult to defend against? It seems like we are chasing our tails.

    1. Jim

      The defense is actually pretty simple. Be proactive. I have all of my browsers set to only run Java when I specifically tell them to. That means running NoScript in Firefox, enabling Click-To-Play in Chrome, and setting “Scripting of Java Applets” in IE to Prompt instead of Allow.

  3. ECH

    Disable Java in Opera: View > Developer Tools > Plug-ins > Java(TM) Platform SE 7 U6 – 10.6.2.24 > [button] click to disable/enable

  4. huh?

    There have been some discrepancies in what we are seeing on the rapid7 site.
    1. it is reporting some users are on Java version 1.6.31 when they are on 34.
    2. it reports that the users are susceptible to vulnerabilities. it does not specify this specific vuln. which may result in people running out and updating to the latest and “greatest”(?) version of java thus making them susceptible.

    1. SusanB

      I’ve also noticed some discrepancies on the Rapid7 site. With both Chrome and Safari for Mac, it is reporting a non vulnerable version of Java is installed, even though I have specifically turned off Java in both of those Browsers. For my Firefox on Mac, it reports no plugin found.

  5. muffin

    i took java off my computer several years ago as a result of reading your column, brian. in those years, there has been only one time when i needed java to visit a website–it was the verizon computer speed test. i simply used another speed test website that did not require java. so, i’m doing fine without java. thanks, brian for all that you do for the many novice computers users like me.

  6. Rabid Howler Monkey

    From the article:
    “As I noted earlier this week, Oracle has moved Java to a quarterly patch cycle”

    Brian, Oracle’s schedule for Java SE security updates is on a 4-month cycle:

    http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

    Search for “Oracle Java SE Critical Patch Update Schedule” at the above link and you will find the following:

    “The next three dates for Oracle Java SE Critical Patch Updates are:
    16 October 2012
    19 February 2013
    18 June 2013”

  7. bob

    Always worth mentioning…

    If you’re an OpenOffice fan but would like a version that’s updated a little more recently and doesn’t require any java at all, try the LibreOffice* fork.

    * libreoffice.org

    1. Rabid Howler Monkey

      Neither OpenOffice nor LibreOffice require that a Java Runtime Environment (JRE) is installed on the user’s system. With no JRE installed, one loses the functionality of Base (a single-user, relational database management system similar to Microsoft Access) and some Wizards. Base, on both OpenOffice and LibreOffice, is built with the Java-based HSQLDB:

      http://hsqldb.org/web/openoffice.html

      1. Solo Owl

        You can use Base with engines other than HSQLDB. There is at least one without any Java code. See
        http://www.libreoffice.org/get-help/faq/general-faq/does-libreoffice-require-java/

        However, Java and the Java Access Bridge are *required* for OpenOffice and LibreOffice to “expose” their accessibility APIs to the major accessibility applications — e.g., for blind or legally blind users. This is unfortunate, especially because there is an undocumented trick involved in enabling JAB in OOo or LibO (after enabling Java, you should restart OOo or LibO before enabling JAB; or reboot).

        1. Rabid Howler Monkey

          Solo Owl wrote:
          “You can use Base with engines other than HSQLDB”

          A very good point (I was looking from the perspective of a personal database for non-geek users). One can use Base as a front-end to external databases on multi-user database management systems such as MySQL, PostgreSQL, etc. as Base provides both ODBC and direct (along with JDBC) access as connection options.

          In addition, geeks can install and configure MySQL, PostgreSQL, etc. for use as their personal database. Just like on Windows, geeks can install and configure Microsoft SQL Server Express for their personal database and use MS Access as a front-end.

  8. gtodon

    I do need Java for certain websites (mostly Yahoo Games), and I’ve followed Brian’s advice to use a “two-browser approach.” Most of the time, I run Firefox with the Java plugin disabled. And then I run Chrome with Java enabled for a couple of hours every evening.

    I understand that this is still dangerous, but I’m wondering: how dangerous is it? Fellow commenters, I’m not as tech-savvy as most of you are, so could you please explain to me: Is doing as I’ve described truly dangerous? And if so, what exactly are the risks?

    1. JCitizen

      If you were to download or get a driveby that could activate on your system, it would still find Java installed and attack the system. That is how I understand it. But having the plugin enabled makes a driveby easier to pull off. I assume most limited user accounts could fend off some malware attempts, but the browser is easier to pwn through the plug-in.

      Someone please correct me if I’m wrong.

      1. mechBgon

        Security researcher Dino Dai Zovi has a slideshow he named “Attacker Math,” available in PDF form here:

        trailofbits.com/resources/attacker_math_101_slides.pdf

        Page 9 shows the general train of security mitigations of some browsers. Page 10 adds Java. Not to overgeneralize, but the idea is that a Java exploit may simply take an end-run around the browsers’ security gameplans.

