Friday, January 11, 2013

US-CERT, multiple companies warn about, react to new Java vulnerability

A number of companies and the U.S. Computer Emergency Readiness Team (US-CERT), which is a division of the Department of Homeland Security, have warned end users to disable Java on their systems to prevent infection by a newly discovered Java vulnerability.

To be clear, though, although this has been labeled a new vulnerability, the current exploit would not have worked if Oracle had properly patched an older vulnerability back in October of last year, according to Security Explorations, the security firm which has identified many of the most recent Java vulnerabilities (though notably, not this one).

The US-CERT started the ball rolling with following vulnerability note it issued late Thursday, as well as a warning:
Overview – Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description – Java 7 Update 10 and earlier contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.

Impact – By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

Solution - We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet.
Mozilla was quick to respond. On Friday the company announced that it had added Java 7 Updates 9 and 10 as well as Java 6 Updates 37 and 38 to its Firefox add-on block list, after news of the new vulnerability was released. Older versions of Java are already blacklisted due to other security holes.

With those additions, users are protected in one of two ways, existing plugin blocking (self-explanatory and for the earlier versions) or Click To Play, for the new blocks and described as follows:
The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users.

Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.
Apple also moved quickly to protect Mac OS X systems. Apple updated its "Xprotect.plist" blacklist to require a minimum of the as-of-yet unreleased 1.7.0_10-b19 version of Java 7.

This disables the Java 7 plug-in on Macs where it is already installed, since the current publicly-available versions of Java 7 (1.7.0_10-b18) fail to pass the check initiated through the anti-malware system built into OS X.

It's somewhat ironic to see Apple move so quickly. The Flashback trojan from 2012 relied on a Java vulnerability. It was patched by Oracle, the company behind Java, fixed the vulnerability exploited to install Flashback on Feb. 14, 2012.

However, Apple maintains the Mac OS X version of Java and did not release an update for its OS until April 3, 2012. By then Flashback had already infected 600,000 systems.

No comments: