A Tidal Wave of Java Flaw Exploitation

← Back to Stories (view on slashdot.org)

A Tidal Wave of Java Flaw Exploitation

Posted by Soulskill on Monday October 18, 2010 @08:04AM from the surf's-up dept.

tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack." Several days ago, Oracle released a patch that fixed 29 Java security flaws.

29 of 238 comments (clear)

Min score:

Reason:

Sort:

How? by MrEricSir · 2010-10-18 08:10 · Score: 4, Interesting

The one question this article doesn't really clarify is pretty important: How are these exploits being loaded onto the user's computer?
Are we talking applets, Java web start, or some other mechanism?

--
There's no -1 for "I don't get it."
1. Re:How? by adisakp · 2010-10-18 08:14 · Score: 5, Informative
  
  CVE Attacks Computers Description
  
  CVE-2008-5353 3,560,669 1,196,480 A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
  
  CVE-2009-3867 2,638,311 1,119,191 Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
  
  CVE-2010-0094 213,502 173,123 Another deserialization issue, very similar to CVE-2008-5353.
2. Re:How? by Florian+Weimer · 2010-10-18 08:14 · Score: 5, Informative
  
  Propagation generally happens via applets, loaded through IFRAMEs or Javascript-based redirects. Actual payloads are not yet OS-agnostic (even though the exploits themselves are).
3. Re:How? by adisakp · 2010-10-18 08:16 · Score: 4, Informative
  
  The keywords in the above descriptions are "remote code execution through Java-enabled browsers on multiple platforms". The flaw is not Windows specific but could also be exploited on OSX and Linux.
4. Re:How? by hydrofix · 2010-10-18 08:37 · Score: 3, Informative
  
  I feel that NoScript is doing a greater and greater work in protecting me each and every day.
5. Re:How? by doishmere · 2010-10-18 08:39 · Score: 3, Informative
  
  A few days ago smbc comics was hit with a Java exploit in the form of a popup that installed a trojan on users machines. People affected were discussing it here; from this it looks like mostly Windows machines were infected, but at least one user claims Ubuntu was affected.
6. Re:How? by Bill_the_Engineer · 2010-10-18 08:43 · Score: 4, Informative
  
  CVE-2008-5353 was fixed with Apple's Java Patch #2 on June 15, 2009.
  CVE-2009-3867 was fixed with Apples Java for OS X 10.6 Update #1 and Java on 10.5 Patch #6 on December 3, 2009
  CVE-2010-0094 was fixed With Apple's Java for OS X 10.6 Update #2 and Java on OS X 10.5 Update #7 on May 18, 2010
  The flaw may not be Windows specific, but OS X is not included in your list.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
7. Re:How? by Bill_the_Engineer · 2010-10-18 08:48 · Score: 5, Informative
  
  After further research. It appears that Oracle/Sun latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.
  
  --
  These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
8. Re:How? by init100 · 2010-10-18 09:07 · Score: 3, Informative
  
  NoScript blocks all executable content on a web page, including Java applets, Javascript, Flash, etc, and lets you decide which ones to allow on a per-site basis.
9. Re:How? by broken_chaos · 2010-10-18 09:51 · Score: 4, Informative
  
  It sandboxes Java and Flash until we tell them to run, too.
  You're saying two different things in this sentence, only one of which is true. NoScript does only load plugins if you click on them (assuming it's configured to do so), but it does not "sandbox" plugins in any way. If you allow a malicious object to be loaded in a plugin (such as by clicking on it), NoScript does nothing to stop it.
Nervous by Konster · 2010-10-18 08:10 · Score: 4, Funny

Seeing Oracle and Java all in the same sentence gives me a nervous tick...the same nervous tick that I developed when I read MS was in talks to acquire Adobe.
1. Re:Nervous by MrEricSir · 2010-10-18 08:25 · Score: 4, Funny
  
  Just wait until you hear the news that Larry Ellison is buying Linus Torvalds.
  
  --
  There's no -1 for "I don't get it."
Patches have been available for a long time by adisakp · 2010-10-18 08:11 · Score: 3, Insightful

FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.
So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.
1. Re:Patches have been available for a long time by lgw · 2010-10-18 08:16 · Score: 4, Insightful
  
  I've run out of space in my head for all the different tools I need to seperately manage updates for.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
2. Re:Patches have been available for a long time by MozeeToby · 2010-10-18 08:16 · Score: 4, Interesting
  
  For reasons I have never been able to figure out, Java has significant issues auto updating on all my home Windows computers (XP, Vista, and 7). Sure enough, just last week I had to spend a night sanitizing one of the systems, for now I've uninstalled Java until I have the chance to figure out just what the problem is but honestly not having it hasn't been a problem so I'll probably just leave it off until I find something that actually requires it.
3. Re:Patches have been available for a long time by Florian+Weimer · 2010-10-18 08:19 · Score: 4, Interesting
  
