Posts Tagged: zero day


16
Jan 13

New Java Exploit Fetches $5,000 Per Buyer

Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned.

javared

Update, Apr. 2, 2:57 p.m. ET: This sales thread turned out to be an elaborate hoax designed by a cybercrime forum administrator to learn the screen name I was using to browse exclusive sections of his forum. See this story for more information on that.

Original story:

On Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each.

The hacker forum admin’s message, portions of which are excerpted below, promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits, including the Cool Exploit Kit I wrote about last week that rents for $10,000 per month. From his sales pitch:

“New Java 0day, selling to 2 people, 5k$ per person

And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.

Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.” Continue reading →


13
Jan 13

Oracle Ships Critical Security Update for Java

Oracle has released a software update to fix a critical security vulnerability in its Java software that miscreants and malware have been exploiting to break into vulnerable computers.

javanix2Java 7 Update 11 fixes a critical flaw (CVE-2013-0422) in Java 7 Update 10 and earlier versions of Java 7. The update is available via Oracle’s Web site, or can be downloaded from with Java via the Java Control Panel. Existing users should be able to update by visiting the Windows Control Panel and clicking the Java icon, or by searching for “Java” and clicking the “Update Now” button from the Update tab.

This update also changes the way Java handles Web applications. According to Oracle’s advisory: “The default security level for Java applets and web start applications has been increased from “Medium” to “High”. This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.”

It’s nice that Oracle fixed this vulnerability so quickly, but I’ll continue to advise readers to junk this program altogether unless they have a specific need for it. For one thing, Oracle tried (and failed) to fix this flaw in an earlier update. Also, it seems malware writers are constantly finding new zero-day vulnerabilities in Java, and I would not be surprised to see this zero-day situation repeat itself in a month or so. Also, most users who have Java installed can get by just fine without it (businesses often have mission-critical operations that rely on Java).

If you need Java for a specific Web site, consider adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.


27
Nov 12

Java Zero-Day Exploit on Sale for ‘Five Digits’

Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program, KrebsOnSecurity has learned.

The flaw, currently being sold by an established member of an invite-only Underweb forum, targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java (the seller says this flaw does not exist in Java 6 or earlier versions).

According to the vendor, the weakness resides within the Java class “MidiDevice.Info,” a component of Java that handles audio input and output. “Code execution is very reliable, worked on all 7 version I tested with Firefox and MSIE on Windows 7,” the seller explained in a sales thread on his exploit. It is not clear whether Chrome also is affected. “I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.”

The seller was not terribly specific on the price he is asking for this exploit, but set the expected offer at “five digits.” The price of any exploit is ultimately whatever the market will bear, but this is roughly in line with the last Java zero-day exploit that was being traded and sold on the underground. In August, I wrote about a newly discovered Java exploit being folded into the BlackHole exploit kit, quoting the author of that crimeware tool as saying that “the price of such an exploit if it were sold privately would be about $100,000.”

Continue reading →


1
Oct 12

In a Zero-Day World, It’s Active Attacks that Matter

The recent zero-day vulnerability in Internet Explorer caused many (present company included) to urge Internet users to consider surfing the Web with a different browser until Microsoft issued a patch. Microsoft did so last month, but not before experts who ought to have known better began downplaying such advice, pointing out that other browser makers have more vulnerabilities and just as much exposure to zero-day flaws.

This post examines hard data that shows why such reasoning is more emotional than factual. Unlike Google Chrome and Mozilla Firefox users, IE users were exposed to active attacks against unpatched, critical vulnerabilities for months at a time over the past year and a half.

Attackers exploited zero-day holes in Internet Explorer for at least 89 days over the past 19 months.