        For myself, the last valid use I had for Java in a browser was the management software for an APC uninterruptible power supply. In that case, I used the computer’s Local Group Policy to disable Java in Internet Explorer for the Internet Zone, then added the UPS’s management page to the Trusted Sites zone and permitted Java on Trusted Sites.

        For those interested in that Group Policy setting, it’s in:

        Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Internet Zone > Java Permissions. It’s counterintuitive, but you ENABLE the setting to make it apply, then choose DISABLE JAVA as the policy. Duplicate this setting in the Locked-Down Internet Zone as well.

        Since the Internet Zone is the default that applies to sites that haven’t been categorized otherwise, it’s the main concern. Note that the “Java permissions” setting is the effective one here, not “Scripting of Java applets.”

          1. mechBgon

            Cool! Thanks David! I’m surprised they didn’t use their friendly “Fix-It” approach, but that’s still handy.

            I did ask an author on the IE team blog why the Java toggle has disappeared from the Internet Options user interface. It used to be there, now it’s not. They left in the Scripting Of Java Applets option, but it turns out not to be effective. D’oh!

        1. JCitizen

          Excellent mechBgon and David!

          I’ll do that Group Policy fix; and set my UTM gateway page as trusted. It uses java unfortunately.

    2. Solo Owl

      Gaming and gambling sites are dangerous — many are run by sleazeballs, as Brian has documented.

      For what it’s worth, more than half of the infected PCs I have seen have visited multiple game sites and/or shopping bargain sites. They usually have 5 or more “search bars” installed in each browser. My preferred fix is to wipe the hard disk.

  9. Nic

    OpenBSD patches holes within an hour but hardly ever has any.

    Oracle patches holes within 3 months, and has tons of them.

    It would be interesting if OpenBSD had a yearly budget of $10 million, rather than $130,000. Just imagine the breathtaking advancements in security.

    1. Rabid Howler Monkey

      Hopefully, the OpenBSD project would take a good portion of the $10 million and improve its usability.

      When I last ran OpenBSD, it was at version 4.1. Installation was challenging, but I successfully got it installed on 2 laptops and as a guest OS in a virtual machine. The dual-install on one laptop was *very* challenging. Next was kernel updates, which, thankfully, are much less common than on Linux and Windows. However, one had to download the patch, place it in exactly the right location and build the kernel. And by build, I’m talking about running ‘make’ and ‘make install’ via the CLI. Lastly, OpenBSD is on a 6-month upgrade cycle and each version (e.g., 4.1) is supported for 12 months. Thus, one must upgrade OpenBSD somewhere between every 6 months and every 12 months.

      Back on topic, both Linux and BSD users are waiting to hear from the security community (or Oracle) whether or not OpenJDK has the same vulnerabilities that are currently being exploited in Oracle’s proprietary Java SE 7.

      Finally, for mere mortals that wish to try BSD, there’s PC-BSD (which also offers a LiveDVD) and Debian k-freebsd (experimental, but you get Debian’s package management).

  10. JCitizen

    I followed Brian’s link to the test site; the report says I have no detectable vulnerable Java versions. The site infers that if they can’t detect your Java, they may not attack. Maybe I’m reading too much into this? I use Java and don’t have it disabled to my knowledge.

    I have the following Java products installed:

    Java 7 Update 6 (64-bit) Oracle 8/22/2012 127 MB 7.0.60
    Java(TM) 6 Update 33 Oracle 5/8/2012 95.7 MB 6.0.330
    Java(TM) SE Runtime Environment 6 Update 1 Sun Microsystems, Inc. 10/7/2008

    Secunia PSI has not popped a warning yet. I went to the site using Dragon and IE9 fully updated.

  11. Mike

    On IE 9, does pushing the security slider all the way to the top protect from this Java exploit? I went to the Rapid7 web site, and it said it could not detect my version of Java without JavaScript enabled. The Java web site could not run Java with the slider at the top.

  12. Paul

    I guess, Secunia PSI/CSI users are by no means “representative sample”. Ones using Secunia’s products are security-aware, so real-world vulnerability may be way higher than indicated by CSI/PSI.

    OTOH, the Java plugin is not an obligatory component. You may install the JRE/JDK without it, still having access to local Java software. However, this approach leaves open another, unmentioned attack vector: JNLP. This attack will succeed even with the Java plugin disabled, because it uses native OS mechanisms. To be totally secure, you should unregister/disable the .jnlp extension and MIME type recognition in your OS (or don’t install the JNLP handler, if it’s an option during install – I don’t remember…)

    1. JCitizen

      That sounds closer to what my foggy memory supports. Thanks!

