LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   Java zero day attack (http://www.linuxquestions.org/questions/linux-general-1/java-zero-day-attack-4175445278/)

drmjh 01-12-2013 11:06 AM

Java zero day attack
 
I would appreciate some comment on this 'News'
I just read that the Dept. of Homeland Security is recommending ..."disabling Java from their browsers", for those computers that are vulnerable. I read some info about the susceptibility of even Linux (gasp!) on this site. This is an old problem with JRE, that just doesn't get fixed. It seems that the infamous STUXNET code was an amalgamation of 6 different flaws, all of which were zero day flaw-based.
What will replace Java?
Matthew

Thor_2.0 01-13-2013 04:07 AM

Quote:

What will replace Java?
Hey Mathew!

Thanks for the heads-up! Well, it all depends on what Java is supposed to do on the PC. And who's code you're using at the time. Applets will most likely not really be able to "get at the system" as they "live" in a sandbox anyway. Things can get tricky (when the code comes from a non-verified source) when a downloaded Java needs run-permits on the system. The Runescape viewer comes to mind. When the source is verified though, it's likely to be okay...after all...

As to your question above: Java may well be replaced by HTML5 for some (a lot of) stuff, not all, but the Java of the future may well differ from the one of today. Escpecially applet-related. HTML5 is the big contender to replace Flash in the (near/far) future anyway.

As for the platforms, not Linux, but Java gets targetted, of course, if that "dominoes" down to the OS, and that happens to be Linux, that's a completely different issue.

Maybe a digest of "what-will-happen-if's" is in order. Would such an attach result in a browser crash? Maybe most of us can live with that. The structure of Java, however, is such that a direct ***soft-style attack is not likely, IMHO...

Thor

H_TeXMeX_H 01-13-2013 05:23 AM

You could always use openjdk + icedtea, which don't have this problem.

I personally have no need of java, and I think it may disappear completely in the future.

sundialsvcs 01-13-2013 09:46 PM

Can you cite that news-source, and also validate that the US Department of Homeland Security actually said it? (In what DHS publication or release, accessible directly on their web-site?)

H_TeXMeX_H 01-14-2013 04:08 AM

http://www.zdnet.com/homeland-securi...aw-7000009713/

Thor_2.0 01-14-2013 05:31 AM

As a precaution, I installed the patch (#11) already. For Firefox, you'll need a new symlink in the plugins folder:

Quote:

mv /home/you/.mozilla/plugins/libnpjp2.so /home/you/.mozilla/plugins/Oldlibnpjp2.so
ln -s /[folder]/jre1.7.0_11/lib/i386/libnpjp2.so libnpjp2.so
the rest...is histooooooooooooooooooooory... :D

Thor
(typed in quickly, gotta go to work NOW!!!)

drmjh 01-14-2013 07:22 AM

sundialsvcs,
I jackrabbit all over the place when reading news, hence cannot locate the original article I read. However, following are 3 recent brief articles on the subject:
Matthew


ZDNet

Quote:
The U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw.

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Java users should disable or uninstall Java immediately to mitigate any damage.

The latest flaw, as earlier reported by ZDNet, is currently being exploited in the wild, security experts have warned. Alienvault Labs have reproduced and verified claims that the new zero-day that exploits a vulnerability in Java 7, according to security expert Brian Krebs.




-------------------------------------------------------------------------------------------------------
Aug28

Java Runtime Environment 1.7 Zero-Day Exploit Delivers Backdoor
10:02 am (UTC-7) | by Manuel Gatbunton (Threat Response Engineer)




An unpatched JRE 1.7/Java 7 zero-day vulnerability (CVE-2012-4681) was recently found to be exploited by a malicious .JAR file hosted on a specific site. Successful exploit leads to the download of a backdoor, in effect allowing remote malicious users to execute their desired commands on the vulnerable system.

The zero-day exploit successfully runs in all versions of Internet Explorer, Firefox and Opera. According to a testing done by Metasploit, the vulnerability also runs on Google Chrome and Safari.

