Calling all enterprises: disable Java in your browsers.
That warning has been sounded by numerous information security experts, following the discovery of an in-the-wild exploit that targets a zero-day vulnerability in Java, and for which no patch yet exists.
"We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable," said Atif Mushtaq, senior staff scientist at FireEye Malware Intelligence Lab, which discovered the attack and identified the Java vulnerability it exploited. "[The] initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain is resolving to an IP address in China," he said in a blog post.
The in-the-wild attack, hosted by a malicious website, currently only targets Windows PCs, via a malicious JAR (Java Archive) applet named "Dropper.MsPMs." If the browser-targeting exploit is successful, the JAR file gets installed on the targeted system. As of Sunday, the website serving the attack remained fully functional, as did the command-and-control servers, which are currently based in Singapore.
The exploited vulnerability exists in all versions of Java 7, and can be used to exploit not just Windows, but also Apple OS X and Linux systems. "I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1 [and] I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6. [The] same exploit worked on all of them," said David Maynor, CTO of Errata Security, in a blog post.
[ Most IT security groups are short-handed and can't find good people to hire. Is there a Security Skills Shortage, Or Training Failure? ]
"This exploit is awesome," he said. "[It's] not a buffer overflow or anything like that, it uses a flaw in the JRE design that allows a Java app to change its own security settings with reflection." As a result, an attacker can use the vulnerability to arbitrarily change Java security settings, allowing malware to read, write, and execute code on an infected system.
Oracle has yet to detail when it will release a related Java patch for the vulnerability. "The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.
Until Oracle does patch the vulnerability, "the best way to prevent this attack at the moment is by removing or disabling [the] Java plug-in from your browser settings," said FireEye's Mushtaq. "Once Oracle comes up with a patch you can re-enable this plug-in." Don't, however, roll back to a previous version of Java, since older versions have numerous known vulnerabilities.
An exploit module based on the new vulnerability has already been added to the Metasploit open source penetration testing toolkit, and can be used to exploit the flaw on affected Windows, OS X, and Linux systems. Metasploit developer "sinn3r" said he'd verified that the exploit works against Internet Explorer, Firefox, and Chrome, running on Windows XP, Vista, and 7, as well as Firefox on Ubuntu Linux 10.04 and Safari on OS X Mountain Lion (10.7.4).
"Paunch," the nickname used by the developer of the BlackHole crimeware toolkit, told security journalist Brian Krebs via IM that he planned to immediately integrate the publicly available exploit code into BlackHole, saying that it was a high-quality vulnerability that could have fetched $100,000 if sold privately.
The BlackHole author--or authors--has recently been a devotee of Java vulnerabilities, which have proven easy to exploit, with some Java bugs offering a success rate of up to 80%. Adding in such exploits makes the crimeware toolkit more attractive to would-be buyers.
"Starting at the end of last year, they focused on adding Java exploits--within a month after a patch is released by Oracle," said Jason Jones, lead for the advanced security intelligence team at HP's DVLabs, speaking last month by phone about the BlackHole exploit toolkit. "They did this at the end of last year, and we saw an extremely high success rate for exploitation, then they added another one at the beginning of this year, had another same high level of exploitation rates, then they did it again recently."
Earlier this year, that increasing use of Java exploits led Apple to automatically disable Java in OS X, if it hasn't been used for 35 days. Apple made that change after a Java exploit--first detailed for Windows--was reverse-engineered by malware developers, who created the Flashback malware that infected an estimated 600,000 OS X systems.
In the wake of the latest Java vulnerability, which is difficult to spot, the prevailing security advice has been to disable Java altogether. "The configuration I used to test [the exploit] would be caught by [an] IPS with good rules [but] if you just enable the Metasploit built-in SSL options, an IPS would be blinded to this," said Maynor at Errata Security. "I have tried two different desktop protection suites from McAfee and Symantec. Neither stopped the threat, but then again, they really aren't designed to. This is a perfect exploit to use for phishing, or [targeting] social media users."
The new exploit may have already been used against your business. "Remember to search your logs for connections to the Domains/IPs related to this attack," said Jaime Blasco, a malware researcher at AlienVault Labs, in a blog post.
For businesses that can't disable Java, for example because they need to support functionality on intranet pages, here's a temporary workaround: "Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows)," said Wisniewski at Sophos. "Another solution is to surf the net using your favorite browser with Java disabled, and have an alternate browser available for the occasional site that needs it--Java is not JavaScript, you almost never need it," he said.
