Posts Tagged: java


18
Sep 12

Internet Explorer Users: Please Read This

Microsoft is urging Windows users who browse the Web with Internet Explorer to use a free tool called EMET to block attacks against a newly-discovered and unpatched critical security hole in IE versions 7, 8 and 9. But some experts say that advice falls short, and that users can better protect themselves by surfing with an alternative browser until Microsoft issues a proper patch for the vulnerability.

The application page of EMET.

EMET, short for the Enhanced Mitigation Experience Toolkit, is a tool that can help Windows users beef up the security of commonly used applications, whether they are made by a third-party vendor or by Microsoft. EMET allows users to force applications to use one or both of two key security defenses built into Windows Vista and Windows 7 — Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

Before I get into the how-tos on EMET, a few caveats. EMET is a great layer of security that Windows users can and should use to enhance the security of applications. But EMET may not block the exploit code now publicly available through the Metasploit framework. In fact, Tod Beardlsey, an engineering manager with Rapid7, the security firm that manages Metasploit, told The Associated Press that EMET does not appear to be completely effective against this exploit.

I asked Metasploit founder HD Moore what he thought was the best way to block this exploit, and he pointed out that the exploit available through Metasploit requires the presence of Java on the host machine in order to execute properly on IE 8/9 on Windows 7 and Vista systems (the exploit works fine without Java against IE7 on XP/Vista and IE8 on XP). Obviously, while the lack of Java on a Windows machine may not prevent other exploits against this flaw, it is a great first start. I have consistently urged computer users of all stripes to uninstall Java if they have no specific use for it.

Continue reading →


17
Sep 12

Exploit Released for Zero-Day in Internet Explorer

A working exploit that takes advantage of a previously unknown critical security hole in Internet Explorer has been published online. Experts say the vulnerability is being actively exploited in the wild, and that it appears to be connected to the same group of Chinese hackers responsible for unleashing a pair of Java zero-day exploits late last month.

Researchers at security vulnerability testing firm Rapid7 have added a new module to the company’s free Metasploit framework that allows users to successfully attack the vulnerability on Internet Explorer versions 7, 8 and 9 on Windows XP, Vista and 7.

“Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user,” Rapid7 researcher “sinn3r” wrote on the firm’s blog. “Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk.”

News of the IE exploit surfaced at the blog of security researcher and blogger Eric Romang, who said he discovered the attack code while examining a Web server recently used by Chinese hackers to launch targeted attacks via zero-day Java vulnerabilities that were patched by Oracle last month. Romang and other experts have connected the sites serving those Java exploits to the Nitro attacks of 2011, espionage attacks directed against at least 48 chemical and defense companies.

I pinged Microsoft for a comment but have not yet heard back from them. I suspect they are preparing an advisory about this threat, and will update this post when I receive a response. Until an official fix is available, IE users would be wise to surf with another browser.


5
Sep 12

Apple Releases Fix for Critical Java Flaw

Apple has issued an update for Mac OS X installations of Java that fixes at least one critical security vulnerability in the software.

If you own a Mac, take a moment today to run the Software Update application and check if there is a Java update available. Delaying this action could set your Mac up for a date with malware. In April, the Flashback Trojan infected more than 650,000 Mac systems using an exploit for a critical Java flaw.

Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005 are available for Java installations on OS X 10.6, OS X Lion and Mountain Lion systems, via Software Update or from Apple Downloads.

Apple stopped bundling Java by default in OS X 10.7 (Lion), but it offers instructions for downloading and installing the software framework when users access webpages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for an extended period of time.

Update, 8:14 p.m.: It looks like I may have misread Apple’s somewhat hazy advisory, which appears to state that this update addresses CVE-2012-4681, the Java flaw that was recently spotted in increasingly widespread attacks against Java 7 installations on Windows. Upon closer inspection, it looks like this patch applies just to CVE-2012-0547. The above blog post has been changed to reflect that. In any case, Mac users should not delay in updating (or better yet, removing) Java.

Continue reading →


29
Aug 12

Researchers: Java Zero-Day Leveraged Two Flaws

New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.

Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.

“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”

ONE BILLION USERS AT RISK?

How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7 (all versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions).

To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia’s 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.

Continue reading →


13
Aug 12

Inside a ‘Reveton’ Ransomware Operation

The U.S Federal Bureau of Investigation is warning about an uptick in online extortion scams that impersonate the FBI and frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content. This post offers an inside look at one malware gang responsible for orchestrating such scams.