Technical Analysis of the Exploit and Payload

The affected vulnerability is related to the new Java 7 classcom.sun.beans.finder.ClassFinder that allows the sun.awt.SunToolkit class to load, modify and execute the malicious code. This threat is composed of an HTML page with malicious JavaScript (index.html detected as JS_FIEROPS.A), a Java applet (applet.java detected as JAVA_GONDY.A), and the malicious binary (FLASH_UPDATE.exe detected as BKDR_POISON.BLW).

Users may encounter this threat by visiting a site, one of which is http://www.{BLOCKED}s.com/public/meeting/index.html, which results to the downloading and loading of the malicious Java applet (JAVA_GONDY.A). It then passes some parameters, which is then used to download BKDR_POISON.BLW.


------------------------------------------------------------------------------------------------------------------------------


Security experts on Java: Fixing zero-day exploit could take 'two years'


Summary: Amid growing concern over Java's security, Oracle released an emergency fix over the weekend. However, security professionals say that this measure doesn't go far enough.
Charlie Osborne

By Charlie Osborne for Zero Day | January 14, 2013 -- 09:41 GMT (01:41 PST)
1Comment
0 Votes
inShare
more +

Oracle, distributor of Sun's Java software, has not had the best weekend.
java fix not good enough security exploits research oracle update

First came the discovery of chinks in the computer language's armor last week, after researcher "kafeine" pointed out a number of websites that were using a zero-day security vulnerability within Java 7 Update 10, which could result in the installation of malware, identity theft or used to rope personal computers in to becoming unauthorized botnets -- which can then be used in denial-of-service attacks against other sites.

The problem was severe enough for the firm to release an emergency patch -- Java 7 Update 11 -- over the weekend. However, security experts have warned that the changes do not go far enough.

Security researcher Adam Gowdiak from Security Explorations has been keeping an eye on the software flaws in Java over the past year. Once Gowdiak analyzed the latest update to Java, he found that the patch still leaves a number of "critical security flaws," according to Reuters. This statement, mirrored by AlienVault Labs' Jaime Blasco who branded Oracle's offering as a "mess," was later reinforced by the firm's recommendation against using the software.

"We don't dare to tell users that it's safe to enable Java again," Gowdiak commented.

However, it is not only the general public which needs to sit up and take note. When it comes down to businesses, a number of security firms are also recommending immediate action to disable the software. For the average person, the possibility of identity theft or malware is horrendous, but it could cost firms far more over the long term.

Speaking to the news agency, chief security officer of business security company Rapid7 HD Moore estimated that it could take up to two years for Oracle to fix the flaws found in the version of Java used to browse the Internet -- not taking into consideration any further exploits that are developed within this timeframe.

It seems like something of a lost cause, as he advised:

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop."

Due to the widespread use of Java software, usually found as a plug-in on Internet browsers including Internet Explorer and Firefox, the security flaw is believed to have the potential to place over 850 million PCs at risk worldwide. It has not only been the concern of security experts, but the U.S. Department of Homeland Security has also advised that PC owners immediately disable and stop using the software. Apple has also taken steps to disable the OS X plugin which runs Java on some Macs, as well as updating the anti-malware definitions list XProtect.

The DHS' Computer Emergency Readiness Team (CERT) commented:

"We are currently unaware of a practical solution to this problem. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

TobiSGD 01-14-2013 07:43 AM

Sometimes events like that have good outcomings. Last time I tried OpenJDK my only Java application was not working with it, so I went back to Oracle's Java. This event made me try it again with the recent OpenJDK version and it works without any problem.

So for me it is: Bye, bye, Oracle Java, if you think you don't have to fix such a serious problem within 5 months (this was not a 0-day exploit) then I think I have no use for you.

drmjh 01-14-2013 09:02 AM

Hot off the Press:


Oracle releases v11 fix for zero-day Java security flaw

by Michael Grothaus Jan 14th 2013 at 9:00AM

Oracle has released an official fix for the Java security flaw that was reported by CERT (the Computer Emergency Readiness Team) on January 11. Shortly after the flagging by CERT, Apple took steps to disable the Java plug-in on all Macs running OS X 10.6 or later by amending the XProtect malware/minimum versions file.

