10
Jan 13

Zero-Day Java Exploit Debuts in Crimeware


The hackers who maintain Blackhole and Nuclear Pack – competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java.

The curator of Blackhole, a miscreant who uses the nickname “Paunch,” announced yesterday on several Underweb forums that the Java zero-day was a “New Year’s Gift,” to customers who use his exploit kit. Paunch bragged that his was the first to include the powerful offensive weapon, but shortly afterwards the same announcement was made by the maker and seller of Nuclear Pack.

According to both crimeware authors, the vulnerability exists in all versions of Java 7, including the latest — Java 7 Update 10. This information could not be immediately verified, but if you have Java installed, it would be a very good idea to unplug Java from your browser, or uninstall this program entirely if you don’t need it. I will update this post as more information becomes available.

Update, 8:47 a.m. ET: Alienvault Labs say they have reproduced and verified the claims of a new Java zero-day that exploits a vulnerability (CVE-2013-0422) in fully-patched versions of Java 7.

Update, 11:46 a.m. ET: As several readers have noted, Java 7 Update 10 ships with a feature that makes it far simpler to unplug Java from the browser than in previous versions. Oracle’s instructions for using that feature are here, and the folks at DHS’s U.S.-CERT are now recommending this method as well.


73 comments

  1. Unplugging Java from the browser…just so happens that this kind of breaks the web.

    How about putting the browser in a containerized malware airlock – segregating it and other targeted applications from the host? Then how about putting advanced behavioral detection capabilities in that environment so you can spot and kill exploits regardless of signature?

    That’s what we do here at Invincea…invite folks out there to hit us up for a trial…www.invincea.com

    • Unplugging Java breaks the Web? That seems like hyperbole to me. I haven’t had Java plugged into any of the browsers I use for surfing the Web for the past two years, and I haven’t missed it once.

      Now, if we’re talking about Javascript, I’d agree with you that, unfortunately, turning off Javascript completely breaks the Web.

      A happy medium is Noscript, Notscripts or some kind of script control environment, but really, regular users should not have Java installed unless they have a specific need for it.

      • I fully agree with Brian…as a private User I do not necessarily need Java at all…but if corporate uses web apps based on Java, disabling Java in general is no option…unfortunately. And I do not see any solution for using Java reg. Internal web apps, but not using it when surfing the Internet…

        Well, we could use 2 different browsers, one for each part…or does anyone see an easy to be configured alternative?

      • I also don’t consider Java Applets as relevant for any web user experience.

        BUT certain vendors rely on Java Applet technology, and – guess what – even certain security authentication mechanisms. One such authentication mechanism is the national SSO-solution in Denmark, called NemID (EasyID). It is used for 95% of banks and almost all interactions with public authorities, including the IRS.

        To make matters worse, NemID has told us all *not* to follow the advice of turning off JVM browser plugins – simply because no one would be able to log on anywhere if we did.

        Denmark is now officially sitting ducks for drive-by applet attacks.

        What we need to do asap is getting rid of JVMs as browser plugins. Java, Silverlight, Flash, etc altogether.

      • I think there is still a lot of confusion when it comes to Java(JRE) and JavaScript. People get it mixed up a lot ;). Personally, i haven’t seen a Java applet used in a very long time on any consumer/end user site.

    • I never install Java on any of my systems and I practically never run across a website that needs it. It happens maybe once or twice a year and then it usually is a very old site that uses Java to do things that other sites do using Flash or jquery.

      Unlike JavaScript, using Java in the browser has become something of the past.

  2. Is there any reason to unplug Java manually rather than use the new “Enable Java content in browser” setting in Java 7 update 10?

    Unchecking the setting appears to completely remove the Java extension/add-on from IE and Firefox. Is there something it misses that leaves browser vulnerable?

    • If that works, great to hear. I haven’t tried it myself yet. I assume Oracle added the feature because people were finding it hard to figure out how to completely unplug Java from the browser. It was so complicated, in fact, that US-CERT had to publish and republish several times advice for doing so in IE, which is particularly tricky. It would be nice to hear from them again whether this solution from Oracle really does the trick.

      • Hi Brian,

        The new (as of 7u10) checkbox for unplugging Java from web browsers seems to work well. In fact, that’s currently the only guidance that I’ve provided in: http://www.kb.cert.org/vuls/id/625617

        I’d like to think that I was *somewhat* responsible for the motivation to add such a feature, but that’s perhaps just optimistic speculation. :)

      • The setting in the Java Control Panel seems to work well. Do you know if there is a command line/registry method of toggling this? Using the GUI doesn’t scale in a large environment.

        • There is a command-line option for the Java installer called “WEB_JAVA=0”, which configures Java at install time to be disabled for web browsers. It would seem to be a bit redundant to have to re-install Java on systems just to get the change rolled out. I’m still investigating to see if there’s a simpler way to do the same thing that doesn’t require a Java reinstall.

  3. Well here we go again with JRE, i fully removed this pile of crud after a nightmare install of version 1.6.0.19 in April 2010, only to find out a few days later that there was a new unpatched exploit, not missed it one bit!

  4. Here is the latest info on how to disable Java in various browsers:

    http://www.java.com/en/download/help/disable_browser.xml

    • This page says it includes Mac OS at the top, but no step-by-step. I found a Java control panel in System Preferences and turned it off similar to windows.

      FYI

  5. Rabid Howler Monkey

    I’m using Java 6 until the bitter end (sometime in early- to mid-2013 for consumers). It’s had a lot less problems recently than has Java 7.

    For those requiring the Java plug-in on Windows to run Java applets, take Brian’s advice here:

    http://krebsonsecurity.com/tools-for-a-safer-pc/

    And either whitelist your allowed (or ‘trusted’) sites with the NoScript add-on for Firefox or the NotScripts extension for Chrome. Alternatively, download, install and configure Sandboxie to run your browser sandboxed as this will also sandbox the Java plug-in process when it runs.

    I only run Java on one desktop Linux system. In order for my browser to even know that Java exists on this system, I have to create a soft link to the Java plug-in file (as root). At the moment, the soft link doesn’t exist. Thus, there’s no Java plug-in.

    • You do realize that Oracle has reportedly already been automatically updating Java 6 clients to Java 7, right?
      http://www.oracle.com/technetwork/java/javase/documentation/autoupdate-1667051.html

      • Rabid Howler Monkey

        Actually, I was not aware of the automatic upgrade to Java SE 7. But, it doesn’t matter to me as Oracle will provide an updated Java SE 6 JDK next month, February, 2013, which will be the last Java SE 6 update available to the public. I’ll upgrade to Java SE 7 either in June, 2013, or earlier if an exploit surfaces for Java SE 6 Update 39.

        As I stated previously, Java SE 7, has been hit more with zero-days recently than has Java SE 6. And the last two Java SE 7 zero-days have not affected Java SE 6. Also, note this text in the Oracle link you provided:

        “Oracle will start auto-updating Windows 32-bit, Java Runtime Environment (JRE) users from JRE 6 to JRE 7 in December 2012.”

        Had I allowed Oracle to automatically upgrade my Java SE 6 to Java SE 7 last month, I would now be running a vulnerable JDK with an exploit-in-the-wild. With Java SE 6, I’m not exposed to this.

        P.S. I’m pretty good about keeping my JDK up-to-date. And I do upgrade to the next version when updates are no longer available to the public for the current version.

      • Rabid Howler Monkey

        Here’s a link to an article that provides more perspective on my decision to stay with Java SE 6 to the bitter end:

        http://blogs.computerworld.com/desktop-apps/21298/choosing-between-java-version-6-or-7

        From Michael Horowitz’ Defensive Computing blog at ComputerWorld dated November 07, 2012. I read the article shortly after it came out and pretty much agreed with it.

        Hope this helps.

        • I could never get Java 6 to work on my Vista x64 system despite using the 32 bit version of IE. I was pleasantly shocked when it suddenly started working for site that needed it, after upgrading to Java 7. I have to have Java anyway, or I’d get rid of it in a heart beat.

  6. Well, I had to resort to clicking on “Manage Add-ons” in the “Tools” button and disabling anything that belongs to Java. I also had to click on “View” in the “Java Runtime Environment Settings” in the Java tab of the JCP and unchecking anything that belongs to Java.

  7. What about users who require java and in many cases old versions? Car Dealership users are forced to use older jre to use franchise maker websites.

  8. When I downloaded Java 7 (10), my icon in the Control Panel mysteriously disappeared, and therefore I cannot find any of the information needed to unplug Java. Can anyone help?

    • I too have seen this behavior. Probably a bug in the Java installer. Search your computer for javacpl.exe and run that. It’s likely in C:\Program Files\Java\jre7\bin

      • I had the same problem with Java 6, and never could get it back even after researching everything I could find on it, and doing everything Oracle said to troubleshoot. I never could get it to work on sites that needed it either. But I only needed it for my router console, and at least that worked. This was true for both XP SP3 and Vista x64, at that time.

        Java 7 finally cured it. Curious? ?:|

  9. Sorry, I forgot to mention I am using Windows XP.

  10. This creates a problem with trying to access my banking account!!! I have to have Java working in order to get into the US Banking account!!!
    The only way out – ICEWEASEL on a stick!! Knoppix Linux on a usb stick and boot from this – then do my banking and get the hell off. This method prevents anyone from addressing the hard drive as the program loads into ram and stays there and disappears when I’m done and, unless you tell it to, it will not store anything.

  11. Do we know if previous versions of Java (like 6) are affected? Or is this vulnerability specific to Java 7?

    • It does not appear to affect Java 6. However since Java 6 will not see any updates after next month (February 2013), it probably wouldn’t be a good idea to stick with it.

      • Rabid Howler Monkey

        Well, I certainly wouldn’t change horses from Java 6 to Java 7 when there’s an exploit for Java 7 in-the-wild and there’s no patch available for the vulnerability(ies) making the exploit possible.

        I will run Java 6 after the planned February, 2013, update until either a vulnerability is disclosed or an exploit surfaces. A number of web sites publish advisories for software including Java SE 6. When disclosed, I will promptly upgrade to Java 7.

        • Well if he uses Secunia PSI; he will probably get away with that, because it will promptly tell him if it is vulnerable or not. Only problem is – it will hound him for having end-of-life applications on board too. :(

      • Rabid Howler Monkey

        Just an example for clarification, Java SE 5 was EOL’d (End of Public Updates) in October, 2009. Vulnerabilities continue to be reported for Java SE 5 because of its continued support for enterprises that choose to pay Oracle for premier, extended or sustaining support:

        “Vulnerability Report: Oracle Java JDK 1.5.x / 5.x”
        http://secunia.com/advisories/product/4621/?task=advisories

  12. Is this only affecting oracle jre, or is it also affecting java from other vendors, ie IBM or icedtea ?

    • I’ve attempted to reproduce the exploit with icedtea, but without success. Though that’s certainly not enough to conclude that it’s not affected.

      With the last Java vul from August, it was concluded that OpenJDK was indeed affected as well, but I seem to recall having a similar experience just attempting to run the PoC as-is. Perhaps it needs a tweak or there are other factors at play. http://www.kb.cert.org/vuls/id/636312

      • Redhat has confirmed that OpenJDK is affected. Part of the confusion of whether or not it was affected is because 1) The exploit takes advantage of more than one weakness in Java to achieve code execution. 2) The PoC sample is crafted to work with Oracle Java, but the fact that it doesn’t work with OpenJDK doesn’t mean that OpenJDK isn’t vulnerable.
        https://bugzilla.redhat.com/show_bug.cgi?id=894172

  13. Do you have any suggestions for disabling the plugin en masse, that is on several hundred machines? That checkbox seems to change quite a few registry keys and a simpler way of doing it would be nice. A single registry key toggle or single command line to execute would be my ideal.

  14. Hi Brian, I saw a link saying it affects all versions of Java. some of my environment is version 6 and some is 7. So I am confused about what to do.

    http://www.csoonline.com/article/726227/java-zero-day-prompts-calls-again-to-disable-it

    thanks
    JS

    • Good thing the update is out now js; and you won’t have to worry – for a while – anyway. *

  15. I got a question regarding Chrome.
    Say, when I visit java.com and press “Do I have Java”, I have to verify that I want java to run. “run this time” or “run always for this website”.
    Doesn’t this work on malicious websites as well?

  16. You got a really useful blog I have been here reading for about an hour. Best of luck and waiting for some new ideas.

  17. Brian, would you be so kind as to fix your link to US-CERT? It’s missing the hyphen.

  18. The included “disable Java within browsers” did not work for me – I am currently running Java 7 Update 10 – but opening my Java Control Panel did not reveal the browser safety settings… my “About” reveals that the control panel is Java 7 Update 1 – kind of worrying really…. I am removing Java completely and doing a full Java reinstall at J7U10 to see if that changes – if not, Java is gone for the time being…

  19. OK – got to the bottom of this – my Win7 64-bit system had Java 7 Update 10 (32-bit) and Java 7 Update 1 (64-bit) – if you have a similar situation, probably a good idea to remove the 64-bit version at J7U1 and restart – as I am doing now…

    • It seems odd to reply to my own post – but this is an update – J7U1-64-bit removed – restarted – CP reports J7R10 properly – but browser removal part of the CP is just NOT THERE. I am removing this Java completely and doing a full install of J7U10 – will update again if I get the browser removal option within the CP after that has completed – also removing Java fx 2.1.1

  20. update: after removing all Java – restarting the computer – downloading the FULL installer of J7U10 – my Java control panel now shows the “enable Java content in the browser” option under the Security tab.

    With an installation that had incrementally updated through releases – the control panel did not show that option on my machine. What is the point of upgrading if not every piece of the software gets upgraded?!?

  21. It seems completely unclear whether the issue exists in Java 6. Does anyone know?

    • Steven, read the story and the comments. There are *no* indications that this vulnerability exists in Java 6. It is Java 7 specific.

      That said, Oracle will stop supporting Java 6 next month, and is already in the process of pushing Java 6 users to Java 7

      • Allow me to put a finer point on it: There are no indications that bad guys/malware are exploiting this in anything but Java 7 right now.

        • Brian: we are experiencing confusion in preparing our response because the associated CVE (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422) shows versions back to 1.4 as vulnerable to this — that would mean a huge difference to us in what response requires this week, so can you provide any insight on why the CVE says more are vulnerable?

          • I hope this answers your question of whether older versions of Java are vulnerable

            http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/

            From that Q&A

            Q: I’m using Java 6. Does that mean I don’t have to worry about this?
            A: There have been conflicting findings on this front, but all indications are that this particular flaw does not exist in anything older than Java 7. The description of this bug at the National Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including version 4 and 5. But Will Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced with Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely.

      • As they say, absence of evidence isn’t the same as evidence of absence.

  22. Any indication if this is only a java on Windows issue, or does it affect Mac and Linux users too?

  23. Does this affect Linux or is it confined to just Windows?

    • The bug is in the runtime library of Oracle’s Java, but it only means that the cracker can run a program as a normal user (the user in whose name the browser was started). It is also unlikely that a hacker cares about linux, the target platforms are mostly windows. But, it does not mean you are invulnerable, only that most likely you won’t have a problem. I suggest however to switch off java in your browser, and if a page requires java (banking operations, etc.) use a separate browser only for that purpose.

  24. According to this site there is no mention of Java 6 Update 36 or 37. I’m not saying that they’re safe but to be specifically not on the list is rather interesting.

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422

    • We considered that internally… but the decision to patch up internally, etc… and then find out it might be vulnerable with further research.

  25. Great Article.

  26. Given that nearly every other networked program out there including FireFox, Chrome, Outlook, Windows, iTunes, etc. have had recent exploits that allow arbitrary code to be executed, maybe they should all be disabled too! The arguments for removing Java from the machine are specious and reek of fear mongering. Given that Java is open source and has been reviewed by thousands and used by millions, it should be riddled with far fewer security bugs than the closed source programs.

    In the short term, just configure the Java plug-in using the ControlPanel to request permission to run until Oracle releases a patch, which should be soon.

    • Maybe:

      But from everything I read on many tech sites everywhere; Java and Adobe are the TOP vectors for criminals bent on pwning your stuff!

  27. I am running on a mac 10.5.8 Leopard, on a powerPC, which means that a) I cannot update beyond this operating system because subsequent OS upgrades will not work on my powerPC chipset.

    Also, Adobe, and other software and utility developers have ceased to include my OS and my chipset among their included upgrades, therefore I only have java 6 and is not included among the automatic upgrades.

    So, can I assume from this that my machine would not be impacted from this recently discovered flaw in the Java SE 7?

    • I’m just guessing, but I would speculate that even if the malware could compromise your browser, they wouldn’t be able to do anything with it. I’ve tested some zero day threats that are supposed to work on Mac, only to find they can’t run on RISC architecture. In fact I’ve had some clients who were under attack by what was obviously concerted efforts by corporate espionage groups, who switched to old PowerPCs and have been able to run again. This doesn’t guarantee they aren’t still under surveillance, but at least they can operate their business.

      When you have the big guns after you, that can take over a new Mac Air with your cell phone! I assume using bluetooth. You know you are a target of interest!

  28. A solution to this problem is to install a portable firefox/chrome/etc. on your computer, where you have enabled java, and use this portable browser for accessing pages, which require java (government portal, banking).

    Disable java in the browser you use for regular surfing.

    Not very elegant way, but at least a safe one.

  29. Rabid Howler Monkey

    More on portable apps (mentioned immediately above by Zsolt Sandor, thx Zsolt) and Java. For those that need access to Java applets served on important web sites and/or Java-based applications, portable apps might be a solution for some users. In fact, one might be able to go Java free on their PC.

    The Firefox portable app:

    http://portableapps.com/apps/internet/firefox_portable

    The portable Java Runtime Environment, jPortable:

    http://portableapps.com/apps/utilities/java_portable

    When you need to access a web site serving Java applets, just plug-in the USB stick with your portable apps and do your browsing. When finished, safely remove the USB stick from the PC. And be sure to keep your portable browser and Java up-to-date.

    In addition, all or, perhaps, some of one’s Java-based apps (read JAR files) might also be placed on the USB stick and run via the Java portable launcher (it works with jPortable, above):

    http://portableapps.com/apps/utilities/java_portable_launcher
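
Comments 18 to 20 above describe a machine that carried two Java 7 installs at different update levels, and several commenters ask how to handle this across hundreds of machines. The triage below is an added example, not code from the original post or from any commenter: it reads a constructed inventory and applies only the version facts stated on this page (Java 7 through Update 10 exposed to CVE-2013-0422, no indication for Java 6 and older). The host names, inventory rows and status labels are hypothetical.

```python
import re

# Legacy Java version strings look like "1.7.0_10" or "1.7.0_01-b08".
_VERSION_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?(?:-[\w.]+)?$")

# The article names Java 7 Update 10 as the latest affected release.
LAST_UPDATE_NAMED_ON_PAGE = 10

# Hypothetical status labels, least to most urgent.
SEVERITY = ["not-indicated", "check-advisory", "unparsed", "exposed"]

# Constructed inventory rows: host, JRE bitness, version string.
SAMPLE_INVENTORY = """
ws-014,32-bit,1.7.0_10
ws-014,64-bit,1.7.0_01
ws-022,32-bit,1.6.0_37
ws-031,64-bit,1.7.0
ws-040,32-bit,build-unknown
"""


def parse_java_version(text):
    """Return (major, update) for a '1.<major>.<minor>_<update>' string, else None."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2) or 0)


def classify(version_text):
    """Map one JRE version string to a status using only this page's facts."""
    parsed = parse_java_version(version_text)
    if parsed is None:
        return "unparsed"  # never assume an unreadable version is safe
    major, update = parsed
    if major == 7 and update <= LAST_UPDATE_NAMED_ON_PAGE:
        return "exposed"  # Java 7 through Update 10 (CVE-2013-0422)
    if major < 7:
        return "not-indicated"  # no indication the flaw predates Java 7
    return "check-advisory"  # newer than anything this page describes


def triage(inventory_text):
    """Group rows by host; report every JRE, the worst status, and mixed installs."""
    hosts = {}
    for line in inventory_text.strip().splitlines():
        host, arch, version = (field.strip() for field in line.split(","))
        entry = hosts.setdefault(
            host, {"installs": [], "status": SEVERITY[0], "mixed": False}
        )
        status = classify(version)
        entry["installs"].append((arch, version, status))
        if SEVERITY.index(status) > SEVERITY.index(entry["status"]):
            entry["status"] = status
    for entry in hosts.values():
        # Side-by-side JREs at different levels (comment 19) need each one handled.
        entry["mixed"] = len({version for _, version, _ in entry["installs"]}) > 1
    return hosts


if __name__ == "__main__":
    for host, entry in sorted(triage(SAMPLE_INVENTORY).items()):
        flag = " (mixed installs)" if entry["mixed"] else ""
        print(f"{host}: {entry['status']}{flag}")
        for arch, version, status in entry["installs"]:
            print(f"    {arch:7} {version:14} {status}")
```

A host takes the worst status of any JRE on it, so a current 32-bit install does not hide an older 64-bit one.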