Malicious computer code that leverages a newly-patched security flaw in Oracle’s Java software is set to be deployed later this week to cybercriminal operations powered by the BlackHole exploit pack. The addition of a new weapon to this malware arsenal will almost certainly lead to a spike in compromised PCs, as more than 3 billion devices run Java and many of these installations are months out of date.
I first learned about the new exploit from a KrebsOnSecurity reader named Dean who works in incident response for a financial firm. Dean was trying to trace the source of an infected computer in his network; he discovered the culprit appeared to be a malicious “.jar” file. A scan of the jar file at Virustotal.com showed that it was detected by just one antivirus product (Avira), which flagged it as “Java/Dldr.Lamar.BD”. The description of that threat says it targets a Javas vulnerability tagged as CVE-2012-1723, a critical bug fixed in Java 6 Update 33 and Java 7 Update 5.
The attack may be related to an exploit published for CVE-2012-1723 in mid-June by Michael ‘mihi’ Schierl. But according to the current vendor of the BlackHole exploit pack, the exact exploit for this vulnerability has only been shared and used privately to date. Reached via instant message, the BlackHole author said the new Java attack will be rolled into a software update to be made available on July 8 to all paying and licensed users of BlackHole.
Regardless of which operating system you use, if you have Java installed, I would advise you to update it, neuter it or remove it as soon as possible. The reason I say this is that Java requires constant patching, and it appears to be the favorite target of attackers these days.
Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java? link. Mac users can use the Software Update feature to check for any available Java updates.
If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox (from the Add-ons menu, click Plugins and then disable anything Java related, and restart the browser), and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
Apple stopped bundling Java by default in OS X 10.7 (Lion), it offers instructions for downloading and installing the software framework when users access webpages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for 35 days.
Why doesn’t Java have auto-update?
Recent Windows versions do.
Usually Java updates are 3-monthly.
It’s not exactly auto-update. It will automagically check once a week and alert you of any updates. I believe the user still has to allow the installation.
At least on Windows, you can set the frequency of update checks to as often as once a day. Click the Advanced button in the Updates tab of the Java Control Panel.
Incorrect. Java will check for updates automatically but it won’t install them. The user has to kick off the installation manually.
If it auto-push installed, corporate users would be up in arms.
Use the auto-check function offered during install and watch for the Java icon in the tray that signifies an update.
Or uninstall it, many home users won’t miss it and IE surfing will be safer.
“IE surfing will be safer?”
no, just no. Please don’t tell people to turn java off then point them to IE
You can’t “turn Java off” in IE. That’s why uninstalling Java is safer for users of IE.
Yes, you can disable Java in IE. On a per-Zone basis, in fact. If you have a few sites that need Java, forcing you to have it installed, then add those sites to the Trusted Sites zone and leave Java enabled there, then disable it in the Internet Zone.
This setting is in Internet Options on the Security tab. Select the Zone you want to change, then click Custom Level and scroll down to nearly the bottom, where you can set scripting of Java applets to the desired setting.
I’d certainly rather be rid of Java entirely, but if you’ve got some non-negotiable needs for it, there’s your workaround. I’d also suggest using Microsoft EMET and manually adding Java.exe and all browsers, media players, PDF readers, office software, email clients, IM clients, and other predictable exploit targets to EMET’s protected-apps list.
Usually Java updates are every 4 months (3 times a year, Feb, Jun, Oct), not every 3 months.
Is there a way to disable Java in Chrome?
I use an extension called “ScriptNo” which acts like “NoScript” for Firefox but is better IMO.
I thought Java isn’t Javascript and they are 2 entirely different things.
That’s correct. Java and Javascript are two very different things. But, Noscript (and perhaps other script blocking addons) blocks Java applets by default.
Great, thanks.
So just so I get this straight, I get the distinction, but which is being abused more – Java, or JavaScript – or both equally ?
For controls, in Firefox I see :
Options>>Content : Enable JavaScript
Tools>>Addons>>Plugins :
>>>Java Deployment Toolkit
>>>Java Platform SE 7
(What is the purpose of “Java Deployment Toolkit ” btw.)
I was under the impression that just about every site I visit regularly is employing some kind of JavaScript, so I’ve always left it enabled, despite the security risk.
It can be a real pain when something doesn’t seem to work correctly, and you have no clear idea why without spending a lot of time tracking it down.
Anyway, curious about the relative risks of Java vs JavaScript.
“scriptno” comes up under a google search in firefox but not in chrome ????
It’s there… you’re just looking using the wrong search term:
“Script No” in the Google Webstore:
https://chrome.google.com/webstore/detail/oiigbmnaadbkfbmpbfijlflahbdbdgdf
There’s a way to disable Java in Chrome… just look around under the hood.
http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064
Illustrated here :
http://www.youtube.com/watch?v=VXpzPiraX3I
Mr Krebs, Chrome now also has the ability to disable Java and use it only when required…
Brian,
It seems that you are right and wrong (or misleading) concerning Apple.
Java is not turned on automatically anymore, and it does turn off Java if unused for a while (I have no way to confirm 35 days, but it does turn off.)
On the other hand, as recently as 12 June 2012 there is a Java update for 10.6 users. See: Java for Mac OS X 10.6 Update 9
For 10.7 users, somehow I am up to date with 1.6.0_33 but my 1.7.0 is only at 04. When I go to the Java page Free Java Download: Download Java for your desktop computer now! Version 7 Update 5 it takes me to a page:
Java for Apple which says that “Apple supplies their own version of Java. Use Software Update feature available on the Apple menu…
It may be that Version 7 is not running on Mac OS at all, but that I have it because I have a developers release? Need more data…
Update: 1
When I run How do I test whether Java is working on my computer? it says that I am running Version Java SE 6 Update 33, even though the Version 7 is on the top of the list in my Java Preferences.
This page also says:
Mac Users: Choose the Software Update item on the Apple menu to check that you have the most up-to-date version of Java on your Mac.
Sorry…what am I misleading about, exactly, regarding Apple and Java?
Hmmm…on re-reading what you wrote, and restricting it to Version 10.7 (Lion) as you did, and restricting to Apple not bundling Java in OS 10.7.x, it may be that you are completely right and not misleading.
Without uninstalling Java on my 10.7.4 mac, I can’t be completely certain.
But if I turn off all my Java versions, then go to the Java test page, there is no recommendation from Apple on what to do “for downloading and installing the software framework”. There is just a note on the Java page for Mac users to use Software Update to “check that you have the most up-to-date version…”
Also, if I open a page in LibreOffice and try something from the menus that needs Java, it gives a libreoffice error, but nothing from Apple on what to do.
And, like I said above, Java’s update page doesn’t have a Mac iteration to download, and also refers me to the Mac Software Update. Software Update doesn’t suggest that I download Java, but I have only turned it off, not uninstalled.
My point is that – at best – I don’t think that Apple and Oracle have this all worked out yet for Lion users and that there are still a lot of 10.6 and 10.5 users who are still reliant on Apple for their Java updates.
In addition to turning off Java in the browser, I also have Flash set to require me to click it to run it. A lot of flash exploits run in hidden iframes. This is only a little annoying as I have to click the youtube frame to make it run, but honestly, not having flash-based ads blaring audio when you hit a page is a huge plus as well.
chrome://chrome/settings/content
The Opera browser has a simple solution to these plug-in issues. In preferences , just select “Enable plug-ins only on demand.”
On YouTube, for example, you just get a big “play” symbol in the middle of the frame.
So if we have the latest version of Java (1.6.0_33) on our Windows Operating System, using a Firefox browser are we safe or do we need to take additional steps like removing the older versions of java from the system all together, I don’t’ get it?
A number of the questions asked here are answered in this article
Defensive Computing with Java
http://blogs.computerworld.com/applications/20562/defensive-computing-java
One example: the author tried multiple ways to disable Java in Internet Explorer and could not.
Regarding the ComputerWorld article, this is a very good link. Two notes, though: 1) the author was unable to disable Java in Internet Explorer 9, and 2) the author was able to disable Java in Internet Explorer 8 only *AS THE ADMINISTRATOR*.
Nobody runs as the default user in Windows anymore, right? As a technical solution to malware, least privilege beats everything else (just note that it doesn’t always work). Create a restricted user account and use it for day-to-day computing in Windows. Use the default account only to administer the PC (e.g., configuration, install/uninstall software).
