Slashdot Mirror


A Tidal Wave of Java Flaw Exploitation

tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack." Several days ago, Oracle released a patch that fixed 29 Java security flaws.

43 of 238 comments

  1. How? by MrEricSir · · Score: 4, Interesting

    The one question this article doesn't really clarify is pretty important: How are these exploits being loaded onto the user's computer?

    Are we talking applets, Java web start, or some other mechanism?

    --
    There's no -1 for "I don't get it."
    1. Re:How? by adisakp · · Score: 5, Informative

      CVE            Attacks    Computers  Description
      CVE-2008-5353  3,560,669  1,196,480  A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
      CVE-2009-3867  2,638,311  1,119,191  Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
      CVE-2010-0094  213,502    173,123    Another deserialization issue, very similar to CVE-2008-5353.

    2. Re:How? by Florian+Weimer · · Score: 5, Informative

      Propagation generally happens via applets, loaded through IFRAMEs or Javascript-based redirects. Actual payloads are not yet OS-agnostic (even though the exploits themselves are).
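
      To make the propagation path described above concrete from the defender's side, here is an added example (not code from the thread or from any poster) that scans an HTML document for the constructs an applet-based drive-by relies on: hidden IFRAMEs, `<applet>` tags, `<object>`/`<embed>` tags that invoke the Java Plug-in, and the `<param>` entries that name the archive. The sample page, the `.invalid` hostnames and the size/visibility heuristic are constructed for illustration; the Java Plug-in MIME type and classid markers are the plug-in's well-known values.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the thread): a benign-looking page that
# drags in an applet through a zero-size IFRAME and a Java Plug-in <object>.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://attacker.invalid/load.html" width="0" height="0"></iframe>
<applet code="Load.class" archive="http://attacker.invalid/j.jar" width="1" height="1"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
  <param name="archive" value="http://attacker.invalid/payload.jar">
</object>
<iframe src="http://example.invalid/widget" width="300" height="200"></iframe>
</body></html>
"""

# MIME type and classid markers used by the Java Plug-in's <object>/<embed> tags.
JAVA_MIME = "application/x-java-applet"
JAVA_CLSID_MARKERS = ("8AD9C840-044E-11D1-B3E9-00805F499D93", "CAFEEFAC-")


def _is_hidden(attrs):
    """Element sized to 0/1 pixels or styled invisible: the shape of a drive-by loader."""
    width = attrs.get("width", "").strip().lower().rstrip("px")
    height = attrs.get("height", "").strip().lower().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (width in ("0", "1") or height in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def _is_java_plugin(attrs):
    """True for <object>/<embed> tags addressed to the Java Plug-in."""
    classid = attrs.get("classid", "").upper()
    mime = attrs.get("type", "").lower()
    return mime == JAVA_MIME or any(m in classid for m in JAVA_CLSID_MARKERS)


class AppletLoaderFinder(HTMLParser):
    """Collects (kind, reference) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "applet":
            self.findings.append(("applet", a.get("archive") or a.get("code", "")))
        elif tag in ("object", "embed") and _is_java_plugin(a):
            self.findings.append(("java-plugin-" + tag, a.get("data") or a.get("src", "")))
        elif tag == "param" and a.get("name", "").lower() in ("archive", "code", "jnlp_href"):
            self.findings.append(("applet-param", a.get("value", "")))


def scan_html(html):
    """Return the list of applet-loading constructs found in one HTML document."""
    finder = AppletLoaderFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for kind, ref in scan_html(SAMPLE_HTML):
        print(f"{kind:20} {ref}")
```

      The visible 300x200 IFRAME is deliberately left alone: the point is to surface the combination of concealment and plug-in invocation, which is what a proxy or page-inspection rule would alert on, not IFRAMEs as such.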

    3. Re:How? by adisakp · · Score: 4, Informative

      The keywords in the above descriptions are "remote code execution through Java-enabled browsers on multiple platforms". The flaw is not Windows specific but could also be exploited on OSX and Linux.

    4. Re:How? by JonySuede · · Score: 2, Interesting

      According to CVE-2010-0094, the vulnerability is in RMIConnectionImpl, and since you can only initiate a connection to your host in an applet, I would guess that you would need to use Java Web Start.

      --
      Jehovah be praised, Oracle was not selected
    5. Re:How? by hydrofix · · Score: 3, Informative

      I feel that NoScript is doing a greater and greater work in protecting me each and every day.

    6. Re:How? by doishmere · · Score: 3, Informative

      A few days ago smbc comics was hit with a Java exploit in the form of a popup that installed a trojan on users' machines. People affected were discussing it here; from this it looks like mostly Windows machines were infected, but at least one user claims Ubuntu was affected.

    7. Re:How? by Bill_the_Engineer · · Score: 4, Informative

      CVE-2008-5353 was fixed with Apple's Java Patch #2 on June 15, 2009.

      CVE-2009-3867 was fixed with Apple's Java for OS X 10.6 Update #1 and Java on 10.5 Patch #6 on December 3, 2009.

      CVE-2010-0094 was fixed with Apple's Java for OS X 10.6 Update #2 and Java on OS X 10.5 Update #7 on May 18, 2010.

      The flaw may not be Windows specific, but OS X is not included in your list.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    8. Re:How? by Bill_the_Engineer · · Score: 5, Informative

      After further research, it appears that Oracle/Sun's latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    9. Re:How? by emkyooess · · Score: 2, Informative

      In response to all of these "Java!=Javascript" comments that are here. Yes, we do. NoScript does a lot more than just JavaScript. It sandboxes Java and Flash until we tell them to run, too. It limits XSS. A lot of things, really.

    10. Re:How? by init100 · · Score: 3, Informative

      NoScript blocks all executable content on a web page, including Java applets, Javascript, Flash, etc, and lets you decide which ones to allow on a per-site basis.

    11. Re:How? by Kvasio · · Score: 2, Insightful

      Perhaps this is because each Java update forces the bloody 'autoupdater service' (jusched).
      Theoretically it allows the user to turn it off.
      When I turn it off, close the Java config and reopen it, the schedule is still active.
      Cutting it in the registry is the proper solution.

    12. Re:How? by adisakp · · Score: 2, Informative

      oh please clueless astroturfing MS fanbois: how can you mod +5 informative adisakp's clueless comment?

      Not so on Linux.

      I'm hardly an MS fanboi but I'll reply to your obvious flamebait anyhow. Isn't it a bit harsh to call someone "really clueless" when all I did was point out that the vulnerability exists on all platforms? After all, the summary makes it sound like a Windows-only problem.

      Yes, it may be harder to escalate privileges, but it's not impossible. Linux and OSX are inherently safer, but they've been hacked in seconds to get root privileges in just about every pwn contest held so far when 3rd party software with vulnerabilities is installed. Pretending this is a Windows-only issue isn't going to make OSX / Linux machines any safer.

    13. Re:How? by broken_chaos · · Score: 4, Informative

      It sandboxes Java and Flash until we tell them to run, too.

      You're saying two different things in this sentence, only one of which is true. NoScript does only load plugins if you click on them (assuming it's configured to do so), but it does not "sandbox" plugins in any way. If you allow a malicious object to be loaded in a plugin (such as by clicking on it), NoScript does nothing to stop it.

    14. Re:How? by WuphonsReach · · Score: 2, Insightful

      After further research, it appears that Oracle/Sun's latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.

      Probably because the Java updater is a piece of garbage that constantly tries to get you to install toolbars from Bing! or Yahoo! or whoever else is attempting to line their pockets this month.

      An update tool should not attempt to install additional software.

      --
      Wolde you bothe eate your cake, and have your cake?
  2. Nervous by Konster · · Score: 4, Funny

    Seeing Oracle and Java all in the same sentence gives me a nervous tic... the same nervous tic that I developed when I read MS was in talks to acquire Adobe.

    1. Re:Nervous by MrEricSir · · Score: 4, Funny

      Just wait until you hear the news that Larry Ellison is buying Linus Torvalds.

      --
      There's no -1 for "I don't get it."
  3. Patches have been available for a long time by adisakp · · Score: 3, Insightful

    FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.

    So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.

    1. Re:Patches have been available for a long time by lgw · · Score: 4, Insightful

      I've run out of space in my head for all the different tools I need to separately manage updates for.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Patches have been available for a long time by MozeeToby · · Score: 4, Interesting

      For reasons I have never been able to figure out, Java has significant issues auto-updating on all my home Windows computers (XP, Vista, and 7). Sure enough, just last week I had to spend a night sanitizing one of the systems. For now I've uninstalled Java until I have the chance to figure out just what the problem is, but honestly not having it hasn't been a problem, so I'll probably just leave it off until I find something that actually requires it.

    3. Re:Patches have been available for a long time by Florian+Weimer · · Score: 4, Interesting

      Java updates contain unrelated bugfixes and functionality, breaking applications. They are far from being minimal updates. Back in the Sun days, this was addressed by enabling parallel installation of many JVM versions. It was even possible for web content to request a specific JVM version, which means that you actually had to update to a newer version and delete all the old versions. I'm not completely sure that this part has actually been addressed. It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).

    4. Re:Patches have been available for a long time by Anonymous Coward · · Score: 5, Funny

      I've run out of space in my head for all the different tools I need to separately manage updates for.

      Sounds like you need a computer.

    5. Re:Patches have been available for a long time by ADRA · · Score: 3, Insightful

      Java Web Start allows a developer to specify an exact version of the JVM to run. If that JVM doesn't exist, it could be downloaded from Oracle through the Web Start installation process. I'm not sure if you can specify flaw-enabled versions of the JVM anymore, but at least there are dialogs and choices to make before the JVM gets installed anyway, so a naked web site can't just inject a bad JVM into your system based on an exploit Web Start file. The same goes for applets these days, as applets and Web Start start merging into some sort of common entity.

      That said, there are a lot of 3rd party vendors that have installed JVMs over things, and set environment variables that break other things over the years (Oracle DB client, I'm looking at you!), which can cause all sorts of compatibility problems.

      --
      Bye!
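
      As an added illustration of the JNLP version-pinning ADRA describes (example code written for this page, not from the thread or from Oracle): the audit below parses a JNLP file, finds each `<j2se>`/`<java>` element, and flags version specs that pin one exact JRE, that request a platform older than an assumed floor of 1.6 (the thread notes 1.4 and 5 are out of security support), or that carry an `href` telling Web Start where to download that JRE. The two JNLP documents and the `.invalid` URLs are constructed; the `version` grammar (`+` for "or later", `*` for a prefix match) is the one JNLP uses.

```python
import xml.etree.ElementTree as ET

# Assumed floor: the thread says 1.4 and 5 are out of security support, so any
# request for a platform below 1.6 is flagged.
FLOOR = (1, 6)

# Constructed JNLP files (not from the thread). The first pins one exact JRE and
# gives Web Start a download location; the second only sets a minimum version.
PINNED_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://app.example.invalid/" href="app.jnlp">
  <information><title>Demo</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.5.0_06" href="http://jre.example.invalid/autodl"/>
    <jar href="app.jar" main="true"/>
  </resources>
  <application-desc main-class="demo.Main"/>
</jnlp>
"""
MINIMUM_JNLP = PINNED_JNLP.replace(
    '<j2se version="1.5.0_06" href="http://jre.example.invalid/autodl"/>',
    '<java version="1.6+"/>')


def parse_java_version(spec):
    """'1.6.0_22' -> (1, 6, 0, 22); trailing '+'/'*' qualifiers are ignored."""
    main, _, update = spec.rstrip("+*").partition("_")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + ((int(update) if update.isdigit() else 0),)


def audit_jre_specs(jnlp_text):
    """Return (version_token, issue) pairs for every <j2se>/<java> element."""
    issues = []
    root = ET.fromstring(jnlp_text)
    for el in root.iter():
        if el.tag.split("}")[-1] not in ("j2se", "java"):  # tolerate a namespace
            continue
        for token in el.get("version", "").split():
            if not token.endswith(("+", "*")):
                issues.append((token, "exact-pin"))          # one specific JRE only
            if parse_java_version(token)[:2] < FLOOR:
                issues.append((token, "below-floor"))        # pre-1.6 platform requested
            if el.get("href"):
                issues.append((token, "autodownload-href"))  # Web Start may fetch that JRE
    return issues


if __name__ == "__main__":
    for name, doc in (("pinned", PINNED_JNLP), ("minimum", MINIMUM_JNLP)):
        print(name, audit_jre_specs(doc) or "clean")
```

      A spec such as `1.6+` lets the newest installed JRE run the application, which is the configuration ADRA's second comment argues for; an exact pin plus an `href` is the case where a stale JRE can be pulled onto a workstation on the application's behalf.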
    6. Re:Patches have been available for a long time by Darkness404 · · Score: 2, Insightful

      Exactly. Java has become a massive security hole with exploits left and right with fewer and fewer things that use it.

      Plus, the patch wants you to install a massive amount of crapware in order to patch your system.

      --
      Taxation is legalized theft, no more, no less.
    7. Re:Patches have been available for a long time by tuffy · · Score: 2, Insightful

      "Write Once, Run on a Very Specific Virtual Machine Version Which We'll Download For You Automatically" doesn't sound quite so appealing.

      --
      Ita erat quando hic adveni.

    8. Re:Patches have been available for a long time by ADRA · · Score: 4, Informative

      There are maybe 3 major versions of Java still in somewhat standard use: 1.4, 1.5, and 1.6. Unless the application in question has some very specific quirks, users should always be able to use the latest and greatest version of 1.6 to run them. The allowance for using older versions of the platform is a feature, not a hindrance.

      It means that if I want to use "BadSoftwareCompany"'s piece of Java software, I'm not confined to downloading and breaking my host's latest version of Java if their code only works with 1.4 or 1.5. If I didn't have the feature, I just couldn't use the software without a huge headache. To assume that every version of every piece of software will work forever is delusional, but at least there are facilities to support the older tech.

      --
      Bye!
    9. Re:Patches have been available for a long time by vlm · · Score: 4, Interesting

      He seemed pretty accurate other than some exaggeration. If you want to see a "Massive amount of crapware" buy a PC from a big box store, not "java tried to install the yahoo toolbar boo hoo".

      The funniest Java related thing I've seen, is amongst the non-computer cow orkers "Oh man, another java program, that thing is gonna be slow and take IT forever to install (actually they mean the JVM) and crash all the time". Computer people have known that for over a decade now, the funny part is hearing non computer people start to complain.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    10. Re:Patches have been available for a long time by Ant+P. · · Score: 5, Funny

      I guess Windows isn't ready for the desktop.

    11. Re:Patches have been available for a long time by lgw · · Score: 3, Informative

      All it needs is to allow me to manage a list of repositories that I trust (one centrally managed repository won't fly in the commercial world, but it doesn't have to be that way). It's a small addition - maybe next year will be the year of Windows on the desktop!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    12. Re:Patches have been available for a long time by blackest_k · · Score: 2, Informative

      Usually that is the case but

      https://bugs.launchpad.net/ubuntu/+source/sun-java6/+bug/659937

      The current version appears to be vulnerable. You can manually update or use the PPA:

      sudo add-apt-repository ppa:duh/sun-java6

      and then the usual update upgrade
      when the official packaging comes out it should overwrite the ppa version.
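
      The thread's recurring point is that the attacked flaws were patched long ago and that victims simply run old JREs. The following added example (not from the thread or from any poster) parses `java -version` output, which the JRE writes to stderr, and reports whether the installed build is below a required update level; the sample output is constructed around the 6u20 build mentioned later in the thread, and `REQUIRED_VERSION_PLACEHOLDER` must be replaced with the update level of the vendor's current release, which the thread does not state.

```python
import re
import subprocess

# Constructed `java -version` output (not from the thread); the layout matches
# what the Sun/Oracle JRE prints, and it goes to stderr rather than stdout.
SAMPLE_OUTPUT = """java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) Client VM (build 16.3-b01, mixed mode, sharing)
"""

# Placeholder: set this to the update level of the vendor's current release.
REQUIRED_VERSION_PLACEHOLDER = "1.6.0_21"


def parse_java_version(s):
    """'1.6.0_20' -> (1, 6, 0, 20); missing fields default to 0."""
    main, _, update = s.partition("_")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + ((int(update) if update.isdigit() else 0),)


def installed_version(output):
    """Pull the quoted version string out of `java -version` output, or None."""
    m = re.search(r'java version "([^"]+)"', output)
    return m.group(1) if m else None


def needs_update(output, required):
    """True when no JRE is detected or the detected build is older than `required`."""
    found = installed_version(output)
    if found is None:
        return True  # nothing parseable: never report an unknown JRE as current
    return parse_java_version(found) < parse_java_version(required)


def live_output():
    """Run the real `java -version` on this host; empty string if no java binary."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_OUTPUT), ("this host", live_output())):
        ver = installed_version(text) or "none found"
        state = "NEEDS UPDATE" if needs_update(text, REQUIRED_VERSION_PLACEHOLDER) else "ok"
        print(f"{label}: {ver} -> {state}")
```

      Comparing on the full (major, minor, micro, update) tuple rather than on the string matters because the update number is what changes between security releases; a plain string comparison would rank `1.6.0_9` above `1.6.0_20`.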

  4. Re:Nerd rage by interkin3tic · · Score: 4, Insightful

    Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?

  5. Oracle just put me in a rough spot by Anonymous Coward · · Score: 2, Interesting

    This creates a huge issue for the company I provide support for. We have so far not updated beyond 6u20. That is the last version of the JVM to carry the "Sun Microsystems" label instead of something referencing Oracle.

    Some divisions of this company (and I would assume others as well) still run apps that seem to be incompatible with anything above 6u20 for this reason. Oracle's poor stewardship of the Java platform has led to a situation where we will have to make a decision on a per-workstation basis whether to lose access to some important applications, or remain vulnerable to Java exploits for an unknown and possibly indefinite period of time.

  6. Patch bloat by edxwelch · · Score: 5, Interesting

    What's annoying is there is no real "patch" as such. You have to install the entire 77MB package from scratch and it installs crap like the Yahoo toolbar by default.

    1. Re:Patch bloat by TubeSteak · · Score: 4, Informative

      What's annoying is there is no real "patch" as such. You have to install the entire 77MB package from scratch and it installs crap like the Yahoo toolbar by default.

      If you update through the java control panel, it definitely does not grab the entire 77MB package + toolbar.

      --
      [Fuck Beta]
      o0t!
    2. Re:Patch bloat by _xeno_ · · Score: 2, Informative

      Last I checked, that just updated the JRE - the only way to update the JDK was to pull a complete new copy.

      --
      You are in a maze of twisty little relative jumps, all alike.
    3. Re:Patch bloat by _xeno_ · · Score: 2, Informative

      Quite a few people who post on Slashdot are developers. I happen to be employed to write Java webapps. To do this, I need the JDK.

      If you're doing the full 77MB download, you're grabbing the JDK. As I posted, as far as I know, Sun never offered patches for the JDK: your only choice was to redownload the entire thing. Oracle appears to be continuing that practice.

      If all you're using is the JRE, the download is much smaller (16MB versus 77MB) and it should be able to automatically update via patches.

      However for quite a few Slashdot posters, the JRE is not an option, and we're stuck downloading the entire JDK. Every. Single. Freaking. Time. It's a bit annoying, especially seeing as some 20+MB are just documentation and examples that rarely change between updates.

      --
      You are in a maze of twisty little relative jumps, all alike.
  7. This article speaks the truth by gman003 · · Score: 5, Funny

    I'm still in the process of repairing my Windows system after a Java-transmitted virus. A hacked website was sending out malware to visitors via Java applet, and the only solution I found was a format/reinstall. Since then, I've disabled Java on all my machines; the only things I've seen it used for are crappy browser games and malware.

  8. Re:JVM on Windows? by MrEricSir · · Score: 4, Funny

    Yeah, they should have used ActiveX, right?

    --
    There's no -1 for "I don't get it."
  9. Java applets require authorization by SplashMyBandit · · Score: 2, Interesting

    If the infections were coming via Java applets then it becomes pertinent to ask how they got onto the machine. Java applets must be signed to write to the user's hard drive. This means either the user was prompted to approve an untrusted certificate and did so, or the malware organisation had a trusted certificate, in which case the trust authority should revoke the certificate. It is not as though applets are without protection for the end user.

    1. Re:Java applets require authorization by SamiKoivu · · Score: 3, Informative

      CVE-2010-0094 is a privilege escalation vulnerability in the JVM. The applet does not need to be signed and the user does not need to click OK on any dialog window. Even though the flaw is in an RMI related class, the exploitation does not require RMI privileges. No RMI stuff actually takes place, it just happens that this class is a trusted JVM core class that could in the previous versions of Java be exploited into elevating untrusted applet code privileges, thusly escaping the sandbox. Having escaped the sandbox the Java code can then do whatever it wishes, within the local privileges of the user running the browser process, including native code of the platform it's being run on.

  10. Re:Nice try by turgid · · Score: 3, Informative

    Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.

    Me neither. I switched to Linux in 1996.

  11. Re:Ironically it's in the C-written part of the JV by SamiKoivu · · Score: 2, Interesting

    Two of the three cited vulns aren't actually buffer overflows. It's badly written Java code that other Java code can exploit to escape from the sandbox.

  12. Re:JRE's no mere ranger. by Haeleth · · Score: 2, Funny

    Here in the Enterprise(tm) world, we generally tend to, y'know, test shit thoroughly before launching/updating it.

    Indeed. Most of the Enterprise(tm) world is probably completely safe from these attacks. At least till 2027 when they upgrade to the vulnerable versions.