Maha Guru
Videocard: MSI 6850 OC CYCLONE 1 GB
Processor: Phenom II X6 1090T BE
Mainboard: ASUS M5A99FX PRO R2.0
Memory: G.SKILL 4 GB DDR3 1600
Soundcard: X-Fi Xtreme Gamer
PSU: OCZ StealthXStream 2 600W
New Java Zero Day Being Used in Targeted Attacks -
08-29-2012, 00:44
| posts: 1,988 | Location: Canada
http://www.majorgeeks.com/story.php?id=35652
Quote:
New Java Zero Day Being Used in Targeted Attacks
There is a newly discovered zero day vulnerability in Java 7 that is being used in some targeted attacks right now. The vulnerability works against Internet Explorer and Firefox and researchers say that attackers are exploiting it in the wild and installing a version of the Poison Ivy RAT on compromised systems.
The targeted attacks that are being launched right now are using an exploit from a site hosted in China, which is still up and running. Once the exploit fires, the attack will install a dropper on the compromised PC called Dropper.MsPMs, which will then call out to another IP address on the same domain as the one serving the exploit.
"The dropper executable is located on the same server: http://ok.XXX4.net/meeting/hi.exe . Dropper.MsPMs further talks to its own CnC domain hello.icon.pk which is currently resolving to an IP address 223.25.233.244 located in Singapore," Atif Mushtaq at FireEye wrote in an analysis of the attack.
The vulnerability is present in Java 7 and doesn't affect earlier versions, researchers said. There is proof-of-concept exploit code circulating for the bug, and the folks at Metasploit also have developed a module that exploits the flaw. They said that their exploit works against a fully patched Windows 7 machine with Java 7 update 6 running. Their exploit also works against IE and Firefox on Windows Vista and XP and also against Chrome on Windows XP and Firefox on Ubuntu Linux 10.04.
Researchers at DeepEnd Research who looked at the vulnerability said that there is little indication of a successful exploit of this vulnerability.
"It does not crash browsers, the landing page looks like a blank page, sometimes one may see a flash of a rotating Java logo and the word 'Loading'," Andre' M. DiMino and Mila Parkour wrote.
The massive installed base of Java makes this vulnerability a particularly serious one, as any Java zero day is, but the other factor in the mix is that Oracle uses a scheduled quarterly patch cycle, and the next one isn't until mid-October. Unless the company issues an emergency patch, which it does rarely, the vulnerability will be fair game for attackers for nearly two months.
There is a third-party patch available for the vulnerability, available by request only from the folks at DeepEnd. In order to get the patch, organizations need to explain their need for it.
"This is not an official patch and had limited testing. In general, it is best to disable Java in your browser or use Chrome. If you are in the environment where you must have Java with Internet Explorer, Firefox and Opera, email us at admin deependresearch.org from your company address with a brief explanation of the planned use and we will send you the download link," DeepEnd said in its post.
&
http://www.majorgeeks.com/story.php?id=35660
Quote:
Detecting and Removing Vulnerable Java Versions - continued
As attacks on the new Java zero-day vulnerability continue and researchers look for ways to mitigate the flaw, they are encouraging users to disable Java in their browsers. There is now a site that users can visit that will detect whether their browser is running a vulnerable version of Java.
Security vendor Rapid 7 has set up a site that will detect the version of Java that is running in the user's browser and tell her whether it contains the newly discovered Java vulnerability. The flaw is in Java 7 and researchers have found ongoing attacks in the wild targeting the vulnerability. The attacks are in the form of drive-by downloads right now, with successful exploitation leading to the installation of the Poison Ivy remote-access tool on compromised machines. Poison Ivy is a well-known RAT and has been used in a number of attacks in recent years.
Java has become a major target for attackers in the last few years, as it offers a number of things that appeal to them: wide deployment, a long update cycle and lots of readily available bugs. Java vulnerabilities often are included in exploit packs and tend to be used in the kind of drive-by download attacks that often ensnare unsuspecting users.
Oracle has not released any statements on the new Java flaw, but the next scheduled patch release is not until mid-October. Oracle does not release emergency patches often, so the best course of action right now is to disable Java in any browser that you use regularly.
To disable Java in Google Chrome:
Go to the wrench in the upper right corner of the browser window
Click on settings and search for Java in the search box
Click on the highlighted Content Settings button and then scroll down to the Plug-ins entry
Select Disable Individual Plugins and then click on Disable Java
To disable Java in Mozilla Firefox:
Click on the Firefox tab in the top left corner and then click Add-ons
Select Plug-ins and then click Disable on Java
Disabling Java in Internet Explorer is a little more complex, for some reason. Brian Krebs has a description of a couple of different methods for removing Java from IE.
Maha Guru
Videocard: SLI nVIDIA 560Ti
Processor: i7 950 @ 4.2GHz
Mainboard: eVGA 141-GT-E770-A1
Memory: Mushkin998966 Radioactive
Soundcard: X-Meridian 7.1 2G/ Z-5500
PSU: Corsair AX1200
08-30-2012, 22:08
| posts: 1,749
Java 7 update 7 is available, do you know if it resolves the issue or not?
Master Guru
Videocard: none
Processor: Cyrix
Mainboard: none
Memory: none
Soundcard: none
PSU: none
08-30-2012, 22:57
| posts: 578 | Location: Box
Quote:
Originally Posted by Arctucas
Java 7 update 7 is available, do you know if it resolves the issue or not?
|
you can check here http://isjavaexploitable.com/
Ancient Guru
Videocard: KFA2 Anarchy 580@930/4650
Processor: 2500K @ 4.5GHz - blew it!
Mainboard: Gigabyte P67 UD4 B3
Memory: 8G Kngston 2.2GHz CL11 1T
Soundcard: Minimax+ & Dexa Opamps !!
PSU: Corsair Pro AX750
08-30-2012, 23:10
| posts: 9,521 | Location: UK
There is another report that 2 zero day vulns are being used together to guarantee a successful hack.
http://www.theregister.co.uk/2012/08...ro_day_latest/
Quote:
A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April.
Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in circulation first uses a vulnerability to gain access to the restricted sun.awt.SunToolkit class before a second bug is used to disable the SecurityManager, and ultimately to break out of the Java sandbox.
"The beauty of this bug class is that it provides 100 per cent reliability and is multi-platform," Esteban Guillardoy, a researcher at Argentina-based security outfit Immunity explains in a technically detailed blog post here. "Hence this will shortly become the penetration test Swiss knife for the next couple of years."
Unpatched vulnerabilities to the so-called Gondvv exploit were introduced in Java 7.0, released in July 2011. All versions of Java 7 are vulnerable but older Java 6 versions appear to be immune. This factor means that Mac OS X users who follow best practice and apply the latest version of software applications are more at risk of attack.
Ancient Guru
Videocard: Sparkle Calibre GTX260
Processor: Pentium E6500 2.9Wolfdale
Mainboard: Gigabyte GA-X48-DS4
Memory: 4GB DDR2 667mhz
Soundcard: Realtek ALC889
PSU: 600w OCZ StealthXstream
08-30-2012, 23:51
| posts: 9,543 | Location: Leeds [UK]
How long has this been out? I got my first virus in about 10 years last month and all I was doing was browsing one of my usual sites like normal, had recently installed Java though, got a fake anti virus suddenly installed that wiped out a shed load of windows files. I used it as an excuse to buy an SSD, but it was annoying.
Maha Guru
Videocard: SLI nVIDIA 560Ti
Processor: i7 950 @ 4.2GHz
Mainboard: eVGA 141-GT-E770-A1
Memory: Mushkin998966 Radioactive
Soundcard: X-Meridian 7.1 2G/ Z-5500
PSU: Corsair AX1200
08-31-2012, 00:13
| posts: 1,749
Quote:
Originally Posted by mmicrosysm
|
It says Update 7 is OK.
Ancient Guru
Videocard: GeForce GTX 680 2GB SLI
Processor: Intel Core i7 3770K
Mainboard: ASUS P8Z77-V
Memory: G.SKILL RipjawsX 16 GB
Soundcard: Sound Blaster Zx + HD 595
PSU: Thermaltake TPG-750MPCEU
08-31-2012, 15:21
| posts: 9,152 | Location: Finland
Quote:
Originally Posted by Arctucas
Java 7 update 7 is available, do you know if it resolves the issue or not?
|
It does.
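
An added example, not part of any post in this thread: a small inventory check that classifies `java -version` banners using the version boundaries stated here (Java 7 affected, Java 6 not affected per the quoted article, update 7 reported as fixed in the replies). The host names and banner strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Matches the first line of `java -version`, e.g.  java version "1.7.0_06"
# Only the legacy 1.x.y_zz scheme is handled; anything else is "unknown".
BANNER = re.compile(r'version "1\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"')

# Assumptions taken from this thread, not from a vendor advisory:
# Java 7 before update 7 is exposed; Java 6 is not affected by this flaw.
AFFECTED_MAJOR = 7
FIRST_FIXED_UPDATE = 7


def parse_banner(text):
    """Return (major, update) parsed from `java -version` output, or None."""
    m = BANNER.search(text)
    if not m:
        return None
    # A banner without "_NN" is the initial release, i.e. update 0.
    return int(m.group(1)), int(m.group(3) or 0)


def classify(text):
    """Classify one banner as vulnerable / patched / not affected / unknown."""
    parsed = parse_banner(text)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major == AFFECTED_MAJOR and update < FIRST_FIXED_UPDATE:
        return "vulnerable"
    if major < AFFECTED_MAJOR:
        return "not-affected-by-this-flaw"
    return "patched"


def audit(inventory):
    """Map host -> classification for a dict of host -> banner text."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (not real hosts or captured output).
SAMPLE = {
    "desk-01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment',
    "desk-02": 'java version "1.7.0_07"',
    "desk-03": 'java version "1.6.0_34"',
    "desk-04": 'java version "1.7.0"',
    "desk-05": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```

A "not-affected-by-this-flaw" result only reflects the claim quoted in this thread about this one vulnerability; it says nothing about other issues in older Java releases.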
Maha Guru
Videocard: SLI nVIDIA 560Ti
Processor: i7 950 @ 4.2GHz
Mainboard: eVGA 141-GT-E770-A1
Memory: Mushkin998966 Radioactive
Soundcard: X-Meridian 7.1 2G/ Z-5500
PSU: Corsair AX1200
09-01-2012, 13:42
| posts: 1,749
Ancient Guru
Videocard: Sapphire Radeon 7970 OC
Processor: i7-3930K
Mainboard: Asus Rampage IV Extreme
Memory: Corsair Vengeance 16GB
Soundcard: Asus Xonar D2X
PSU: Corsair AX 1200W
09-26-2012, 16:33
| posts: 7,702 | Location: Sweden
http://blogs.computerworld.com/malwa...ion-users-risk
Another Java exploit, even bigger this time it would seem.
Maha Guru
Videocard: SLI nVIDIA 560Ti
Processor: i7 950 @ 4.2GHz
Mainboard: eVGA 141-GT-E770-A1
Memory: Mushkin998966 Radioactive
Soundcard: X-Meridian 7.1 2G/ Z-5500
PSU: Corsair AX1200
09-26-2012, 22:31
| posts: 1,749
I quit using it altogether.