November 30, 2011

An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.

On Monday, I disclosed how the Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog today, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.”

Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X and even Linux systems.

This development should not be taken lightly by any computer user. According to Oracle, Java’s maker, more than three billion devices run Java. What’s more, Java vulnerabilities are by some accounts the most popular exploit paths for computer crooks these days. On Monday, Microsoft’s Tim Rains published a blog post noting that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK).

From that blog post:

“During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits[1]. During this one year period, Microsoft antimalware technologies detected or blocked, on average, 6.9 million exploit attempts on Java related components per quarter, totaling almost 27.5 million exploit attempts during the year.”

The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. Apple issued its own update to fix this flaw and other Java bugs earlier this month.
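To make the “is my Java patched?” check from the paragraph above repeatable, here is an added example (not code from the article or from Oracle) that parses the output of `java -version` and compares it against the fixed levels the article names, Java 6 Update 29 and Java 7 Update 1. The sample version strings are constructed; the assumption that families other than 6 and 7 should be reported as needing attention is mine, chosen to fail safe.

```python
import re
import subprocess

# Minimum update levels the article states as patched: 6u29 and 7u01.
PATCHED_UPDATE = {6: 29, 7: 1}

# Matches the classic JRE banner, e.g. 'java version "1.6.0_27"'.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.(\d+)(?:_(\d+))?', re.IGNORECASE)


def parse_java_version(output):
    """Return (family, update) from `java -version` text, e.g. "1.6.0_27" -> (6, 27)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(3) or 0)  # no "_NN" suffix means the initial release (update 0)
    return family, update


def is_patched(output):
    """True only if the banner reports a family/update at or above the patched level.

    Assumption (not from the article): families other than 6 and 7, and banners that
    cannot be parsed, are treated as not patched so the check fails safe.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return False
    family, update = parsed
    minimum = PATCHED_UPDATE.get(family)
    if minimum is None:
        return False
    return update >= minimum


def check_local_java():
    """Run the installed `java -version` (it prints to stderr) and classify it.

    Returns None when no java binary is on the PATH.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_patched(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners covering the cases the article describes.
    for banner in ('java version "1.6.0_27"', 'java version "1.6.0_29"',
                   'java version "1.7.0"', 'java version "1.7.0_01"'):
        print(banner, "->", "patched" if is_patched(banner) else "VULNERABLE, update")
```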

According to my server logs, close to 80 percent of the readers of this blog in the last month have some version of Java installed, although my stats don’t list version numbers. At the risk of sounding like a broken record, I’ll repeat my advice from earlier this week: If you don’t need Java, get rid of it. Most people who have it won’t miss it. For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative.

41 thoughts on “Public Java Exploit Amps Up Threat Level”

  1. Dandandin

    Also, there is no longer a Java killer app. Web sites that require Java to work are like white flies. The only reason to have Java is to keep OpenOffice from nagging you at startup…

  2. Gary

    Unfortunately, Verizon FiOS’s online voicemail retrieval requires Java. I turn it on for that only, then back off when done.

    1. David Chasey

      Thanks for the Verizon information. I’ve never used the e-mail website, and with your information that Java is used with their web email system, I never will use it.

  3. logouter

    “According to my server logs, close to 80 percent of the readers of this blog in the last month have some version of Java installed, although my stats don’t list version numbers. ”

    In other words, when we read your blog, you go snooping around in our computers? Readers beware!

    1. Nathan

      Your browser automatically sends a browser User-Agent string with EVERY page request. This includes your phone’s browser, touchpad browser, and the integrated TV browsers… This user agent contains things such as Java, .NET, Silverlight, what browser it is and a couple of other informational pieces. Pretty much all web servers log this information so they can not only target the HTML to popular browsers but also see how many unique visitors visit. Nothing nefarious going on.

      1. David Chasey

        You write: “Nothing Nefarious going on.”

        How did you miss the fact of the attacks of the bad guys taking advantage of these so-called non-nefarious websites that use highly vulnerable software, such as Java? There are very hot ethical issues tangled within this tangled mess of vulnerable software.

        1. Steve

          David, the point Nathan was making is that your browser is sending the information regardless of whether the website downloads Java to your computer. And it’s the nefarious websites that contain the Java you want to avoid.

      2. Brian Krebs

        What Nathan says is exactly right. All Web publishers can see the same thing. More importantly, hacked/malicious sites certainly can see and look for this information, so it’s important that people know the information is in most cases easily checked and advertised by the browser.

        1. Jim Bengtson

          Is it possible to tell your browser NOT to send that information, or to cause it to send false information (i.e., that you don’t have java installed when you actually do)? Sort of like a false banner…

          1. Silemess

            It is possible to fly a false banner, but it isn’t likely to do you any good. Just because you say you aren’t running Java does not mean that they won’t run the script past you. Removing Java, if you don’t use it, is the best way.

            Unfortunately, not all of us get the choice. As was noted in comments and the article above, a lot of things use Java. Meaning that if your job interacts with those devices, you’re probably stuck using it. Disable it when not using it, run NoScript on Firefox, and try to stay away from installing yourself into a corner.

          2. helly

            There is a Firefox add-on to manipulate your user agent, which can be handy if you want to simulate an Android browser or something. But really, changing your user agent is going to do nothing for you from a privacy or security perspective.

    2. rgb

      I’ll choose to take your comment seriously.

      In other words, when you visit any website your browser tells the server a LOT of things. Among those are its capabilities, including that of executing Java applets.

      See for instance

      To give a car analogy:
      It’s like a drive-thru operator saying that 80 percent of his customers drive brand Y and have a car of type X.

      1. Dandandin

        99% of websites do traffic analysis. He did not say “guy with IP x.x.x.x has vulnerable JVM”.
        He did the right thing, pointing out that 90% of that 80% of visitors could effectively disable Java and not miss it.

      1. logouter

        Thank you TJ – that’s the most useful information I’ve ever gotten from this blog!

  4. guerilla7

    The exploit is very effective but will require a little bit of social engineering for the target user to click on a link: Un-shorten those tiny URLs, watch out for embedded links on MS Word files, and update your Java.

  5. David Chasey

    I’ve emailed my health care team, urging them to warn other insulin pump patients to beware of Java, if in fact their insulin pumps and the related websites use Java.

    I’ve also urged my health care team to take the issue to the medical organization of which they are a part. The email I used for sending this message was Brian Krebs’ automated email that he sent earlier today. My message at the top of the email, Brian’s critically important message about the metastasizing Java below it.
    – David C.

  6. TJ

    “According to my server logs, close to 80 percent of the readers of this blog in the last month have some version of Java installed…”

    That just boggles the mind! If I were you, Brian, I would wonder, “Are my readers true students or just auditing?” 😉

      1. Jay Wocky

        To quote TJ, I’d venture to say that subscribers to this blog who still use Adobe Reader may be “just auditing.”

        1. mechBgon

          At this point, now that Reader has sandboxing in v.10, I think it’s the PDF reader to stick with. Adobe seems to be getting their act together.

          As Churchill said, “if you’re going through hell… keep going” 🙂

          1. Jay Wocky

            Having abandoned Adobe Reader so many years ago, I was unaware of the “sandboxing” feature in its latest version(s). However, I suspect it is still a monster-sized program, with problematic updating and installation issues not shared by modest-sized alternative readers. Correct me if I’m wrong.

  7. Neej

    “According to my server logs, close to 80 percent of the readers of this blog in the last month have some version of Java installed…”

    Ever get the feeling you’re talking to a brick wall … that’s really surprising TBH. Perhaps you could make a script at the top of the page that displays something like “Your computer is at risk due to Java being enabled” or similar and have links leading to how to disable it.

    As I already mentioned, I use a Java app that I cannot find a suitable replacement for (jDownloader), but I run it in a virtual machine on Linux – VMware Player and Ubuntu are both free to use, and for anyone not familiar with virtual machines it’s very easy to set up through a wizard interface.

    1. Nic

      “Many don’t have an option but to use Java.”

      Quite true. But a small percentage out of millions is still “many.”

      Only a small percentage of people need Java.

      Since the 80% figure quoted above blows my mind, it should be said that Java and JavaScript are separate, unrelated technologies. One can uninstall Java without impacting JavaScript in the browser (although JS should be controlled with NoScript).

      Uninstall Java.

      And next time Brian writes about a dozen Java holes being patched, you can sit back and smile, knowing that circus no longer affects you.

  8. Tim

    I suspect like many enterprises, we are in a real pickle with this update.

    More than anything else in my experience, Java updates have a horrible habit of comprehensively breaking many web-based applications and this one is no exception.

    Our pilot roll-out of update 29 resulted in many apps completely breaking and not only did the roll-out have to be stopped, but the pilot group had to be rolled back.

    We are now in a very vulnerable spot with just about every machine sitting in a vulnerable place…..and yet business requirements are that the roll-out has to stop indefinitely.

    See this link just as an example of other organizations with the same issues.


    1. Dandandin

      Android does not use the Oracle JVM, but a compatible (and safer) one. (That’s why Oracle is demanding Google billions in a lawsuit)

  9. MarkN

    After reading all this about Java, we are exploring disabling the plug-ins only because we have a Windows business application that requires Java. My question is, what about JavaScript? Aren’t there vulnerabilities to be concerned about there as well?

  10. AlphaCentauri

    A hospital our office interacts with to get patient test results not only requires our computers to run Java, it requires them to log in with Internet Explorer 6 or 7, and it requires the security to be set on “low” for all domains in the “Internet zone,” not just trusted ones. And until recently it had a self-signed SSL certificate. We don’t follow all those requirements, but that means several significant features don’t function for us.

    1. Dandandin

      LOL, whoever programmed that interface must be fired as soon as possible. If you browse the web in that condition, getting infected is only a matter of minutes.

      1. AlphaCentauri

        It could be tough to replace him/her with someone better, perhaps. The entire medical system is incredibly porous, given how much highly personal information is involved. I just found out one of the provisions of the Obama health reforms is that effective January 1, 2012, doctors’ Medicare billings must now be submitted via secure connections. It’s all been going unencrypted up until now, apparently, just as it did in the days when doctors’ offices used to phone in via modems.

  11. SFdude

    Unless you really need Java in your PC,
    the best advice is:
    just UNinstall it!

    As you know, many people in these Comments section, have spent a lot of time mastering Java,
    and they go ballistic at the simple suggestion.
    Sorry, but you can not hide the truth anymore…

    Java is a real security headache on most PCs…read the article above, and others in Krebs on Security.

    Java on secured-servers is a different story.

  12. Ripcord

    I am a home user running XP-SP3 on an old (10 years?) HP tower. If I had the money, I would upgrade in so many ways but I’ve been able to keep this old beast chugging alone thus far.
    I take Brian’s articles seriously and try to implement many of the safe-guards he suggests. I use NoScript and am currently evaluating WoT and AdBlock Plus.
    Due to this article though, I started looking at what I had on this PC, in terms of JAVA, and tried to learn over the web what I needed to keep and what I could dump.

    What I learned was very confusing! JAVA, JavaScript, applets and other related terms became a mixture that seemed to want to all be the same thing. Obviously this is not the case, but my point is that a home user who isn’t building the next HAL machine can be very easily misled about what they need to simply browse the ’net.

    Does one need the JAVA Console (as seen in the Control Panel of XP) in order to have the browser execute applets on the web? Although most of the sources I’ve looked at said no, others indicated it was needed.

    What of the JAVA plugins or extensions? Does removing those break the applet ability of the browser? Again, I found conflicting opinions.

    BTW: I searched not only the Oracle site, which seemed bent on making sure I installed a lot of things, but various PC forums, security sites (aside from Brian’s wonderful one), JAVA help sites (there are many), etc. In all I probably looked at roughly 20 sources.

    Result? I STILL don’t know what I can safely take out and retain the ability to cruise the ‘net while keeping most functions (applets?) working.

    I used to think I was pretty savvy home user. I’m not so sure anymore.

    PS: I’m going to uninstall the JAVA console and cross my fingers. I’m not a developer after all. And yes, I’m the guy family members and friends call on for help with their PCs, even a server or two.

    1. Neej

      If you really must keep Java installed you should know that NoScript (and other browser addons that serve a similar role) block websites from using Java. The site simply thinks you don’t have it installed.

      However in my experience (which granted has nothing to do with yours) the amount of sites that use applets is very small and in fact I can’t recall the last time I had to make use of it. Uninstall it IMO.

      If you really must have it, use it in a virtual machine or a sandbox to separate it from your OS. Comodo Firewall Free Edition has a sandbox function, although choose “custom install” and don’t install Comodo Anti-Virus as it’s so bad as to be basically useless – there are likely other free sandbox applications I don’t know about.

      VMware Player is free and you can run various OSes “inside” a virtual machine – a virtual machine, as the name suggests, is emulating an entire PC for the OS to run on, so for your situation it is likely not practical in terms of resources.

      JavaScript is something completely apart from Java despite the name, BTW, and is required for many websites to function properly. Java is not required in most cases.

  13. David Chasey

    On November 30th I posted:
    QUOTE ———-
    “I’ve emailed my health care team, urging them to warn other insulin pump patients to beware of Java, if in fact their insulin pumps and the related websites use Java.”

    Well before I posted the above at Krebs on Security I had received an email response from the Metronomic representative in Pittsburgh who had introduced me to the Metronomic insulin pump. His response was a very short and succinct comment, just several words about fixing this Java website problem. Some days later, I forwarded him Brian’s email, with links, “Public Java Exploit Amps Up Threat Level [Krebs on Security].”

    The Metronomic representative forwarded Brian’s email to his manager.

    THE IMPORTANT QUESTIONS: Is there other software that can do what Java does without the vulnerabilities? If so, what levels of expense, what work hours would it take to do the fixes?

    – David

  14. Roy

    Totally agree with the conclusion of this article, most home users never use it but nearly 80% of my visitors have it installed too.

    As a repair tech, a little part of me dies inside every time I find J2SE lurking on XP machines…

    Re disabling Java in the browser, it seems impossible to disable Java within IE itself (have to use Java cpl or disable the service). Disabling all IE’s Java add-ons should work but it doesn’t – Java carries on regardless.

  15. MarkN

    You can disable Java in IE by going to Java in the Control Panel, clicking on the ‘Advanced’ tab, expanding ‘Default Java for browsers’, and un-checking the ‘Microsoft Internet Explorer’ checkbox.

    1. Roy

      I know, I said you could use Java control panel (per user) or disable in Services (for all users).

      My point was that disabling it via ‘Manage Add-ons’ in IE itself doesn’t work, which is a security risk as people would think they had disabled it when they hadn’t. Disabling the Java add-ons in FF/Chrome works fine – without needing to resort to the control panel or Services – so it is a fault in IE’s add-on management process.