I’d have to disagree with Least Privilege beating everything else, it certainly helps the clean up as the Malware is contained within the user’s profile, so a new profile effectively cleans the infection.
I work in an environment where at least 90% of the workstations are running with only user privileges but they still get infected.
The more savvy malware authors long ago made their code “portable” so it doesn’t require administrator privileges to install, if you write to the user’s profile and Current User registry keys and hook into user owned processes then it still works and they get maximum coverage.
As far as Drivebys go Least Privilege and Patching are equally important and if you have the luxury, Firefox with Adblocker Plus and NoScript, means that Drive by infections are a thing of the past.
Unfortunately none of this is easy for the average user and for some it’s a hassle and nowhere near as important as updating their Facebook status.
Dean
I’d have to agree with Dean. Most of the threats out there today work just fine on limited account. Granted, the damage may be limited somewhat by infecting an admin account vs. a user account, but if the malware is able to hijack browser sessions, steal passwords and the like, it really doesn’t matter.
It certainly is a good idea to adopt least user privileges on all operating systems. But on the Windows space, in the face of modern malware, the benefits of running under limited account are hardly the same as in years prior.
I can verify that the LUP approach is no longer a guarantee of no troubles–this one snagged me yesterday and it took a couple of hours to fix :-\
I serve as a low-level tech resource for a number of computer un-savvy friends and am getting very pessimistic about the prospects of keeping them out of trouble given things like this.
Brian Krebs wrote:
“Granted, the damage may be limited somewhat by infecting an admin account vs. a user account, but if the malware is able to hijack browser sessions, steal passwords and the like, it really doesn’t matter.
Here’s why I believe it does matter. One recommendation I have made at this site previously and elsewhere is that one should not conduct sensitive online activities (e.g., online banking, securities trading, portfolio management) in their day-to-day restricted user account. Instead, create another restricted user account dedicated to these sensitive online activities. If the day-to-day user account gets owned, it is compartmentalized from the user account used for sensitive activities and one’s passwords, accounts and financial assets are likely to be safe.
Of course, all bets are off if the user installs software (e.g., codecs) containing an MBR exploit, as an example, from an inappropriate site. However, more cautious users adhering to your three rules are more likely to avoid this situation.
P.S. I am not referring to commercial enterprises where your advice is to use either a dedicated PC or a Linux LiveCD for online banking. I am referring, primarily, to consumers that choose to use their Windows, OS X or desktop Linux PC for these activities.
Agree than least privilege is not always effective. Thus, my disclaimer in parentheses, “just note that it doesn’t always work”. A high-profile example of malware that operates in a restricted user account is the Zeus banking trojan. However, MBR-infecting malware, mebroot as an example, will have a difficult time getting to the MBR from a restricted account, especially if the user doesn’t have the Admin credentials to type in when prompted.
As far as enterprise users go, I would be tempted to add various Internet Explorer group policy restrictions along with Software Restriction Policy whitelisting (via gpedit.msc, for both executables and dll’s) or AppLocker for Windows 7.
I agree that it’s hard for home users as most are also the local Admins What to do? In addition to restricted accounts, I usually recommend using Windows Vista/7 built-in Parental Controls to implement application control for each standard user account on the system. What I refer to as Software Restriction Policy “lite”, as dll protection is not provided.
Windows XP Home? I recommend using the Chrome web browser in lieu of Internet Explorer as it is the only browser that is sandboxed on Windows XP. And Windows XP Pro? Again, I recommend using gpedit.msc to implement Software Restriction Policy whitelisting *along with* using the Chrome browser.
Anyhow, these items, other than installing and using the Chrome browser, are not easy for the average user. Their advantage is that they, along with the ability to create restricted accounts, are provided by the Windows operating system. Thus, no 3rd party security software to learn and manage.
I use Chrome and there use to be a box that would pop up, axing whether or not you wish to use Java…
Now it does not appear anymore and when I go to disable the pugin under settings there is no “under the hood” options!!
One problem with Java is that when it gets updated it sometimes breaks functionality with some management consoles (like Symantec Endpoint Protection). So I can’t just update it, lest I not be able to easily control my anti-virus clients. The solution would be for companies (like Symantec) to NOT use Java for their software!
