November 27, 2012

Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program, KrebsOnSecurity has learned.

The flaw, currently being sold by an established member of an invite-only Underweb forum, targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java (the seller says this flaw does not exist in Java 6 or earlier versions).

According to the vendor, the weakness resides within the Java class “MidiDevice.Info,” a component of Java that handles audio input and output. “Code execution is very reliable, worked on all 7 versions I tested with Firefox and MSIE on Windows 7,” the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. “I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.”

The seller was not terribly specific on the price he is asking for this exploit, but set the expected offer at “five digits.” The price of any exploit is ultimately whatever the market will bear, but this is roughly in line with the last Java zero-day exploit that was being traded and sold on the underground. In August, I wrote about a newly discovered Java exploit being folded into the BlackHole exploit kit, quoting the author of that crimeware tool as saying that “the price of such an exploit if it were sold privately would be about $100,000.”

I have repeatedly urged readers who have no use for Java to remove it from their systems entirely. This is a very complex program that is widely installed (Oracle claims that some 3 billion devices run Java), and those two qualities make it a favorite target for attackers. What’s more, Java is a cross-platform technology, meaning that applications written to run in Java can run seamlessly across multiple operating systems, and so can the attacks that target it. Indeed, some 650,000 Mac users discovered this the hard way earlier this year, when the Flashback worm took advantage of an unpatched vulnerability that was present in Apple’s version of Java.

Apple has since taken steps to unplug Java from the browser in OS X, and this is the very approach I’ve recommended for users who need Java for specific Web sites or applications (see: How to Unplug Java from the Browser). If you need Java for specific Web sites, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
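One way to verify which browser in that two-browser setup still exposes Java is to enumerate the browser’s plug-ins the way a web page (or an exploit kit’s landing page) would. The JavaScript below is an added example, not code from the original post: it reads the `application/x-java-applet;jpi-version=...` MIME type that the Oracle plug-in registered at the time, reports the JRE version it advertises, and flags anything in the range the article describes (Java 7 through Update 9, with Java 6 treated as unaffected per the seller’s claim). The sample plug-in lists are constructed, the plug-in names and descriptions are assumed, and the `fromNavigator` adapter is what you would feed the real `navigator` object in a browser.

```javascript
// Added example (not from the original post): does this browser still expose
// the Java plug-in, and if so which JRE does it report?
//
// In a browser: detectJava(fromNavigator(navigator)). Offline, the constructed
// SAMPLE_* arrays below stand in for navigator.plugins.

// The Oracle plug-in registered one MIME type per installed JRE of the form
// "application/x-java-applet;jpi-version=1.7.0_09".
const JAVA_MIME_RE = /^application\/x-java-applet;jpi-version=(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$/;

// Adapter for a real browser: navigator.plugins is an array-like of Plugin
// objects, and each Plugin is an array-like of MimeType objects with a .type.
function fromNavigator(nav) {
  return Array.from(nav.plugins, p => ({
    name: p.name,
    description: p.description,
    mimeTypes: Array.from(p, m => m.type),
  }));
}

// Parse a jpi-version MIME type into comparable integers; null if it is not one.
function parseJpiVersion(mime) {
  const m = JAVA_MIME_RE.exec(mime);
  if (!m) return null;
  return {
    major: Number(m[2]),                 // "1.7.0_09" -> 7
    update: m[4] ? Number(m[4]) : 0,     // "1.7.0_09" -> 9
    raw: `${m[1]}.${m[2]}.${m[3]}${m[4] ? '_' + m[4] : ''}`,
  };
}

// Collect every Java plug-in a browser exposes. More than one can appear
// (e.g. a stale JRE left behind after an upgrade), so all are returned.
function detectJava(plugins) {
  const versions = [];
  for (const p of plugins) {
    for (const mt of p.mimeTypes) {
      const v = parseJpiVersion(mt);
      if (v) versions.push(v);
    }
  }
  return { enabled: versions.length > 0, versions };
}

// The post says the exploit works against JRE 7 up to Update 9 and, per the
// seller, not against Java 6. Treating every Java 7 release at or below 7u9
// as affected is an assumption drawn from the seller's "all 7 versions" claim.
function isAffected(v) {
  return v.major === 7 && v.update <= 9;
}

// One-line verdict a user checking the "two-browser" setup would want.
function verdict(plugins) {
  const r = detectJava(plugins);
  if (!r.enabled) return 'Java plug-in not exposed to this browser';
  const affected = r.versions.filter(isAffected).map(v => v.raw);
  return affected.length
    ? `Java plug-in enabled, affected JRE(s): ${affected.join(', ')}`
    : `Java plug-in enabled (${r.versions.map(v => v.raw).join(', ')}), none in the affected range`;
}

// Constructed sample inputs (not captured from a real browser). Plug-in names
// and descriptions are assumed to look like what the Oracle plug-in reported.
const SAMPLE_WITH_JAVA7 = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 11.5 r502',
    mimeTypes: ['application/x-shockwave-flash'] },
  { name: 'Java(TM) Platform SE 7 U9', description: 'Next Generation Java Plug-in 10.9.2 for Mozilla browsers',
    mimeTypes: ['application/x-java-applet;jpi-version=1.7.0_09', 'application/x-java-applet', 'application/x-java-vm'] },
];
const SAMPLE_NO_JAVA = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 11.5 r502',
    mimeTypes: ['application/x-shockwave-flash'] },
];
const SAMPLE_JAVA6_AND_7 = [
  { name: 'Java(TM) Platform SE 6 U37', description: 'Next Generation Java Plug-in 1.6.0_37 for Mozilla browsers',
    mimeTypes: ['application/x-java-applet;jpi-version=1.6.0_37'] },
  { name: 'Java(TM) Platform SE 7 U7', description: 'Next Generation Java Plug-in 10.7.2 for Mozilla browsers',
    mimeTypes: ['application/x-java-applet;jpi-version=1.7.0_07'] },
];

console.log(verdict(SAMPLE_WITH_JAVA7));
console.log(verdict(SAMPLE_NO_JAVA));
console.log(verdict(SAMPLE_JAVA6_AND_7));
```

Run the same check in each browser you use: the one you browse with every day should report “not exposed”, and only the browser you reserve for the site that needs Java should report a plug-in at all. The same enumeration is what exploit-kit landing pages performed to decide whether to serve a Java exploit, which is why simply having the plug-in enabled, on any site, is the exposure.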


18 thoughts on “Java Zero-Day Exploit on Sale for ‘Five Digits’”

  1. Rabid Howler Monkey

    These Java plug-in-based exploits are getting out of hand, both zero-day and patched. And *none* of the web browsers sandbox the Java plug-in on *any* operating system.

    Brian, since you have made a recommendation for Sandboxie in your “Tools for a Safer PC” article (towards the end):

    http://krebsonsecurity.com/tools-for-a-safer-pc/

    Why not recommend that Windows users needing to run the Java plug-in in their browser for a select number of web sites install Sandboxie and run their browser of choice in Sandboxie? This way, the Java plug-in process will be sandboxed along with the browser. ‘Trusted’ web sites get hacked too and most users don’t whitelist sites to restrict plug-ins.

    Alternatively, and even more restrictive, one could use the U.S. Air Force Lightweight Portable Security (LPS) LiveCD for visiting web sites that require the Java plug-in. The LiveCD iso is updated approximately quarterly and includes both Firefox and Java with the Java plug-in enabled in the browser by default. The iso also includes the Firefox NoScript add-on (disabled by default).

    P.S. Sandboxing the Java plug-in is a defense-in-depth measure and I am not suggesting that sandboxes, using Sandboxie or otherwise, can’t be escaped.

    1. rb

      As an aside, I am not able to access the LPS website. It displays a “Forbidden” error message.

      1. Rabid Howler Monkey

        Just tried the U.S. Air Force Lightweight Portable Security (LPS) site with both Firefox and Opera and it was working:

        http://www.spi.dod.mil/lipose.htm

        P.S. One can optionally sign up to be notified when a new version of LPS is released.

        1. rb

          Interesting – it was still giving me the forbidden error message this morning. I reconfigured my browser to bypass our proxy and I got right in.

    2. rpw

      I heard LPS runs the browser as root and has an outdated Java…

      1. Rabid Howler Monkey

        Remember that this article is warning about a Java zero-day exploit that is for sale. In this particular case, everyone with Java installed on their PCs is running a vulnerable Java version.

        With regard to Java exploits for vulnerabilities that have been patched, remember that there are many computer users that fail to update their Java. For these users, their installed Java version is likely further behind than that on the current LPS LiveCD.

        A CD-R won’t allow infections to persist on reboot. Thus, running as root really isn’t a problem for limited LiveCD sessions. One can enable the NoScript add-on for Firefox (included in the LPS iso) and control the web sites where the Java plug-in is allowed. Financial web sites have been hacked (e.g., Bank of India) with users redirected to malicious sites serving malware.

        More on LiveCD usage from another of Brian’s excellent articles here:

        http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/

        For individuals that don’t need Java installed on their PCs to run Java applications locally, but DO need the Java plug-in to access certain web site(s) with their browser, the LPS LiveCD provides a reasonably safe option. And as I stated in a previous post, one can sign up to be notified when a new version of LPS is released.

    1. meh

      Didn’t Google get in trouble for trying to sidestep it? Our patent laws and tangled partnerships make it hard for a more secure replacement to replace it.

  2. guest

    He sells it one time? OK, so Oracle should go and buy it.

    Moreover, if they’d offer, say, $50k for a remote 0day, no one will need to sell 0days on underground forums. Oracle can easily afford it, the real problem is that they don’t give a f*ck.

  3. Chika

    Correct me if I am wrong but doesn’t Java have a sandbox. And if people are bypassing the sandbox this easily what if anything does that tell us about Chrome’s vaunted sandbox?

  4. testman

    Digging in the source code I don’t see any trace of a possible exploit around the Info inner class, as it does not have any specific rights like Unsafe. The only odd thing around Midi is some specific thread mechanism to get in sync during Midi message dispatch. If the guy is using a technique such as “in context dispatch” for getting granted (a previous exploit disclosed such a particular context that enables the exploit to happen), maybe there is something to dig further.

    I’ll continue to look at the code in that area, but so far, unless there is something specific in Oracle’s version (not the official OpenJDK ones), I am thinking it is a scam based on FUD from the recent Java exploits that have happened.

  5. Xentheon

    Not a hoax, but the vulnerability is not in the MidiDevice class

  6. Xentheon

    I bought it and sold it to a whitehat firm & doubled my investment 😉

    Hopefully it will get patched next patch cycle.

    1. Joe

      What white hat firms are paying 5 figures for Java exploits? Doesn’t seem plausible.

  7. Shinki-itten

    I had the experience today that I had to activate Java in my browser in order to load a webinar that used WebEx technology. WebEx is used extensively for webinars hosted by law firms and other education providers. Activation (in Firefox) was bothersome, requiring a few steps — more than I expected.

    1. Jonathan

      You don’t need Java to activate WebEx; you can download the WebEx client yourself and install it manually.

  8. christi parks

    Hello, sir, I would like to ask what the scope of Java training is and what topics should be covered; it is kind of bothering me … and has anyone studied this course http://www.wiziq.com/course/1779-core-and-advance-java-concepts of core and advanced Java online?? Or tell me any other guidance…
    I would really appreciate help… and also I would like to thank you for all the information you are providing on Java concepts.
