Hello, another Java 0-day exploit has been revealed!
January 17, 2013
It was 5 days and a few hours ago that I published a blog article about a recent Java vulnerability being exploited in the wild. In it I advised my readers to disable Java plug-ins from running in their browsers, or to uninstall Java altogether.
Then, three days later, on Jan 14, 2013, Oracle, the keeper and maintainer of the Java code, released an out-of-band patch to plug the vulnerability that was the cause of the exploits. This was done with the release of Java 7 update 11.
However, on Wednesday, Jan 16, 2013, Trend Micro researchers posted findings revealing that the Oracle patch was incomplete and left a related attack vector open. A few hours later, a high-ranking admin on a malware distribution forum offered to sell a working exploit for this new zero-day vulnerability, for a starting bid of $5,000 USD (see Brian Krebs' article), to two more individuals (he had already sold one copy). Within a short time his offer was taken down, leading Brian Krebs to postulate that the bidding had ended and all three copies of the hardened, ready-to-go exploit had been sold.
I know that there are some business programs and commercial web pages that operate with Java Applets, requiring users to have Java enabled in their browsers and/or operating systems. These people cannot simply uninstall Java. They want a workable method of keeping Java while reducing their exposure to malware sneak attacks. Let's see if I can help a little.
First of all, Java can be uninstalled easily from most Windows computers via the Add/Remove Programs applet (called Programs and Features on newer versions) in the Windows Control Panel. Every properly installed version of Java will appear in the list of installed programs and can be uninstalled with a button press.
But, if you must keep Java on your computer to use a mandatory program or website, here are some practical methods you can use to limit your risk of malware infection via Java. They are listed in what I consider the order of easiest deployment first.
- Go to Control Panel (Windows), find the Java icon, open it, update to the current version, then reboot.
- The newest version has a security level slider and a checkbox to disable Java plug-ins from your browsers. Set the security slider to the high or highest setting. Close and re-open your browser to get this to take effect.
- If you only need Java for a desktop or network application, not a website, uncheck the checkbox labeled: "Enable Java content in the browser" then apply the change.
- Browse with the most current version of Firefox. Firefox now disables Java applets by default and asks you if you wish to allow them to run when Java Applets are encountered on a web page.
- Every Java exploit kit I have encountered relies upon JavaScript functions to load the appropriate malware Applet .jar file to exploit your PC. For better protection, install the NoScript Add-on for Firefox and allow it to use the default settings (which you must read about before using it). NoScript blocks both Java and JavaScript by default, unless you explicitly allow them to run. If your browser never executes the kit's redirection and exploit-detection scripts, nothing happens automatically. In that case, watch out for prompts to manually install a malicious Java Applet!
- Many zero-day exploits, as well as nth-day exploits, assume that the user is logged in with administrator privileges, or with UAC prompts disabled. This enables silent, drive-by exploits to install malware into the operating system with no user interaction. Watch the video on the Malwarebytes' blog to see such an exploit in action.
- In view of how malware exploits use administrator level privileges to do their dirty work, consider lowering your privileges for the computer account you normally use to browse the Internet and run productivity applications. Read these articles for more details: (1) (2) (3)
- I can't tell you what malware protection to use, but I sure as my name's Wiz can recommend some that I use. I use a 4-fold approach to secure my PCs: (1): I operate with reduced user privileges; (2): I run Malwarebytes' Anti-Malware; (3): I run the current version of Trend Micro Internet Security; (4): I browse with the current version of Firefox, with the NoScript Add-On installed and enabled.
- Despite all of the above protections there is one more exploit vector: The weak link that exists between the chair and the keyboard. Use common sense while browsing the 'net. Unexpected alert boxes, pop-up scans and web page redirects are not business as usual. If something seems wrong, assume that it is and back out and close your browser, then scan for malware in the browser cache or temporary Internet files. Don't blindly allow programs to run or install just because a pop-up tells you to, especially if it is an "unsigned" or "Self-signed" program.
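As an added example (not from the original post), here is a small Python script that audits the per-user Java deployment.properties file for the two settings covered in the steps above: the security-level slider and the "Enable Java content in the browser" checkbox. It assumes the key names deployment.security.level and deployment.webjava.enabled that Java 7 writes to that file, and the usual per-user path under AppData\LocalLow\Sun\Java\Deployment; verify both against your own installation.

```python
"""Audit a Java 7 deployment.properties file for browser plug-in and security-level settings."""
import os
import re

# Key names as written by the Java 7u10+ Control Panel (assumed; check your version).
KEY_WEBJAVA = "deployment.webjava.enabled"
KEY_LEVEL = "deployment.security.level"
ACCEPTABLE_LEVELS = {"HIGH", "VERY_HIGH"}   # the "high" and "highest" slider positions

# Assumed default per-user location on Windows.
DEFAULT_PATH = os.path.join(os.environ.get("USERPROFILE", ""), "AppData", "LocalLow",
                            "Sun", "Java", "Deployment", "deployment.properties")

def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators, backslash escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        unescape = lambda s: re.sub(r"\\(.)", r"\1", s)   # turns C\:\\x into C:\x
        props[unescape(m.group(1))] = unescape(m.group(2))
    return props

def audit(props):
    """Return a list of findings; an empty list means both settings match the post's advice."""
    findings = []
    if props.get(KEY_WEBJAVA, "true").lower() != "false":   # absent key means plug-in enabled
        findings.append("browser plug-in enabled: uncheck 'Enable Java content in the browser'")
    level = props.get(KEY_LEVEL, "MEDIUM").upper()           # absent key means default level
    if level not in ACCEPTABLE_LEVELS:
        findings.append(f"security level is {level}: move the slider to high or highest")
    return findings

def audit_file(path=DEFAULT_PATH):
    with open(path, encoding="latin-1") as fh:
        return audit(parse_properties(fh.read()))

# Constructed samples in the shape the Java Control Panel writes (not from a real machine).
SAMPLE_WEAK = """#deployment.properties
#Thu Jan 17 10:00:00 EST 2013
deployment.version=7.11
deployment.security.level=MEDIUM
deployment.browser.path=C\\:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe
"""
SAMPLE_HARDENED = """deployment.version=7.11
deployment.security.level=VERY_HIGH
deployment.webjava.enabled=false
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(parse_properties(sample)) or ["OK"])
```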
I hope this helps keep you safe from Java exploits. Doing the things I suggest will not just block the current zero-day exploits, but those to come.