But I’m not holding my breath.
A product designed to manage multiple java versions in the *enterprise* is Browsium’s UniBrowse add-on for Internet Explorer:
http://www.browsium.com/2011/09/21/let’s-get-technical-–-solving-the-“java-problem”-in-internet-explorer/
This may or may not help with your particular situation.
If we talk about only “Drive By” infections then by far the best solution to me is Firefox with NoScript.
NoScript will stop the drive by exploits as scripts will not run unless white-listed.
The basic attack method is Compromised Site —> Exploit Server —> Exploit downloaded & executed —> Malware downloaded and executed.
But because scripts will not run unless they’ve been allowed to run with NoScript, you should never find yourself at the receiving end of a bunch of exploits & Malware, even on an unpatched machine (This is no reason not to patch though!)
Even if the initial compromised site has been white-listed, you will run the malicious script but when you land at the next step scripts will not run again unless they are also white-listed which is extremely unlikely.
The Java VM is sandboxed but the numerous exploits allow the code to break out of it and execute malicious code within the operating system.
The downside? NoScript is a little complex for the average user as thing like YouTube require not only YouTube.com but also the content server for videos to play.
Oh and Firefox is seen as out of fashion now since Chrome but I still recommend it due it’s far superior plugin framework.
Dean
if we can not change the version of the JRE due to specific applications, can we limit its privileges by setting Java.policy file?
As far as I know, none of the web browsers sandbox the java plug-in on any operating system. As for limiting the java plug-in privileges, one can use built-in Windows integrity levels on Windows Vista/7. However, as implemented for Internet Explorer by Microsoft, the java plug-in does not run at low integrity level. Instead, it runs at medium integrity level.
I have created a DIY sandbox on Windows Visa/7 for Firefox (and Opera) using Windows integrity levels that does run the java plug-in at low integrity level. To create a DIY sandbox for Firefox on Windows Vista/7, copy the following commands and paste them into Notepad:
cd “C:\Program Files\Mozilla Firefox”
icacls firefox.exe /setintegritylevel low
cd C:\Users\USERNAME\AppData\Local
icacls Mozilla /setintegritylevel (OI)(CI)low
icacls Temp /setintegritylevel (OI)(CI)low
cd C:\Users\USERNAME\AppData\Roaming
icacls Mozilla /setintegritylevel (OI)(CI)low
cd C:\Users\USERNAME
mkdir Downloads
icacls Downloads /setintegritylevel (OI)(CI)low
Change USERNAME to your user name. Also, note that all files must be downloaded to folder C:\Users\USERNAME\Downloads (you can make this anything you want, but it must be a low integrity level folder). Save and name the file something like ‘SandboxFirefox.bat’ (the .bat extension is important). Then run the BAT file in either the Vista or 7 command prompt (cmd.exe) as the Administrator by typing in ‘SandboxFirefox.bat’ and pressing the ‘Enter’ key.
Firefox now runs as a low integrity level process. In addition, the Java plug-in runs as a Firefox child process that is also low integrity level. Verify it by downloading and running Sysinternal’s Process Explorer and adding ‘integrity levels’ to the displayed columns. One drawback is that one can no longer apply updates to Firefox as the updater won’t work at low integrity level (there is no privilege broker). Instead, one must download updated Firefox versions from mozilla.com, install updated Firefox on top of the existing version and rerun the BAT file.
Another alternative (perhaps better than the above DIV approach above) is to download and install a 3rd party sandbox application for Windows. Examples include Trustware BufferZone Pro (free) and SandboxIE (both free and paid versions):
http://trustware.com/BufferZone-Pro/
http://www.sandboxie.com/
One would then run their browser in the 3rd party sandbox and browser plug-ins like Java will also be sandboxed.
I just installed NO SCRIPT and it blocks Java…
You can run a test by going to smart money and enter a stock ticker
KOG, which is Kodiak Oil & Gas…
Then click the chart option and if it loads, Java is not blocked..
If it is blocked, you will see a icon in the upper left of the chart box…
As I said before, it appears Chromey took that option away…
To disable Java in Chromy follow this link:
http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064