Reveton ransomware scam impersonating FBI

Reveton ransomware scam page impersonating the FBI

In an alert published last week, the FBI said that The Internet Crime Complaint Center — a partnership between the FBI and the National White Collar Crime Center — was “getting inundated with complaints” from consumers targeted or victimized by the scam, which uses drive-by downloads to hijack host machines. The downloaded malware displays a threatening message (see image to the right) and blocks the user from doing anything else unless he pays the fine or finds a way to remove the program.

The FBI alert said the attacks have surged with the help of a “new drive-by virus” called Reveton; in fact, Reveton and its ilk are hardly new. These types of attacks have been around for years, but traditionally have targeted European users. The scam pages used in the attacks mimic official notices from various national police or investigatory agencies, corresponding to the country in which the victim resides. For a breakdown of these Reveton-related ransomware scam pages by country, see this comprehensive gallery set up at botnets.fr.

Reveton.A is blamed in these most recent attacks, and the FBI said it appears Reveton is being distributed in conjunction with Citadel, an offshoot of the ZeuS Trojan that I have written about on several occasions. It is certainly possible that crooks are using Citadel to deploy Reveton, but as I’ll illustrate below, it seems more likely that the attackers in these cases are using exploit kits like BlackHole to plant both threats on victim PCs.

INSIDE A REVETON MALWARE GANG

Operations of one Reveton crime group. Source: ‘Kafeine,’ from botnets.fr.

At least that’s the behavior that’s been observed by a ragtag group of researchers that has been tracking Reveton activity for many months. Some of the researchers are associated with botnets.fr, but they’ve asked to remain nameless because of the sensitivity of their work. One of them, who goes by the screen name “Kafeine,” said much of the Reveton activity traces back to a group that is controlling the operation using reverse proxies at dozens of servers scattered across data centers globally (see this PDF for a more detailed look at the image above).

Kafeine said the groups involved in spreading Reveton are constantly fine-tuning all aspects of their operations, from the scam pages to solidifying their back-end hosting infrastructure. The latest versions of Reveton, for example, serve the scam pages from an encrypted (https://) connection, and only cough up the pages when an infected machine visits and sends a special request. Continue reading →


9
Jul 12

How to Break Into Security, Grossman Edition

I recently began publishing a series of advice columns for people who are interested in learning more about security as a craft or profession. For the third installment in this series, I interviewed Jeremiah Grossman, chief technology officer of WhiteHat Security, a Web application security firm.

A frequent speaker on a broad range of security topics, Grossman stressed the importance of coding, networking, and getting your hands dirty (in a clean way, of course).

BK: How did you get started in computer security?

Grossman: For me it was…I could hack stuff and I did it in my spare time and someone offered me a job — which was Yahoo. But before that, I was just a UNIX admin. I was thinking about this question a lot, and what occurred to me is that I don’t know too many people in infosec who chose infosec as a career. Most of the people who I know in this field didn’t go to college to be infosec pros, it just kind of happened. They followed opportunity.

BK: You might have seen that the last two experts I asked had somewhat different opinions on this question, but how important is it that someone interested in this field know how to code?

Grossman: It’s tough to give solid advice without knowing more about a person. For instance, are they interested in network security or application security? You can get by in IDS and firewall world and system patching without knowing any code; it’s fairly automated stuff from the product side. But with application security, it is absolutely mandatory that you know how to code and that you know software. So with Cisco gear, it’s much different from the work you do with Adobe software security. Infosec is a really big space, and you’re going to have to pick your niche, because no one is going to be able to bridge those gaps, at least effectively.

BK: So would you say hands-on experience is more important that formal security education and certifications?

Grossman: The question is are people being hired into entry level security positions straight out of school? I think somewhat, but that’s probably still pretty rare. There’s hardly anyone coming out of school with just computer security degrees. There are some, but we’re probably talking in the hundreds. I think the universities are just now within the last 3-5 years getting masters in computer security sciences off the ground. But there are not a lot of students in them.

BK:  What do you think is the most important qualification to be successful in the security space, regardless of a person’s background and experience level?

Grossman: The ones who can code almost always [fare] better. Infosec is about scalability, and application security is about scalability. And if you can understand code, you have a better likelihood of being able to understand how to scale your solution. On the defense side, we’re out-manned and outgunned constantly. It’s “us” versus “them,” and I don’t know how many of “them,” there are, but there’s going to be too few of “us “at all times.  So whatever your solution is or design criteria, you’re going to have to scale it. For instance, you can imagine Facebook…I’m not sure many security people they have, but…it’s going to be a tiny fraction of a percent of their user base, so they’re going to have to figure out how to scale their solutions so they can protect all those users.