The all-browsers-are-equally-exposed argument was most recently waged by Trend Micro‘s Rik Ferguson. Ferguson charges that it’s unfair and unrealistic to expect IE users to switch — however briefly — to experiencing the Web with an alternative browser. After all, he says, the data show that other browsers are similarly dogged by flaws, and switching offers no additional security benefits. To quote Ferguson:

“According to this blog post, in 2011 Google’s Chrome had an all time high of 275 new vulnerabilities reported, the current peak of an upward trend since its day of release. Mozilla Firefox, while currently trending down from its 2009 high, still had a reported 97 vulnerabilities. Microsoft’s Internet Explorer has been trending gradually down for the past five years and 2011 saw only 45 new vulnerabilities, less than any other browser except Apple’s Safari, which also had 45. Of course raw numbers of vulnerabilities are almost meaningless unless we consider the respective severity, but there again, of the ‘big three’ the statistics favour Internet Explorer. If zero-day vulnerabilities have to be taken into consideration too, they don’t really do much to change the balance, Google Chrome 6, Microsoft Internet Explorer 6 and Mozilla Firefox 4. Of course different sources offer completely different statistics, and simple vulnerability counts are no measure of relative (in)security of browsers, particularly in isolation. However, it cannot be ignored that vulnerabilities exist in every browser.”

Looking closer, we find that this assessment does not hold water. For one thing, while Ferguson acknowledges that attempting to rate the relative security of similar software products by merely comparing vulnerabilities is not very useful, he doesn’t offer much more perspective. He focuses on unpatched, publicly-highlighted vulnerabilities, but he forgets to ask and answer a crucial question: How do browser makers rate in terms of unpatched vulnerabilities that are actively being exploited?

Part of the problem here is that many security pundits rank vulnerabilities as “zero-day” as long as they are both publicly identified and unfixed. Whether there is evidence that anyone is actually attacking these vulnerabilities seems beside the point for this camp. But I would argue active exploitation is the most important qualifier of a true zero-day, and that the software flaws most worthy of worry and action by users are those that are plainly being exploited by attackers.

To that end, I looked back at the vulnerabilities fixed since January 2011 by Google, Microsoft and Mozilla, with an eye toward identifying true zero-day flaws that were identified publicly as being exploited before the vendor issued a software patch. I also queried both Mozilla and Google to find out if I had missed anything in my research.

As Ferguson mentioned, all browser makers had examples over the past 19 months of working or proof-of-concept exploit code available for unpatched flaws in their products. However, both my own investigation and the public record show that of the three browsers, Internet Explorer was the only one that had critical, unpatched vulnerabilities that were demonstrably exploited by attackers before patches were made available. According to Microsoft’s own account, there were at least six zero-days actively exploited in the past 18 months in IE. All but one of them earned Microsoft’s most dire “critical” rating, leaving IE users under zero-day attack for at least 152 days since the beginning of 2011.

If we count just the critical zero-days, there were at least 89 non-overlapping days (about three months) between the beginning of 2011 and Sept. 2012 in which IE zero-day vulnerabilities were actively being exploited. That number is almost certainly conservative, because I could find no data on the window of vulnerability for CVE-2011-0094, a critical zero-day flaw fixed in MS11-018 that Microsoft said was being attacked prior to releasing a patch for it. This analysis also does not include CVE-2011-1345, a vulnerability demonstrated at the Pwn2Pwn contest in 2011.

Continue reading →


21
Sep 12

Microsoft Fixes Zero-Day, Four Other Flaws in IE

Microsoft has released an emergency update for Internet Explorer that fixes at least five vulnerabilities in the default Web browser on Windows, including a zero-day flaw that miscreants have been using to break into vulnerable systems.

The patch, MS12-063, is available through Windows Update or via Automatic Update. If you installed the stopgap “fix it” tool that Microsoft released earlier this week to blunt the threat from the zero-day bug, you need not reverse or remove that fix it before applying this update. The vulnerability resides in IE 7, 8, and 9, on nearly all supported versions of Windows, apart from certain installations of Windows Server 2008 and Windows Server 2012.

Separately, Microsoft issued an update for vulnerabilities in Adobe Flash Player in Internet Explorer 10 on all supported versions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10. Adobe addressed these in two separate Flash updates last month, including a fix for Flash zero-day that has been under active attack.


