#1
New Java 0day exploited in the wild
http://labs.alienvault.com/labs/inde...d-in-the-wild/
Researchers: Java Zero-Day Leveraged Two Flaws
http://krebsonsecurity.com/2012/08/j...ged-two-flaws/

" “There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”

Not long after news broke that miscreants were exploiting an unpatched security hole in Java to break into PCs, I began seeing tweets from non-Windows users urging people to switch to Mac OS X or Linux. Unfortunately, this latest Java exploit has been shown to work flawlessly to compromise browsers on all three operating systems.

According to Rapid7, the Java exploit found being used in targeted attacks (CVE-2012-4681) is now available as a plug-in to Metasploit, a free software tool built to test the security of networks. Rapid7 said the exploit has been successfully tested to work against nearly all browser configurations on Windows systems, and against Safari on OS X 10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04. "

The vulnerabilities ONLY exist in Java 1.7. Reverting to JRE 1.6 and/or disabling web browser Java plugins are the only mitigation steps available at present.

Oracle updates their JREs on a quarterly schedule. The next update is due October 16th. According to their Security Fixing Policies web page - http://www.oracle.com/us/support/ass...ies/index.html

" Oracle may issue a Security Alert in the case of a unique or dangerous threat to our customers. In this event, customers will be notified of the Security Alert by email notification through My Oracle Support and Oracle Technology Network. The fix included in the Security Alert will also be included in the next Critical Patch Update. "

MowGreen
================
*-343-* FDNY Never Forgotten
================
#2
New Java 0day exploited in the wild - more vuln info and mitigation steps
Java 7 0-Day vulnerability information and mitigation.
http://www.deependresearch.org/2012/...formation.html

See: Details about the exploited vulnerability, mitigation factors and tips.

MowGreen
================
*-343-* FDNY Never Forgotten
================
#3
New Java 0day exploited in the wild - more vuln info and mitigation steps
On Wed, 29 Aug 2012 10:50:06 -0700, MowGreen wrote:

Java 7 0-Day vulnerability information and mitigation.
http://www.deependresearch.org/2012/...formation.html

See: Details about the exploited vulnerability, mitigation factors and tips.

How does one disable Java?

--
Robin Bignall
Herts, England
#4
New Java 0day exploited in the wild - more vuln info and mitigation steps
Robin Bignall wrote:

How does one disable Java?

Control Panel, Programs and Features, Java, Uninstall is one way. If you just want to disable it within your web browser, there are other ways that will vary from browser to browser, such as disabling plugins.
#5
New Java 0day exploited in the wild - more vuln info and mitigation steps
On 29 Aug 2012, Robin Bignall wrote in alt.windows7.general:

On Wed, 29 Aug 2012 10:50:06 -0700, MowGreen wrote:

Java 7 0-Day vulnerability information and mitigation.
http://www.deependresearch.org/2012/...formation.html

See: Details about the exploited vulnerability, mitigation factors and tips.

How does one disable Java?

Instructions can be found here:
http://www.slate.com/blogs/future_te...ight_now_.html

Apparently it's a little difficult to disable it in Internet Explorer. You can also uninstall it entirely. Unless you have a particular need to use a Java program, there's little need for Java.

You could also uninstall ver. 1.7 and use 1.6 instead, which can be found here (scroll down to JRE 6):
http://www.oracle.com/technetwork/ja...ads/index.html
#6
New Java 0day exploited in the wild - more vuln info and mitigation steps
On Wed, 29 Aug 2012 16:42:19 -0400, Nil wrote:

On 29 Aug 2012, Robin Bignall wrote in alt.windows7.general:

On Wed, 29 Aug 2012 10:50:06 -0700, MowGreen wrote:

Java 7 0-Day vulnerability information and mitigation.
http://www.deependresearch.org/2012/...formation.html

See: Details about the exploited vulnerability, mitigation factors and tips.

How does one disable Java?

Instructions can be found here:
http://www.slate.com/blogs/future_te...ight_now_.html

Apparently it's a little difficult to disable it in Internet Explorer. You can also uninstall it entirely. Unless you have a particular need to use a Java program, there's little need for Java.

You could also uninstall ver. 1.7 and use 1.6 instead, which can be found here (scroll down to JRE 6):
http://www.oracle.com/technetwork/ja...ads/index.html

Andy, Nil, thanks. I've reverted to 1.6.

--
Robin Bignall
Herts, England
#7
New Java 0day exploited in the wild - more vuln info and mitigation steps
Robin Bignall wrote:

On Wed, 29 Aug 2012 16:42:19 -0400, Nil wrote:

On 29 Aug 2012, Robin Bignall wrote in alt.windows7.general:

On Wed, 29 Aug 2012 10:50:06 -0700, MowGreen wrote:

Java 7 0-Day vulnerability information and mitigation.
http://www.deependresearch.org/2012/...formation.html

See: Details about the exploited vulnerability, mitigation factors and tips.

How does one disable Java?

Instructions can be found here:
http://www.slate.com/blogs/future_te...ight_now_.html

Apparently it's a little difficult to disable it in Internet Explorer. You can also uninstall it entirely. Unless you have a particular need to use a Java program, there's little need for Java.

You could also uninstall ver. 1.7 and use 1.6 instead, which can be found here (scroll down to JRE 6):
http://www.oracle.com/technetwork/ja...ads/index.html

Andy, Nil, thanks. I've reverted to 1.6.

Published 2012-August-30
Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/to...l#AppendixJAVA

" Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Users running Java SE with a browser can download the latest JRE 7 release from http://java.com/. Users on the Windows platform can also use automatic updates to get the latest JRE 7 and 6 releases "

The link to manually download the latest JRE 7 release is here:
http://www.oracle.com/technetwork/ja...ads/index.html

" Java SE 7u7
This release addresses security concerns. Oracle strongly recommends that all Java SE 7 users upgrade to this release.

Java SE 6 Update 35
This release addresses security concerns. Oracle strongly recommends that all Java SE 6 users upgrade to this release. "

For the typical Users ("consumers"), the downloads are under the JRE heading or, just head to http://java.com.

Be sure that NO additional toolbars/anti-malware scanners/or other assorted "fluff" is checked or it will piggyback on the Java installation.

MowGreen
================
*-343-* FDNY Never Forgotten
================
#8
New Java 0day exploited in the wild - more vuln info and mitigation steps
On Thu, 30 Aug 2012 11:57:31 -0700, MowGreen wrote:

Robin Bignall wrote:

On Wed, 29 Aug 2012 16:42:19 -0400, Nil wrote:

On 29 Aug 2012, Robin Bignall wrote in alt.windows7.general:

On Wed, 29 Aug 2012 10:50:06 -0700, MowGreen wrote:

Java 7 0-Day vulnerability information and mitigation.
http://www.deependresearch.org/2012/...formation.html

See: Details about the exploited vulnerability, mitigation factors and tips.

How does one disable Java?

Instructions can be found here:
http://www.slate.com/blogs/future_te...ight_now_.html

Apparently it's a little difficult to disable it in Internet Explorer. You can also uninstall it entirely. Unless you have a particular need to use a Java program, there's little need for Java.

You could also uninstall ver. 1.7 and use 1.6 instead, which can be found here (scroll down to JRE 6):
http://www.oracle.com/technetwork/ja...ads/index.html

Andy, Nil, thanks. I've reverted to 1.6.

Published 2012-August-30
Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/to...l#AppendixJAVA

" Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Users running Java SE with a browser can download the latest JRE 7 release from http://java.com/. Users on the Windows platform can also use automatic updates to get the latest JRE 7 and 6 releases "

[..]

Thanks. I clicked on 'update' in the Java control panel and down it came. This would have happened automatically tomorrow, I think.

--
Robin Bignall
Herts, England
#9
New Java 0day exploited in the wild - Patched or not ?
Robin Bignall wrote:

On Thu, 30 Aug 2012 11:57:31 -0700, MowGreen wrote:

Robin Bignall wrote:

On Wed, 29 Aug 2012 16:42:19 -0400, Nil wrote:

On 29 Aug 2012, Robin Bignall wrote in alt.windows7.general:

On Wed, 29 Aug 2012 10:50:06 -0700, MowGreen wrote:

Java 7 0-Day vulnerability information and mitigation.
http://www.deependresearch.org/2012/...formation.html

See: Details about the exploited vulnerability, mitigation factors and tips.

How does one disable Java?

Instructions can be found here:
http://www.slate.com/blogs/future_te...ight_now_.html

Apparently it's a little difficult to disable it in Internet Explorer. You can also uninstall it entirely. Unless you have a particular need to use a Java program, there's little need for Java.

You could also uninstall ver. 1.7 and use 1.6 instead, which can be found here (scroll down to JRE 6):
http://www.oracle.com/technetwork/ja...ads/index.html

Andy, Nil, thanks. I've reverted to 1.6.

Published 2012-August-30
Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/to...l#AppendixJAVA

" Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Users running Java SE with a browser can download the latest JRE 7 release from http://java.com/. Users on the Windows platform can also use automatic updates to get the latest JRE 7 and 6 releases "

[..]

Thanks. I clicked on 'update' in the Java control panel and down it came. This would have happened automatically tomorrow, I think.

You're most welcome Robin.

But, now -

Researchers find critical vulnerability in Java 7 patch hours after release
http://www.cio.com/article/715219/Re..._after_release

" Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.

Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO said Friday via email. The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.

snip

Based on the experience of Security Explorations researchers with hunting for Java vulnerabilities so far, Java 6 has better security than Java 7. "Java 7 was surprisingly much easier for us to break," Gowdiak said. "For Java 6, we didn't manage to achieve a full sandbox compromise, except for the issue discovered in Apple Quicktime for Java software."

Gowdiak has echoed what many security researchers have said before: If you don't need Java, uninstall it from your system. "

Ouch !

MowGreen
================
*-343-* FDNY Never Forgotten
================
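Post #7 quotes the release levels Oracle shipped for CVE-2012-4681 (Java SE 7 Update 7 and Java SE 6 Update 35), and the post above notes that 7u7 itself was reported to have a further sandbox escape. The following inventory check is an added example written for this thread; it is not code from any of the posters or from Oracle. It parses the first line of `java -version` output (the `java version "1.7.0_06"` banner that Java 6 and 7 print) and classifies each host against the 7u7/6u35 levels. Hostnames and banners in `SAMPLE_INVENTORY` are constructed, and "patched" means patched for CVE-2012-4681 only, not free of the later report.

```python
import re

# Fix levels named in the Oracle Security Alert quoted in post #7:
# Java SE 7 -> Update 7, Java SE 6 -> Update 35. Keyed by version family.
PATCHED_UPDATE = {7: 7, 6: 35}

# First line of `java -version` for Java 6/7: java version "1.<family>.0_<update>"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (family, update) from a `java -version` banner, or None.

    '1.7.0_06' -> (7, 6); a banner with no '_NN' suffix is update 0.
    """
    m = VERSION_RE.search(output)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def assess(output):
    """Classify a banner against the CVE-2012-4681 fix levels.

    Returns 'patched', 'vulnerable', 'unsupported-family' (a family the
    alert did not cover, e.g. 1.5) or 'unparsed' (no banner found).
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return "unparsed"
    family, update = parsed
    if family not in PATCHED_UPDATE:
        return "unsupported-family"
    return "patched" if update >= PATCHED_UPDATE[family] else "vulnerable"


def hosts_needing_action(inventory):
    """Return [(host, status)] for every host whose status is not 'patched'.

    An unparsed banner is reported too: a host with no readable Java
    version still needs a manual look rather than a silent pass.
    """
    return [(host, assess(banner))
            for host, banner in inventory
            if assess(banner) != "patched"]


# Constructed sample inventory: (hostname, captured `java -version` output).
SAMPLE_INVENTORY = [
    ("ws-01", 'java version "1.7.0_06"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)'),
    ("ws-02", 'java version "1.7.0_07"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)'),
    ("ws-03", 'java version "1.6.0_24"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_24-b07)'),
    ("ws-04", "'java' is not recognized as an internal or external command"),
]

if __name__ == "__main__":
    for host, status in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Note that `java -version` writes its banner to stderr, so when collecting banners from real machines capture stderr (for example `java -version 2>&1`) before feeding the text to `assess`. Because Windows machines often carry several JREs side by side (the thread itself describes reverting to 1.6 and later updating to 7u7), running the check once per installed `java.exe` rather than once per host avoids missing an old copy that a browser plugin may still use.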
#10
New Java 0day exploited in the wild - Patched or not ?
On Fri, 31 Aug 2012 11:34:58 -0700, MowGreen wrote:

Gowdiak has echoed what many security researchers have said before: If you don't need Java, uninstall it from your system. "

Ouch !

Ouch! indeed. Thanks again.

--
Robin Bignall
Herts, England
#11
New Java 0day exploited in the wild - Patched or not ?
MowGreen wrote:

Gowdiak has echoed what many security researchers have said before: If you don't need Java, uninstall it from your system. "

Ouch !

MowGreen
================
*-343-* FDNY Never Forgotten
================

To add insult to injury, I was testing Java here (by coincidence), and I could install 6U24 in Win2K, but 6U35 would not install. The installer seemed to be broken, and even looking at the verbose "log" (500KB worth), I couldn't tell exactly what step was breaking. Something attempted to "elevate", and then the installer started backing out the install. Of course, when 6U35 would run, it would remove 6U24 from the machine first, so when 6U35 would die, I was left with nothing (hardly "backing out", more like making a mess).

So if a person was hoping that their older machine could have some patch like that applied, it would not necessarily be so. In Win2K, I was not able to install 7U7 or 6U35, and eventually I had to settle for 6U24. That VM was not used for anything web related - I was testing "serviio" media server, and accessing it from another virtual machine. At least the uninstall was uneventful (the automatic removal of 6U24 by the other installer).

I was not able to find any advice on which Windows OS Oracle currently supports. On previous versions of the web page, the names of the supported Windows OSes were listed right on the download page. Now, the download page is simplified and just says "Windows", leaving you to guess which OSes the installer might not work in.

Paul
#12
New Java 0day exploited in the wild - Patched or not ?
"Paul" wrote:

To add insult to injury, I was testing Java here (by coincidence), and I could install 6U24 in Win2K, but 6U35 would not install. The installer seemed to be broken, and even looking at the verbose "log" (500KB worth), I couldn't tell exactly what step was breaking. Something attempted to "elevate", and then the installer started backing out the install. Of course, when 6U35 would run, it would remove 6U24 from the machine first, so when 6U35 would die, I was left with nothing (hardly "backing out", more like making a mess).

So if a person was hoping that their older machine could have some patch like that applied, it would not necessarily be so. In Win2K, I was not able to install 7U7 or 6U35, and eventually I had to settle for 6U24. That VM was not used for anything web related - I was testing "serviio" media server, and accessing it from another virtual machine. At least the uninstall was uneventful (the automatic removal of 6U24 by the other installer).

I was not able to find any advice on which Windows OS Oracle currently supports. On previous versions of the web page, the names of the supported Windows OSes were listed right on the download page. Now, the download page is simplified and just says "Windows", leaving you to guess which OSes the installer might not work in.

Interesting...the notes on Oracle's web site for JRE have a link to the list of supported configurations, and W2K (with either SP3 or SP4) is listed. The notes state that installing it on an unsupported Windows version will trigger an explicit error message.

I presume that you have a reason for continuing to run Windows 2000, but you might want to reconsider that. Microsoft some time ago stopped issuing security patches for that product (Windows XP gets the same treatment on 8 April 2014) and Java 1.6 builds below 35 have known security vulnerabilities for which attacks are currently found "in the wild" (and don't even *think* of installing 1.7 until Oracle fixes the major vulnerability in that version).

You're probably the person in the best position to judge both the risk and the benefits of running a vulnerable system on your computer, but even if the decision to continue to use W2K was appropriate when originally made, you should periodically revisit it to see if it still makes sense.

Joe
#13
New Java 0day exploited in the wild - Patched or not ?
Joe Morris wrote:

"Paul" wrote:

To add insult to injury, I was testing Java here (by coincidence), and I could install 6U24 in Win2K, but 6U35 would not install. The installer seemed to be broken, and even looking at the verbose "log" (500KB worth), I couldn't tell exactly what step was breaking. Something attempted to "elevate", and then the installer started backing out the install. Of course, when 6U35 would run, it would remove 6U24 from the machine first, so when 6U35 would die, I was left with nothing (hardly "backing out", more like making a mess).

So if a person was hoping that their older machine could have some patch like that applied, it would not necessarily be so. In Win2K, I was not able to install 7U7 or 6U35, and eventually I had to settle for 6U24. That VM was not used for anything web related - I was testing "serviio" media server, and accessing it from another virtual machine. At least the uninstall was uneventful (the automatic removal of 6U24 by the other installer).

I was not able to find any advice on which Windows OS Oracle currently supports. On previous versions of the web page, the names of the supported Windows OSes were listed right on the download page. Now, the download page is simplified and just says "Windows", leaving you to guess which OSes the installer might not work in.

Interesting...the notes on Oracle's web site for JRE have a link to the list of supported configurations, and W2K (with either SP3 or SP4) is listed. The notes state that installing it on an unsupported Windows version will trigger an explicit error message.

I presume that you have a reason for continuing to run Windows 2000, but you might want to reconsider that. Microsoft some time ago stopped issuing security patches for that product (Windows XP gets the same treatment on 8 April 2014) and Java 1.6 builds below 35 have known security vulnerabilities for which attacks are currently found "in the wild" (and don't even *think* of installing 1.7 until Oracle fixes the major vulnerability in that version).

You're probably the person in the best position to judge both the risk and the benefits of running a vulnerable system on your computer, but even if the decision to continue to use W2K was appropriate when originally made, you should periodically revisit it to see if it still makes sense.

Joe

That setup was a couple of virtual machines talking to one another. One was to function as a UPnP media server, the other as a fake "DLNA TV set", a media player. For the server, I was testing something called Serviio, written in Java. The intention wasn't to do much in the way of web surfing on either VM. Unless something comes up, the test is finished now anyway, so it'll be rm -Rf * time soon.

I was just surprised how hard it was to install Java. You'd think after this much time, Oracle/Sun would have that all figured out.

Paul
#14
New Java 0day exploited in the wild - Patched or not ?
"Paul" wrote:

Joe Morris wrote:

I presume that you have a reason for continuing to run Windows 2000, but you might want to reconsider that. Microsoft some time ago stopped issuing security patches for that product (Windows XP gets the same treatment on 8 April 2014) and Java 1.6 builds below 35 have known security vulnerabilities for which attacks are currently found "in the wild" (and don't even *think* of installing 1.7 until Oracle fixes the major vulnerability in that version).

You're probably the person in the best position to judge both the risk and the benefits of running a vulnerable system on your computer, but even if the decision to continue to use W2K was appropriate when originally made, you should periodically revisit it to see if it still makes sense.

That setup was a couple of virtual machines talking to one another. One was to function as a UPnP media server, the other as a fake "DLNA TV set", a media player. For the server, I was testing something called Serviio, written in Java. The intention wasn't to do much in the way of web surfing on either VM. Unless something comes up, the test is finished now anyway, so it'll be rm -Rf * time soon.

I was just surprised how hard it was to install Java. You'd think after this much time, Oracle/Sun would have that all figured out.

Well...a counterargument: the likely population of users of Windows 2000 who install JRE, coupled with the security problems that W2K presents, probably doesn't justify much in the way of spending time checking that the JRE installer still works with it...but that doesn't excuse the continued presence of "Windows 2000" on the "supported platforms" list if it's not being tested.

Joe