    2. Uzzi

      From an abusedesk point of view 80% of Java installations date back to system setup and are never updated at all…

  13. Ian Hardie

    Great, so we’re encouraged to install the latest versions as they’re “more secure” and yet this exploit only affects 1.7, good grief……

    Oracle really need to pull their fingers out – are there any contact details so end users can apply pressure to Oracle?

  14. Niels

    How does anti-virus mitigate this risk? Can I trust an anti-virus solution to stop those attacks?

    1. JCitizen

      No one solution whether AV or AM can stop all attacks. Only a blended defense can come close; and only then will you reach about 97% success. After that – only solutions that can protect in an infected environment do any good.

      If you have much to protect – like banking – then maybe a LiveCD is the solution.

  15. Georg Wicherski

    I highly doubt any sane person pays 100k USD for a Java 0day. Otherwise I could probably make 90k by next week, buying one for 10k and reselling…

    1. JimN

      “sane person” no. Government/Company/Organized Crime, Yes.

  16. Ben H

    Is Java FX 2.1.1 vulnerable like Java7.6 as I noticed it was installed along with Java7.6 when I changed from version 6 a few weeks ago?
    And if I remove Java 7.6 from my system should I also remove FX 2.1.1.

    Can anyone advise a non technical user please?

  17. Christoph

    I highly doubt that the interpretation of ‘1 billion devices’ affected is actually anywhere near correct.

    The ‘3 Billion devices run Java’ message does not mean that 3 billion windows PCs run Java … therefore using the PSI statistics as a baseline is not sound logic.

    If we knew how many Windows PCs run Java, then we could start coming up with estimates about how many Java 7 installs for Windows are out there, based on the PSI stats …..

  18. John

    Can anyone confirm that Java update re-enables a previously disabled browser plugin ?

  19. Bloofinpork

    I’m pretty sure the Rapid7 page is … somewhat incomplete. It doesn’t seem to know the difference between Sun/Oracle Java and the Opensource IcedTea java.

  20. Rabid Howler Monkey

    For OpenJDK users on Linux and BSD, IcedTea 2.3.1 as well as a patch for those needing to rebuild their packages were released on Aug. 29:

    http://gnu.wildebeest.org/blog/mjw/2012/08/30/java-bug-cve-2012-4681/

    This IcedTea update and patch fix the current Java 0-day vulnerabilities. Of special note, the current exploit that is in-the-wild will not work with OpenJDK without modification. However, OpenJDK is vulnerable, so apply the update when it is made available. The various distros should begin rolling this out today.

    P.S. Anyone know where an OpenJDK Windows binary can be downloaded from? Just kidding.

  21. George G.

    “all versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions”.

    I have Java 6.0.33 on my Firefox (use NoScript, manually enabling sites as needed). However, I disabled it quite a while ago.

    When I run isjavaexploitable.com it tells me :
    “WARNING: Your Java version is exploitable! Java Version 6 Update 33 detected. To secure this system you should disable the browser plugin, uninstall Java, or download an updated version.”

    How come it does not detect that Java is disabled ? How can one trust isjavaexploitable if it cannot detect disabling (I checked – Java is still disabled) ?
    Not to mention that the version is 6.

    1. Bloofinpork

      George, I believe something is amiss in your configuration. If I go to isjavaexploitable with noscript enabled, I get “You’ll need to enable Javascript for us to detect your Java version” — which is what I’d expect.

      1. George G.

        Thanks for the response, Bloofinpork.

        Yes, I got the exact same message as you did.

        Then I manually enabled isjavaexploitable and got the response described in my comment of Aug. 30 (to which you replied).

          1. George G.

            Thanks, Uzzi.

            The URL you provided refers to “Comment on: New Java 7 exploit can potentially affect Macs”
            I use Windows.

            Also, when I try to bring up digitaloffense.net my WOT warns me that “This site has a poor reputation based on
            user ratings.” So I did not go ahead and bring it up.

  22. JCitizen

    Yesterday I finally received the Java 7 update from File Hippo Update Checker; guess it just takes time.

    After installing it, I went back to the site, and this time it detected the old Java 6 version 33 correctly, and marked my browser (Comodo Dragon) as vulnerable. So I uninstalled the older version, and isjavaexploitable once again reports the same browser as safe.

    Seems they couldn’t detect the old version without the new Java 7 being on board?! ?:\ (On this Chrome derivative that is)

    1. JCitizen

      Flash is going away on all modern browsers, and Apple pretty much said they were dumping it. If you can’t display flash content now, I’d be surprised. (I guess – not having to play with Apples much)