18
Sep 12

Internet Explorer Users: Please Read This

Microsoft is urging Windows users who browse the Web with Internet Explorer to use a free tool called EMET to block attacks against a newly-discovered and unpatched critical security hole in IE versions 7, 8 and 9. But some experts say that advice falls short, and that users can better protect themselves by surfing with an alternative browser until Microsoft issues a proper patch for the vulnerability.

The application page of EMET.

EMET, short for the Enhanced Mitigation Experience Toolkit, is a tool that can help Windows users beef up the security of commonly used applications, whether they are made by a third-party vendor or by Microsoft. EMET allows users to force applications to use one or both of two key security defenses built into Windows Vista and Windows 7 — Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

Before I get into the how-tos on EMET, a few caveats. EMET is a great layer of security that Windows users can and should use to enhance the security of applications. But EMET may not block the exploit code now publicly available through the Metasploit framework. In fact, Tod Beardlsey, an engineering manager with Rapid7, the security firm that manages Metasploit, told The Associated Press that EMET does not appear to be completely effective against this exploit.

I asked Metasploit founder HD Moore what he thought was the best way to block this exploit, and he pointed out that the exploit available through Metasploit requires the presence of Java on the host machine in order to execute properly on IE 8/9 on Windows 7 and Vista systems (the exploit works fine without Java against IE7 on XP/Vista and IE8 on XP). Obviously, while the lack of Java on a Windows machine may not prevent other exploits against this flaw, it is a great first start. I have consistently urged computer users of all stripes to uninstall Java if they have no specific use for it.

Continue reading →


17
Sep 12

Exploit Released for Zero-Day in Internet Explorer

A working exploit that takes advantage of a previously unknown critical security hole in Internet Explorer has been published online. Experts say the vulnerability is being actively exploited in the wild, and that it appears to be connected to the same group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits late last month.

Researchers at security vulnerability testing firm Rapid7 have added a new module to the company’s free Metasploit framework that allows users to successfully attack the vulnerability on Internet Explorer versions 7, 8 and 9 on Windows XP, Vista and 7.

“Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user,” Rapid7 researcher “sinn3r” wrote on the firm’s blog. “Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk.”

News of the IE exploit surfaced at the blog of security researcher and blogger Eric Romang, who said he discovered the attack code while examining a Web server recently used by Chinese hackers to launch targeted attacks via zero-day Java vulnerabilities that were patched by Oracle last month. Romang and other experts have connected the sites serving those Java exploits to the Nitro attacks of 2011, espionage attacks directed against at least 48 chemical and defense companies.

I pinged Microsoft for a comment but have not yet heard back from them. I suspect they are preparing an advisory about this threat, and will update this post when I receive a response. Until an official fix is available, IE users would be wise to surf with another browser.


29
Aug 12

Researchers: Java Zero-Day Leveraged Two Flaws

New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.

Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.

“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”

ONE BILLION USERS AT RISK?

How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7 (all versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions).

To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia’s 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.

Continue reading →


27
Aug 12

Attackers Pounce on Zero-Day Java Exploit

Attackers have seized upon a previously unknown security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.

A Metasploit module developed to target this Java 0-day.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. “The price of such an exploit if it were sold privately would be about $100,000,” wrote Paunch, the nickname used by the BlackHole author.

Oracle is not scheduled to release another security update for Java until October. In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.

Continue reading →


14
Aug 12

Critical Security Fixes from Adobe, Microsoft

Adobe and Microsoft each issued security updates today to fix critical vulnerabilities in their software. Adobe’s fixes include a patch for a Flash Player flaw that is actively being exploited to break into Windows computers. Microsoft’s Patch Tuesday release includes nine patch bundles — more than half of them rated critical — addressing at least 27 security holes in Windows and related software.

The most pressing of the updates Adobe released today is the Flash Player patch, which fixes a critical flaw (CVE-2012-1535) in the ubiquitous media player software. Adobe says there are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Microsoft Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Continue reading →