# New Java Exploit!



## silkstone (Jan 11, 2013)

I read this on Ars the other day and i thought i would re-post the information here as it seems like a pretty big exploit:

"A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.

"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10—the most recent version—say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this."

- Dan Goodin - Jan 10 2013
Source: http://arstechnica.com/security/201...bug-is-being-massively-exploited-in-the-wild/


----------



## MxPhenom 216 (Jan 11, 2013)

and theres my queue to uninstall Java.


----------



## silkstone (Jan 11, 2013)

MxPhenom 216 said:


> and theres my queue to uninstall Java.



This is the scariest part: "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."

I'm using Chrome and it's quite easy to set up so that you need to click to allow java to run on each site. I haven't uninstalled it yet, but i'm not going to be allowing it to run until an update comes out.


----------



## OneMoar (Jan 11, 2013)

a security hole in JAVA NOWAI


----------



## Drone (Jan 17, 2013)

Wouldn't that be awesome if flash and java go away and never come back and get replaced with something more reliable and less buggy...


----------



## 3870x2 (Jan 17, 2013)

Drone said:


> Wouldn't that be awesome if flash and java go away and never come back and get replaced with something more reliable and less buggy...



Java itself is a great idea, but it has terrible security flaws.

in the last two years I have helped about a dozen friends and family members where, through a Java exploit, their computers were completely locked down, usually with programs that acted like anti-virus and wanted you to purchase their program to remove the virus that it in itself caused.

These exploits are very serious and renders a computer useless, I am almost surprised Java hasn't been sued or gotten into some kind of trouble for this.  The process to remove this malware is usually quite extensive, and varies from one instance to another.


----------



## Aquinus (Jan 17, 2013)

3870x2 said:


> I am almost surprised Java hasn't been sued or gotten into some kind of trouble for this.



EULA. Gotta love the things you agree to when you install software. 



			
				Oracle said:
			
		

> 5. LIMITATION OF LIABILITY. IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR DATA USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF ORACLE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ORACLE'S ENTIRE LIABILITY FOR DAMAGES HEREUNDER SHALL IN NO EVENT EXCEED ONE THOUSAND DOLLARS (U.S. $1,000).



In other words, they're not liable and if the courts disagree they attempt to impose a maximum limit of 1,000 USD. That's all disputable in court, but you (or whoever installed it,) did agree to if you're using Java or have it installed. This really says if Java itself sans any code that Java executes damages your machine, then you might have grounds to sue but other than that, good luck.


----------



## Frick (Jan 17, 2013)

Aquinus said:


> EULA. Gotta love the things you agree to when you install software.
> 
> In other words, they're not liable and if the courts disagree they attempt to impose a maximum limit of 1,000 USD. That's all disputable in court, but you (or whoever installed it,) did agree to if you're using Java or have it installed. This really says if Java itself sans any code that Java executes damages your machine, then you might have grounds to sue but other than that, good luck.



Doesnt pretty much all software has similiar clauses in the EULAs? If i made software i would have one.


----------



## FordGT90Concept (Jan 17, 2013)

FYI, Update 11 apparently takes care of the vulnerability.


----------



## Drone (Jan 17, 2013)

3870x2 said:


> Java itself is a great idea, but it has terrible security flaws.



I never quite understood the real purpose of Java. There are c/c++, .net and other programming languages. What's up with java? Yes in some cases _some_ applications written on java work faster than others but in many other cases java apps are much slower.
Not sure but I think c/c++ and .net could handle it all.


----------



## 3870x2 (Jan 17, 2013)

Drone said:


> I never quite understood the real purpose of Java. There are c/c++, .net and other programming languages. What's up with java? Yes in some cases _some_ applications written on java work faster than others but in many other cases java apps are much slower.
> Not sure but I think c/c++ and .net could handle it all.



Java is slower in almost all cases.  People use Java because of easier portability, and the fact that Java has many of their own libraries that are also portable.

I find programming in Java a bit easier than c#.

c++ / c# can handle it all.


----------



## Aquinus (Jan 17, 2013)

Drone said:


> I never quite understood the real purpose of Java. There are c/c++, .net and other programming languages. What's up with java? Yes in some cases _some_ applications written on java work faster than others but in many other cases java apps are much slower.
> Not sure but I think c/c++ and .net could handle it all.



Java byte code will run on any machine that has implemented the JVM. Therefore you can write one application with one code base and have it work on multiple platforms. C/C++ libraries differ from OS to OS so code written in C/C++ for one platform may not work in another because the core libraries may be different or behave differently or not exist at all.

Java is good if your intent is to hit the largest audience you can. Newer ARM processors have Jazelle as well, which allows java byte code run in hardware as a third execution mode. So it doesn't have to be slow, it's just slow because of how its implemented. Java can be made to run fast and a lot of the time it does.


3870x2 said:


> the fact that Java has many of their own libraries that are also portable.


+1: This too.


----------



## Drone (Jan 17, 2013)

> .. portability ..



Generally speaking _most_ high-level programming languages are more or less portable


----------



## DarkOCean (Jan 17, 2013)

Seeing this now i feel better that i dont use java from quite some time now knowing its weakness for exploits.


