Disable Java for your browser
Posted: Wed Aug 29, 2012 1:40 pm
There is a critical vulnerability in Oracle's Java software framework that makes it possible to install malware on computers running Windows, Mac OS X, or Linux (all variants and flavors of Linux are affected). There are actually two vulnerabilities (bugs) in the Java code that allow this to take place: the first bug is used to get a reference to the sun.awt.SunToolkit class, which is off-limits to applets, while the second bug invokes the public static getField method on SunToolkit via reflection with a trusted immediate caller, bypassing a security check. The exploit uses the buggy class directly, which makes it 100 percent reliable and multiplatform. The exploit is silent and 100% reliable 100% of the time, meaning that even if a user gets no indication or warning, that does not mean the attack failed and they dodged a bullet; their system is 100% compromised, as a 100% fact. An original detection of the Poison Ivy RAT variant used to infect systems showed a blank page when visiting a compromised web site, on which some users would see a brief flash of the word "loading" or "update"; this was not seen by all users and was browser independent. Since that original detection this no longer happens, and it was the only indication to the user that something was not right. The exploit allows suppressing any indication or warning of activity.
The vulnerability is a privilege escalation caused by a class that allows access to protected members of system classes. Because of this, malicious code can bypass the restrictions imposed by sandboxing and use the 'getRuntime().exec()' function to execute a malicious payload. This vulnerability has been confirmed to work on JRE 1.7, but does not work on the older JRE 1.6. However, it is not recommended to roll back to a previous version of Java, because previous versions contain other exploitable vulnerabilities.
This is a zero-day exploit: it is in the wild, has already been used in targeted attacks, and has been in use since 22 August 2012. Compromised websites are starting to appear, and the spread of the exploit is snowballing. Simply visiting a compromised web site will cause the malware to be installed on your computer if Java is enabled in the browser (any browser). Attacks can also be directed against individual/corporate/enterprise/networked systems without those systems being previously compromised. ALL common browsers are affected (e.g. IE, Mozilla, Firefox, Opera, Chrome, etc.) across all common user operating systems.
A few samples of malware downloaded by the exploit have been identified as 'Trojan.Dropper', and have been observed with the file names hi.exe and Flash_update.exe. Others may already exist as of this writing, and it's possible for the malware to download via the exploit and execute without the user's knowledge, without any indication of a download, and without antivirus warnings until the system is compromised. The exploit has also installed the Poison Ivy backdoor trojan (or a Poison Ivy RAT variant) in targeted attacks. The exploit will take complete (as in 100%) control of end-user computers, allowing any activity such as dismissing or suppressing alerts from anti-virus/security software, compromising personal information, botting (zombifying) the systems for use in botnets, or anything else.
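As an added example (not part of the original post), the following Python script shows how a defender could sweep web proxy logs for the two indicators the post gives: requests for the reported dropper file names (hi.exe, Flash_update.exe) and executables fetched by the Java runtime itself, which identifies itself with a "Java/<version>" User-Agent rather than a browser string. The log format and the sample lines are constructed for this example, and the hosts and addresses in them are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (hypothetical format, not real traffic):
# date time client method url status "user-agent"
SAMPLE_LOG = """\
2012-08-29 13:40:01 10.0.0.12 GET http://example.invalid/content/hi.exe 200 "Java/1.7.0_06"
2012-08-29 13:40:02 10.0.0.12 GET http://example.invalid/content/Flash_update.exe 200 "Java/1.7.0_06"
2012-08-29 13:41:10 10.0.0.15 GET http://example.invalid/index.html 200 "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0"
2012-08-29 13:42:00 10.0.0.20 GET http://example.invalid/app/applet.jar 200 "Java/1.6.0_33"
2012-08-29 13:43:00 10.0.0.22 GET http://example.invalid/setup.exe 200 "Java/1.7.0_06"
"""

# Dropper file names reported in the post above (compared case-insensitively).
DROPPER_NAMES = {"hi.exe", "flash_update.exe"}

# One regex for the constructed log format; adapt the groups to your own proxy's layout.
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# The JRE's own HTTP client sends a User-Agent of the form "Java/<version>".
JAVA_UA_RE = re.compile(r"^Java/(?P<version>\d+\.\d+\.\d+(?:_\d+)?)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons a parsed entry is suspicious (empty if none)."""
    reasons = []
    path = urlparse(entry["url"]).path
    name = path.rsplit("/", 1)[-1].lower()
    java = JAVA_UA_RE.match(entry["ua"])
    if name in DROPPER_NAMES:
        reasons.append("known dropper file name: " + name)
    if java and name.endswith(".exe"):
        # A browser plugin should be loading applets, not pulling down executables.
        reasons.append("executable fetched by the Java runtime (JRE %s)" % java.group("version"))
    return reasons


def scan(log_text):
    """Scan a whole log and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip blank or malformed lines rather than crashing the sweep
        reasons = classify(entry)
        if reasons:
            findings.append({"client": entry["client"], "url": entry["url"], "reasons": reasons})
    return findings


def affected_clients(findings):
    """Distinct client addresses to pull off the network for investigation."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f["client"], f["url"], "; ".join(f["reasons"]))
    print("clients to investigate:", affected_clients(hits))
```

The script flags three requests in the sample log (both named droppers and an unnamed executable pulled down with a Java User-Agent) and reports two client addresses to investigate; the JRE 1.6 client fetching an applet .jar is not flagged, since loading a .jar is ordinary plugin behaviour. Treat the file names as a weak indicator, since the post itself notes other names may already exist; the Java-User-Agent-fetches-an-executable rule catches renamed payloads too.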
The attack code exploiting this vulnerability has already been added to 'BlackHole' (an exploit kit sold in underground forums), and has also been added to the Metasploit exploit framework used by penetration testers and hackers. The BlackHole attack seems to use the same code as a proof-of-concept exploit previously published by a security researcher.
Until a fix is made available by Oracle, it's highly recommended that Java be disabled in all browsers.
A more detailed analysis can be read here > http://immunityproducts.blogspot.com.ar ... -4681.html