Users who want to re-enable a secure, working version of Java can download the update here. The update is recommended users on all operating systems including Windows and Linux. Of course, if you don't need to be running a Java VM for a specific reason, your most secure path is to not have it installed.

At a minimum, you might consider TJ's reasonable advice and reserve your browser-centric Java activities to a single-site browser like Fluid.app, or simply leave Java disabled for browser access most of the time and only turn it on when specifically required.

From the release notes, Oracle states: "Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 'in the wild,' Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."

Apple no longer distributes its own version of Java for Macs running OS X 10.7 or higher. Oracle is now directly responsible for producing and updating the Mac JRE package, as it does for other mainstream operating systems.

[URL="http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/"]

Matthew

DavidMcCann 01-14-2013 01:01 PM

As I understand it, this is specific to Java 7. IcedTea and OpenJDK use a little original Java code, but I don't know if that's the code causing the problem. Even if it is, then that would only affect the latest version; my version (1.6) is definitely based on Java 6.

drmjh 01-14-2013 02:40 PM

Even HOTTER, right off the press:


Homeland Security warns Java still poses risks after security fix

Summary: After a security fix to patch Java 7 from a massive security vulnerability, the U.S. Department of Homeland Security has reiterated its warning that Java still poses risks.
Zack Whittaker

By Zack Whittaker for Zero Day | January 14, 2013 -- 20:05 GMT (12:05 PST)


The U.S. Department of Homeland Security has reiterated its warning to Java users that the widely used Web plug-in still poses risks for Internet users, even after Oracle patched the software to prevent hackers from exploiting a zero-day vulnerability.

Amid a serious security flaw in the latest version of Java 7, where even the U.S. Department of Homeland Security has warned users to disable the plug-in.



It comes as some security experts are warning that the new software -- Java 7 (Update 11), which was released on Sunday -- may not actually protect against hackers attempting to remotely execute code on user machines.

This code, security experts warn, could be used to acquire personal information and steal identities, or subscribe machines to 'botnets,' which can then be used to hit networks and Web sites with denial-of-service attacks.

Homeland Security said in an updated note that it is reiterating its advice it gave last week, in spite of Oracle updating the Java software to include a security fix that would prevent machines from being attacked by hackers.

The said: "Unless it is absolutely necessary to run Java in Web browsers, disable it [...] even after updating to [Update 11]."

Homeland Security warned on Friday that Internet users should disable the Web plug-in as soon as possible, to prevent being attacked by hackers or malware. While it's not uncommon for a government department to notify users of threats, advising users to actively disable or uninstall software is rare.

Java is used in more than 850 million PCs and Macs, along with billions of devices around the world, including cars, Blu-ray players, and mobile devices. The reason why the U.S. government stepped in, along with security experts and anti-malware companies, to warn users is because the zero-day vulnerability was being exploited in the wild by hackers and malware writers.

Experts and researchers have warned that fixing the zero-day exploit "could take two years." Rapid7 chief security officer HD Moore told the Reuters news agency that it could take this long for Oracle to fix the flaws found in Java -- not including any further exploits or vulnerabilities that are found in the meantime.

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop," he said.

We have reached out to Oracle for comment, but did not hear back at the time of writing. If we get a reply, we'll update the post.

rng 01-14-2013 07:32 PM

What action should be taken by those who are using icedtea plugin? There are a number of sites on google discussing this but final opinion is not clear. For example:
https://bugzilla.redhat.com/show_bug.cgi?id=852051

Also, Debian has icedtea-6-plugin, icedtea-7-plugin and icedtea-netx available. Which one would be safest?

TobiSGD 01-14-2013 07:38 PM

You realize that the bugreport you linked to is not about the recent exploit?

rng 01-14-2013 08:24 PM

The title does say: "Java 7 0day"

TobiSGD 01-14-2013 08:28 PM

Yes, Java had already more than one 0-day exploit. As almost any other software.
0-day is not a name of one particular exploit, it is the name of a class of exploits, those that weren't known before (that by the way is why the recent exploit is not a 0-day exploit, Oracle knew for months of the security hole).

http://en.wikipedia.org/wiki/Zero_day_exploit


All times are GMT -5. The time now is 06:53 AM.