A vulnerability in the latest version of Oracle's Java software framework is under active attack, and the damage is likely to get worse thanks to the availability of reliable exploit code that works on a variety of browsers and computer platforms, security experts warn.

The flaw in Java version 1.7 was reported on Sunday afternoon by FireEye security researcher Atif Mushtaq. A separate post published on Monday by researchers Andre M. DiMino and Mila Parkour said the number of attacks, which appear to install the Poison Ivy Remote Access Trojan, was low. But they went on to note that the typical delay in issuing Java patches, combined with the circulation of exploit code, meant it was only a matter of time until the vulnerability was exploited more widely by other attackers.

Members of Rapid7, the security company that helps maintain the open-source Metasploit exploit framework used by penetration testers and hackers, said they have already developed an exploit that works against Windows 7. They are in the process of testing it against the Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome browsers running on other operating systems, including Ubuntu Linux 10.04 and Windows XP. They went on to suggest that users should disable Java until a patch plugging the gaping hole is released.

According to KrebsOnSecurity reporter Brian Krebs, there are indications the exploit will also be rolled into BlackHole, an exploit kit that sells advanced and highly weaponized exploits in underground forums. Like the Rapid7 researcher, Krebs recommends end users uninstall Java altogether, advice we at Ars think is worth following for those who have no need for the cross-platform application. Those who need Java to run applications such as Open Office or Freemind can still protect themselves by disabling Java in their browser to prevent drive-by attacks on booby-trapped websites.

The zero-day vulnerability is only the latest to affect Java, which over the past few years has emerged as one of the apps most frequently exploited by malware operators, along with Adobe's Reader and Flash programs. Oracle has yet to comment on the reports or say when it plans to fix the vulnerability. The next scheduled patch release isn't until the middle of October. DiMino and Parkour have issued an unofficial patch they said prevents exploits from working. But the use of such patches can create stability problems, and in any event, it's only available on a per-request basis, so end users should probably consider other ways to protect themselves against this threat.

Dave Maynor, CTO of penetration-testing firm Errata Security, said in his own blog post that the exploit code included in Metasploit "worked like a charm" against a Windows 7 installation he tested. He went on to say that the attack also worked reliably against a fully patched Ubuntu 12.04 Linux machine once he took the time to remove the OpenJRE app that was included by default and installed the run-time environment provided by Oracle.

Maynor said a Mac running Apple's OS X was able to only partially execute the exploit code. Technical details concerning the underlying vulnerability remain scarce, except, as noted in comments below, it appears to allow an unsigned, unprivileged process to overwrite its own security context token with reflection. Multiple reports claim it doesn't affect Java 1.6 and earlier versions. A report from security firm AlienVault is here.

Cross-posted from: Ars Technica
8/7/2013 10:36:34 pm

This blog made me your crazy follower. I am deeply impressed by your "Java framework- Web developers" and therefore adding you in my favorite list so that next time I could read you again. You did not divert from the topic even once which I have not seen in many other writers.

10/21/2013 08:58:55 pm

Even though the title "Java framework" of your blog is very short, it is still catchy enough to manage the attraction at first sight and convey the gist of the whole matter.

8/22/2013 03:30:47 pm

All the efforts you put in the blog post are appreciable. The entire blog is informative. Looking forward to reading more blogs and contents from you. Wish you luck!!!

