Java is the most exploited browser plug-in. Disable it if not needed!
January 11, 2013
Once again, Oracle's Java software is making security news for being exploited in most major exploit kits via a new zero-day vulnerability. A zero-day vulnerability is one where a proof-of-concept exploit is disclosed before the software vendor has had a chance to create a patch to block that attack vector. At this time, Oracle has not released a patched version of Java and there is no known workaround. The next regularly scheduled Java update is set for February 19, 2013.
UPDATE January 14, 2013
Oracle has just released a sudden out-of-band patch for the new vulnerability in its Java Virtual Machine. The patch is called Java 7 Update 11, available here.
The most dangerous and exploited type of Java is the kind that is used as a "plug-in" for web browsers (Internet Explorer, Google Chrome, Firefox, Safari, Opera, etc.). You see, when you install Java on your computer or hand-held devices, it installs both as an executable package that can be used by desktop productivity and entertainment applications, and as a plug-in for each brand of web browser you have installed on that device. The browser plug-in is responsible for running Java Applets in your browser. These Applets are supposed to be contained within a programmed-in software boundary called a "sandbox" - but they are notorious for being exploited to jump out of the sandbox and into the operating system.
I should point out that Java has been one of the favorite targets of virus and malware exploit authors since the year 1998 (Strange Brew - the first Java virus). Over the years Java has been deployed in more and more devices, to the point that Oracle, the current owner, claims that Java is installed on over 3 billion devices worldwide. Chances seem reasonable that you are using one or more of those 3 billion devices.
Since Java itself can be installed and run on devices that are based on different operating systems, it can be used to download malware to any of those devices by simply detecting the operating system and downloading the appropriate binary program for exploiting it. The typical entry point for exploitation is a web browser. The browser can be made to run malicious code by clicking on obfuscated poisoned links in email scams, by hidden "iframes" that draw the attack code into otherwise legitimate websites (and your browser), or by JavaScript redirects that were injected into the head or end sections of compromised web pages.
Java is exploited constantly, for both old and new versions and vulnerabilities, for at least three reasons: (1) It is found on 3 billion devices; (2) most people don't even know if they have Java installed on whatever devices they are using to connect to the Internet; (3) Oracle is very slow to patch Java vulnerabilities that they are notified about.
What you can do to protect your devices from Java exploits
You can take the following steps to protect your computers, or hand-held devices from Java exploits.
- Disable Java plug-ins from running in all installed web browsers
- Find out what version, if any, of Java is installed and active
- Uninstall any non-current versions of Java
- Install only the most current version of Java for your operating system
- Uninstall Java altogether! (Windows | Mac | Linux)
- Operate your computer with reduced user privileges (not as an Administrator) (1) (2) (3)
- Use only legally obtained operating systems and keep up with updates and patches
- Regularly check for and apply updates for all third-party browser add-ons and plug-ins (not just Java)
- Defend against exploit kits by disabling JavaScript (and Java) by default, unless you specifically want to allow scripting to run. Do this by installing the NoScript add-on to Firefox, or the ScriptNo extension for Google Chrome. Internet Explorer users are and probably will always remain vulnerable to scripting attacks, unless you disable "Active Scripting" altogether. ;-(
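As an added example (not from the original article), the shell script below automates two of the steps above on Linux: it parses `java -version` output to check whether the installed runtime is at or above Java 7 Update 11 (the out-of-band fix mentioned in the update), and it looks for the Java browser plug-in file `libnpjp2.so` in the usual Firefox plug-in directories. The directory list, the sample version strings and the 7u11 threshold are assumptions made for this example.

```shell
#!/bin/sh
# Assumption: version strings use Oracle's "1.MAJOR.MINOR_UPDATE" form, e.g. 1.7.0_10.
# Returns 0 (true) when the version is Java 7 Update 11 or newer, 1 otherwise.
java_is_patched() {
  ver="$1"
  case "$ver" in
    1.*) major=$(printf '%s' "$ver" | cut -d. -f2) ;;   # 1.7.0_10 -> 7
    *)   major=$(printf '%s' "$ver" | cut -d. -f1) ;;   # newer "9.0.1" style -> 9
  esac
  update=$(printf '%s' "$ver" | sed -n 's/.*_\([0-9]*\).*/\1/p')  # 1.7.0_10 -> 10
  [ -z "$update" ] && update=0
  case "$major" in ''|*[!0-9]*) return 1 ;; esac       # unparseable: treat as unpatched
  [ "$major" -gt 7 ] && return 0
  [ "$major" -eq 7 ] && [ "$update" -ge 11 ] && return 0
  return 1
}

# Reads `java -version` text on stdin (Java prints it to stderr) and prints the
# quoted version string from the first line, e.g. java version "1.7.0_10" -> 1.7.0_10
parse_java_version() {
  sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Prints any Java NPAPI plug-in file Firefox on Linux would load (assumed locations).
list_java_plugins() {
  for d in "$HOME/.mozilla/plugins" /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins; do
    [ -e "$d/libnpjp2.so" ] && echo "$d/libnpjp2.so"
  done
  return 0
}

main() {
  installed=$(java -version 2>&1 | parse_java_version)
  if [ -z "$installed" ]; then
    echo "No Java runtime found on PATH"
  elif java_is_patched "$installed"; then
    echo "Java $installed: at or above 7u11"
  else
    echo "Java $installed: OLDER than 7u11 - update it or uninstall it"
  fi
  plugins=$(list_java_plugins)
  if [ -n "$plugins" ]; then
    echo "Java browser plug-in still present (disable or remove):"; echo "$plugins"
  else
    echo "No Java browser plug-in found in the checked directories"
  fi
}

main "$@"
```

An absent or unreadable version is reported as unpatched on purpose, so that a runtime this script cannot identify is never assumed safe.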
The purpose of exploit kits is to compromise as many computing devices as possible for the following nefarious purposes:
- To install spamming malware
- To turn your device into an attack zombie in a DDoS botnet
- To make your computer available as a web proxy for criminals to hide behind as they carry on criminal activities and scams
- To silently install keylogging and/or bank account monitoring malware Trojans, to steal funds from your financial accounts
- To use keyloggers to steal login credentials to your website control panels, Facebook, Twitter, LinkedIn, MySpace, eBay etc.
- To install Trojans that search for particularly desirable and sensitive documents and upload copies to spies abroad
- Some will download rogue security software that presents alarming fake virus scans of your computer, demanding money to remove the perceived non-existent threats
- Currently, a lot of exploit kits download what is commonly called "Police Ransomware" to your computer, locking you out of using it unless you pay a fine (ransom). DO NOT PAY THE FINE! Have the PC disinfected by a professional.
- If you work in government, defense, a public utility, nuclear energy, or the financial industry, custom-written exploit kits might be used in "spear phishing" email attacks to deliver real spyware to your PC and even the entire network. Company documents, or very high-level or secret documents, can be stolen by Trojans written for this purpose.
- Above all of these things, all exploit kits install a "backdoor" into the infected computer or device. This allows the cybercriminals running the exploit to visit your computer any time they wish, download other malware to it, or use it to do illegal things (e.g. transfer stolen funds from bank accounts) leading to your IP address, then to your name and address if the Police become involved.
If you know or even think that you may have clicked on a link leading to an exploit kit, you need to scan for malware now. You can use the free online Housecall scanner from Trend Micro, or the stand-alone Microsoft Safety Scanner. If you have no security program installed, or one that is outdated or has expired, you can download a trial version of Trend Micro Internet Security (or Anti-Virus+). It is fully activated with all features for a month and will remove most malware it detects. It also blocks access to malicious web pages, protecting you from exploit kits.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.