  Java updates contain unrelated bugfixes and functionality, breaking applications. They are far from being minimal updates. Back in the Sun days, this was addressed by enabling parallel installation of many JVM versions. It was even possible for web content to request a specific JVM version, which means that you actually had to update to a newer version and delete all the old versions. I'm not complete sure that this part has actually been addressed. It's certainly a problem for those who still need to use Java 1.4 or Java 5 (which are out of security support now, but are still widely mandated in the industry).
4. Re:Patches have been available for a long time by Anonymous Coward · 2010-10-18 08:27 · Score: 5, Funny
  
  I've run out of space in my head for all the different tools I need to seperately manage updates for.
  Sounds like you need a computer.
5. Re:Patches have been available for a long time by ADRA · 2010-10-18 08:33 · Score: 3, Insightful
  
  Java web start allows a developer to specify an exact version of the JVM to run. If that JVM doesn't exist, it could be downloaded from Oracle through the web start installation process. I'm not sure if you can specify flaw enabled versions of the JVM anymore, but at least there are dialogs and choices to make before the JVM gets installed anyways, so a naked web site can't just inject a bad JVM into your system based on an exploit web start file. The same goes for applets these days, as applets and web start start merging into some sort of common entity.
  That said, there are a lot of 3rd party vendors that have installed JVM's over things, and set environment variables that break other things over the years (Oracle DB client I'm looking at you!) that can cause all sorts of compatibility problems.
  
  --
  Bye!
6. Re:Patches have been available for a long time by ADRA · 2010-10-18 09:01 · Score: 4, Informative
  
  There are maybe 3 major versions of Java still in somewhat standard use: 1.4, 1.5, and 1.6. Unless the application in question has some very specific quirks, users should always be able to use the latest and greatest version of 1.6 to run them. The allowance for using older versions of the platform is a feature, not a hindrance.
  It means that if I want to use "BadSoftwareCompany"'s piece of java software, I'm not confined with downloading and breaking my host's latest version of the java if their code only works with 1.4 or 1.5. If I didn't have the feature, I just couldn't use the software without a huge head-ache. To assume that every version of every software will work forever is delusional, but at least there are facilities to support the older tech.
  
  --
  Bye!
7. Re:Patches have been available for a long time by vlm · 2010-10-18 09:09 · Score: 4, Interesting
  
  He seemed pretty accurate other than some exaggeration. If you want to see a "Massive amount of crapware" buy a PC from a big box store, not "java tried to install the yahoo toolbar boo hoo".
  The funniest Java related thing I've seen, is amongst the non-computer cow orkers "Oh man, another java program, that thing is gonna be slow and take IT forever to install (actually they mean the JVM) and crash all the time". Computer people have known that for over a decade now, the funny part is hearing non computer people start to complain.
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
8. Re:Patches have been available for a long time by Ant+P. · 2010-10-18 09:22 · Score: 5, Funny
  
  I guess Windows isn't ready for the desktop.
9. Re:Patches have been available for a long time by lgw · 2010-10-18 09:30 · Score: 3, Informative
  
  All it needs is to allow me to manage a list of repositories that I trust (one centrally managed repository won't fly in the commercial world, but it doesn't have to be that way). It's a small addition - maybe next year will be the year of Windows on the desktop!
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
Re:Nerd rage by interkin3tic · 2010-10-18 08:19 · Score: 4, Insightful

Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?
Patch bloat by edxwelch · 2010-10-18 08:23 · Score: 5, Interesting

What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
1. Re:Patch bloat by TubeSteak · 2010-10-18 09:01 · Score: 4, Informative
  
  What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.
  If you update through the java control panel, it definitely does not grab the entire 77MB package + toolbar.
  
  --
  [Fuck Beta]
  o0t!
This article speaks the truth by gman003 · 2010-10-18 08:24 · Score: 5, Funny

I'm still in the process of repairing my Windows system after a Java-transmitted virus. A hacked website was sending out malware to visitors via Java applet, and the only solution I found was a format/reinstall. Since then, I've disabled Java on all my machines; the only things I've seen it used for are crappy browser games and malware.
Re:JVM on Windows? by MrEricSir · 2010-10-18 08:28 · Score: 4, Funny

Yeah, they should have used ActiveX, right?

--
There's no -1 for "I don't get it."
Re:Nice try by turgid · 2010-10-18 09:23 · Score: 3, Informative

Incidentally, what are some of my fellow Slashdotters' checklists when they experience an infection? I haven't had any problems for years, so I haven't put much thought into it until last week when I got infected.
Me neither. I switched to Linux in 1996.

--
Stick Men
Re:Java applets require authorization by SamiKoivu · 2010-10-18 17:06 · Score: 3, Informative

CVE-2010-0094 is a privilege escalation vulnerability in the JVM. The applet does not need to be signed and the user does not need to click OK on any dialog window. Even though the flaw is in an RMI related class, the exploitation does not require RMI privileges. No RMI stuff actually takes place, it just happens that this class is a trusted JVM core class that could in the previous versions of Java be exploited into elevating untrusted applet code privileges, thusly escaping the sandbox. Having escaped the sandbox the Java code can then do whatever it wishes, within the local privileges of the user running the browser process, including native code of the platform it's being run on.