Continue reading →


29
Jun 12

Secunia’s Auto-patching Tool Gets Makeover

Vulnerability management firm Secunia has shipped a new version of its auto-patching tool — Personal Software Inspector 3.0 – a program for Windows users that can drastically simplify the process of keeping up-to-date with security patches for third-party software applications.

The final release of PSI 3.0 supports programs from more than 3,000 software vendors, and includes some key changes that address shortcomings identified in the beta version that I highlighted back in February.

The 3.0 version of PSI still keeps auto-patching on by default at installation, although users can uncheck this box and choose to manually install all available updates for third-party programs. Unlike the beta version — which was radically devoid of tweakable options and settings — the version released this week provides a more configurable interface that should be more appealing to longtime users of this tool.

Users also can review the history of installed updates, and select which hard drives should be scanned, options absent from the beta release. PSI 3.0 also lets users create rules that tell the software to ignore updates for particular programs.

Overall, the new PSI strikes a fair balance between configurability and ease-of-use, and is a notable improvement over the beta version. However, I had trouble with the program after installing it on my test machine — a Windows 7 64-bit machine with 8 GB of memory. The program seemed to get stuck on scanning for updates, and for an excruciating eight minutes or so the software sucked up most of my machine’s available memory and processing power. The only way I could get my system back to normal was to reboot the system.

Continue reading →


27
Apr 12

Correction to Java Update Story

An earlier version of this blog post incorrectly stated that Oracle had shipped security updates for its Java software. Oracle did push out an update for Java earlier this month — Java 6 Update 32 — but the new version was a maintenance update that did not include security fixes. My apologies for any confusion this may have caused.


12
Apr 12

How to Find and Remove Mac Flashback Infections

A number of readers responded to the story I published last week on the Flashback Trojan, a contagion that was found to have infected more than 600,000 Mac OS X systems. Most people wanted to know how they could detect whether their systems were infected with Flashback — and if so — how to remove the malware. This post covers both of those questions.

Screen shot of Flashback detection tool from Dr.Web

Since the discovery last week of the Flashback Mac botnet, several security firms have released tools to help detect and clean up Flashback infections. Dr.Web, the Russian antivirus vendor that first sounded the alarm about the outbreak, has published a free online service that lets users tell whether their systems have been seen phoning home to Flashback’s control servers (those servers have since been hijacked by researchers). The service requires users to enter their Mac’s hardware unique user ID (HW-UUID), because this is how the miscreants who were running the botnet kept track of their infections.

F-Secure Corp., the Finnish security firm that worked with Dr.Web to more accurately gauge the true number of Flashback-infected Macs, has a Flashback Removal Tool available for download from its Web site.

Where is Apple’s response in all of this, you ask? Apple says it is developing software that will detect and remove Flashback. Inexplicably, it has not yet released this tool, nor has it added detection for it to the XProtect antivirus tool built into OS X. The company’s advisory on this threat is predictably sparse, and focuses instead on urging users to apply a recent update for Java. Flashback attacks a well-known Java flaw, but it’s worth noting that Apple released the Java patch only after Flashback had begun infecting hundreds of thousands of Macs.

Update, 8:22 p.m. ET: Apple just released a new version of Java that includes a Flashback remover. Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion. It includes no new security fixes, but it adopts a novel approach to the debate over whether to temporarily disable or remove Java: “It configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application.” If the Java web plug-in detects that no applets have been run for at least 35 days, it will again disable Java applets.

Continue reading →


27
Mar 12

New Java Attack Rolled into Exploit Packs

If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users.

The exploit targets a bug in Java (CVE-20120-0507) that effectively allows the bypassing of Java’s sandbox, a mechanism built into the ubiquitous software that is designed partly to blunt attacks from malicious code. Microsoft’s Malware Protection Center warned last week that new malware samples were surfacing which proved highly effective at exploiting the flaw. Microsoft says the samples it saw loaded the ZeuS Trojan, but thieves can use such attacks to install malware of their choosing.

According to posts on several underground carding forums, the exploit has now been automatically rolled out to miscreants armed with BlackHole, by far the most widely used exploit pack. An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed, and Java is almost universally the most successful method of compromise across all exploit kits.

According to software giant Oracle, Java is deployed across more than 3 billion systems worldwide. But the truth is that many people who have this powerful program installed simply do not need it, or only need it for very specific uses. I’ve repeatedly encouraged readers to uninstall this program, not only because of the constant updating it requires, but also because there seem to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.

Case in point: On at least two Underweb forums where I regularly lurk, there are discussions among several core members about the sale and availability of an exploit for an as-yet unpatched critical flaw in Java. I have not seen firsthand evidence that proves this 0day exploit exists, but it appears that money is changing hands for said code. Continue reading →