All operating systems, browsers vulnerable
By Neil McAllister in San Francisco
Posted in Security, 27th August 2012 23:42 GMT
A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.
The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.
The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself.
In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.
All browsers running on these systems were found to be vulnerable if they had the Java plugin installed, including Chrome, Firefox, Internet Explorer, Opera, and Safari.
Although the actual source of the exploit is not known, it was originally discovered on a server with a domain name that resolved to an IP address located in China. The malware it installed on compromised systems attempted to connect to a command-and-control server believed to be located in Singapore.
Oracle has yet to comment on the vulnerability or when users should expect a fix, but it might be a while. The database giant ordinarily observes a strict thrice-annual patch schedule for Java, and the next batch of fixes isn't due until October 16.
Downgrading to an earlier version of Java is not advised, because even though earlier versions aren't vulnerable to this particular exploit, they may contain other bugs that expose still other vulnerabilities.
In advance of any official patch, and because of the seriousness of the vulnerability, malware researchers at DeepEnd Research have developed an interim fix that they say seems to prevent the rogue Java code from executing its payload, although it has received little testing.
Because the patch could be used to develop new exploits if it fell into the wrong hands, however, DeepEnd Research is only making it available by individual request to systems administrators who manage large numbers of clients for companies that rely on Java.
For individual users, the researchers say, the best solution for now is to disable the Java browser plugin until Oracle issues an official patch. ®
How to Disable Java, Credit to WK_of_Angmar
In Firefox: Press Firefox button -> Add-ons, go to Plugins and click the "Disable" button next to anything named "Java".
In Chrome: Type in: "chrome://plugins/" into the address bar (no speech marks). Scroll down to Java and click disable.
In Opera: Type in "opera:plugins" into the address bar (no speech marks). Scroll down to:
1. Disable UAC (if enabled) and restart.
2. Open the Java app in Control Panel.
3. Go to advanced tab.
4. Expand Default Java for browsers.
5. The checkbox next to IE is grayed out. Select Microsoft Internet Explorer and press spacebar so it is unchecked (no tick). Click OK.
6. You can re-enable UAC and restart now.
EDIT: Updated IE instructions. Credit to gilbes.
Java 6 isn't affected, which I assume most of you have but this is at least knowledgeable to some.
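A version check that follows from the article's statement that JRE 1.7 or later is affected and 1.6 or earlier is not, added here as an example that is not part of the original post or article. The label formats and sample strings are constructed assumptions about how Java names itself in `java -version` output, the Control Panel and browser plugin lists, and the function names are hypothetical.

```python
import re

# Label styles a user may see for the same runtime (assumed formats).
# The Deployment Toolkit number is assumed to track the JRE family.
_PATTERNS = [
    re.compile(r'Deployment Toolkit (?P<major>\d+)\.'),
    re.compile(r'Platform SE (?P<major>\d+)(?: U(?P<update>\d+))?'),
    re.compile(r'Java(?:\(TM\))? (?P<major>\d+)(?: Update (?P<update>\d+))?'),
    # "1.7.0_06" style: the family is the digit after the leading "1."
    re.compile(r'\b1\.(?P<major>\d+)\.\d+(?:_(?P<update>\d+))?'),
]


def java_family(label):
    """Return (major, update) parsed from a version label, or None."""
    for pattern in _PATTERNS:
        match = pattern.search(label)
        if match:
            update = match.groupdict().get('update')
            return int(match.group('major')), int(update) if update else None
    return None


def exposed(label):
    """True for Java 7 (1.7) or later, False for 6 or earlier, None if unknown."""
    parsed = java_family(label)
    if parsed is None:
        return None  # not a Java label: do not guess
    return parsed[0] >= 7


# Constructed sample labels, not taken from any real machine.
SAMPLES = [
    'java version "1.7.0_06"',
    'java version "1.6.0_33"',
    'Java(TM) 7 Update 6',
    'Java(TM) Platform SE 6 U33',
    'Java Deployment Toolkit 6.0.330.5',
    'Shockwave Flash 11.4',
]

if __name__ == '__main__':
    for label in SAMPLES:
        verdict = {True: 'disable plugin', False: 'not affected by this exploit',
                   None: 'not a Java label'}[exposed(label)]
        print(f'{label!r:45} {java_family(label)!s:12} {verdict}')
```

A `False` result only reflects this one exploit; as the article notes, older versions may carry other bugs.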
2012-08-28, 03:05 PM
Foxino
Re: Disable Java NOW, users told, as 0-day exploit hits web
Saved by my laziness to update Java.
2012-08-28, 03:07 PM
SaptaZapta
Re: Disable Java NOW, users told, as 0-day exploit hits web
Hm. My Firefox seems to have disabled Java due to this risk all by itself, two weeks ago.
2012-08-28, 03:10 PM
Razmos
Re: Disable Java NOW, users told, as 0-day exploit hits web
Quote:
Originally Posted by Foxino
Saved by my laziness to update Java.
Exactly the same. I've been holding off on updating it for like a year now and now I'm glad I did.
I disabled it anyway though.
2012-08-28, 03:19 PM
Cere
Re: Disable Java NOW, users told, as 0-day exploit hits web
I'm confused. There are like 23049584 Java things on my computer, and none of their version numbers is 1.x, 6.x, or 7.x? I'll disable my plugins anyway just in case, AFAICR nothing I do as of late requires it.
2012-08-28, 03:23 PM
Felicitates
Re: Disable Java NOW, users told, as 0-day exploit hits web
Darn guys.
Now I can't play runescape guys.
What am I supposed to do guys?
2012-08-28, 03:27 PM
Aircalibur
Re: Disable Java NOW, users told, as 0-day exploit hits web
Quote:
Originally Posted by Delicae
Darn guys.
Now I can't play runescape guys.
What am I supposed to do guys?
I dunno. But I hear there's this rad game called MapleStory out.*
*This post paid for by Nexon of America.
2012-08-28, 03:30 PM
Untradeable
Re: Disable Java NOW, users told, as 0-day exploit hits web
yeesh. this is like the stuff of nightmares. they can just up and force a keylogger onto your system using something almost everyone uses. D:
2012-08-28, 03:34 PM
SaptaZapta
Re: Disable Java NOW, users told, as 0-day exploit hits web
Quote:
Originally Posted by Untradeable
yeesh. this is like the stuff of nightmares. they can just up and force a keylogger onto your system using something almost everyone uses. D:
Quote:
Originally Posted by warning
The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload
So, you'd still have to visit their "custom web page" to get infected.
Of course they could hack into an innocent website and install their script on there, so better safe than sorry.
2012-08-28, 03:56 PM
KhainiWest
Re: Disable Java NOW, users told, as 0-day exploit hits web
Fortunately the only website I go on is southperry, the most reliable site on the planet
Re: Disable Java NOW, users told, as 0-day exploit hits web
Quote:
Originally Posted by SaptaZapta
So, you'd still have to visit their "custom web page" to get infected.
Of course they could hack into an innocent website and install their script on there, so better safe than sorry.
I could feasibly see somehow injecting this into an Ad on a website without actually hacking it.
2012-08-28, 03:58 PM
Celan
Re: Disable Java NOW, users told, as 0-day exploit hits web
>quickly disables Java after seeing I have 1.7
Goddamn auto-download.
2012-08-28, 04:01 PM
Flonne
Re: Disable Java NOW, users told, as 0-day exploit hits web
Best targets ever would be huge websites like 4chan, reddit, twitter, etc. Good thing I don't use any of those.
2012-08-28, 04:18 PM
Celan
Re: Disable Java NOW, users told, as 0-day exploit hits web
Facebook and Youtube. Boom, world deleted.
o--o
2012-08-28, 05:15 PM
FabledGumbo
Re: Disable Java NOW, users told, as 0-day exploit hits web
so I don't need to disable Java if I'm using deployment toolkit 6 and platform SE 6?
2012-08-28, 05:42 PM
MariettaRC
Re: Disable Java NOW, users told, as 0-day exploit hits web
I'm using 1.6, but I disabled it anyway.
Yeesh.
2012-08-28, 05:57 PM
Piggy 2.0
Re: Disable Java NOW, users told, as 0-day exploit hits web
Usin 6, should be fine.
I hope.
2012-08-28, 06:01 PM
Arrol
Re: Disable Java NOW, users told, as 0-day exploit hits web
Quote:
Originally Posted by MariaColette
I'm using 1.6, but I disabled it anyway.
Yeesh.
Better safe than sorry.
2012-08-29, 12:11 AM
DeanNim
Re: Disable Java NOW, users told, as 0-day exploit hits web
Chrome only prompted a critical security update. So I guess the patch is out? o.o
2012-08-29, 12:32 AM
Green4Ever
Re: Disable Java NOW, users told, as 0-day exploit hits web