----------



## erixx (Jan 17, 2013)

Sadly i have business software that requieres Java


----------



## Drone (Jan 17, 2013)

FordGT90Concept said:


> FYI, Update 11 apparently takes care of the vulnerability.



And there's already a zeroday bug for update _11_ which is selling for 5000$


----------



## LAN_deRf_HA (Jan 17, 2013)

This is good actually. Holes like this exist for just about everything. They're traded in very tight circles with people highly motivated to keep them secret. If someone gets a hold of one and wants to make a quick buck selling it instead of exploiting it then it's pretty much the end of that exploit. It will get identified and patched.

Honestly the best possible way to root out these long standing exploits in browsers/flash/java is to offer rewards for those exploits. Big ones.


----------



## erixx (Jan 17, 2013)

Defender report of earlier today:

containerfile:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49
file:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49->h.class
file:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49->r.class
file:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49->van.class
file:C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\6aee21d4-46ec4b49->zou.class


Just now I installed Java update 11


----------



## FordGT90Concept (Jan 18, 2013)

Drone said:


> And there's already a zeroday bug for update _11_ which is selling for 5000$


Well that sucks. 




3870x2 said:


> I find programming in Java a bit easier than c#.


That defies logic.


----------



## kn00tcn (Jan 18, 2013)

just disable the browser plugin, not remove java from the OS entirely (since obviously minecraft, jdownloader, all kinds of things need java)

how many SITES still use java when they can just make their thing in flash or by now webgl & unity


----------



## Drone (Jan 21, 2013)

Malware Posing as Java Update 11

The malicious website has the misspelled message "A newer version of Java is require" in large, red letters.


----------



## Drone (Feb 11, 2013)

If anyone cares java is gonna release its cumulative patch. It will arrive February 19.


----------



## Drone (Mar 4, 2013)

Another Java Zero-Day Found



> *FireEye researchers have uncovered yet another zero-day vulnerability in Java, and attackers are currently exploiting it in the wild.* The security flaw, if triggered, leads to arbitrary memory read-and-write. The security flaws are in Java v.1.6 Update 41 and the latest Java v1.7 Update 15, which was just released Feb. 19



FireEye said that there'll be more zero days


----------



## Wrigleyvillain (Mar 4, 2013)

Ffs


----------



## 95Viper (Mar 5, 2013)

Java update to fix two security exploits.

Java SE Downloads

Oracle Security Alert for CVE-2013-1493


> Description
> 
> This Security Alert addresses security issues CVE-2013-1493 (US-CERT VU#688246) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.
> 
> These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.


----------



## syeef (Mar 5, 2013)

FordGT90Concept said:


> 3870x2 said:
> 
> 
> > I find programming in Java a bit easier than c#.
> ...



To me also, Java is lot more simpler and easier than C#. Sure Java has no great GUI editing like C#, but GUI editing is for Newbies not Advanced users...


----------



## Drone (Feb 2, 2014)

bump

http://www.pcworld.com/article/2092...-infects-mac-linux-systems-with-ddos-bot.html

It means that Mac and Limux users are also vulnerable to java crap:



> The malicious Java application is the latest example of the opportunistic trend to use the huge potential of Java to get a malware three-for-one in the cause of turning systems into Distribued Denial of Service bots. Once on the target system after hitting Java flaw CVE-2013-2465 (SE 7 Update 21 and earlier), patched last June, the malware sets up its command and control using IRC. According to Kaspersky, one of the targets on the receiving end of a DDoS attack might be an unnamed bulk email service. It also deploys the Zelix Klassmaster obfuscator as a technique meant to frustrate analysis.


----------



## RejZoR (Feb 4, 2014)

Last time i checked, Java isn't even active in Firefox as embedded content. I'm using it because of Minecraft and it never even interacted with the browser.


----------



## Wrigleyvillain (Feb 4, 2014)

MxPhenom 216 said:


> and theres my queue to uninstall Java.



Oh how I wish this was a viable solution at work.


----------



## typicalintrovert (Feb 4, 2014)

i havent had java installed in such a long time.


----------



## MxPhenom 216 (Feb 4, 2014)

typicalintrovert said:


> i havent had java installed in such a long time.



0 reason to have it installed these days.


----------



## W1zzard (Feb 4, 2014)

MxPhenom 216 said:


> 0 reason to have it installed these days.


I need it for Android app development  but disabled the browser plugins


----------



## btarunr (Feb 4, 2014)

I need Java for Azureus, which I need for...you know.. downloading open-source Linux ISOs.


----------



## eidairaman1 (Feb 4, 2014)

syeef said:


> To me also, Java is lot more simpler and easier than C#. Sure Java has no great GUI editing like C#, but GUI editing is for Newbies not Advanced users...



so do you write code yourself or you blowing smoke up your own wazoo to try to build your ego



Drone said:


> bump
> 
> http://www.pcworld.com/article/2092...-infects-mac-linux-systems-with-ddos-bot.html
> 
> It means that Mac and Limux users are also vulnerable to java crap:



Mac has always been vulnerable to many attacks. Who do you think hackers will attack, the least popular OS (Macintrash) or the most popular (Winblows 8/8.1)? (love smug Mac Users- not very bright)


----------

