42 new security fixes are included for Oracle’s Java SE software. This new version with all security fixes included also includes a new feature to alert users of the dangers of running certain Java content.
Java 7 Update 21 was released yesterday (April 16, 2013) with all 42 bugs fixed. Most of the flaws are from exploits. Which means that visiting a hacked website can get you infected. Users running Java 6 are prompted to update to Java 7. However, Java 6 updates are still privately available (Update 45).
Anyway, the new update involves the introduction of newer security warnings as well as other message prompts. These are used for the web browsing environment to help users identify potentially risky content. See the image below for more information:
Java’s new features have been pretty continuous when Oracle finally realized last year that Java was getting to be an extremely insecure plugin. Java’s not so bad when it’s running an out-of-browser application, like a program or game.
The new version, now available on Java.com will bring the current version to Java SE 7 Update 21 and Java SE 6 Update 45. It is recommended to unplug your browser from Java, at least the main one, and only use Java Runtime Environment (JRE) in a lesser-used browser. Whenever you need to use a site that required Java, use it on your rare browser, so that you don’t get tripped up by ads or other exploit sites that try to access Java on your main browser.
Additionally, make sure to occasionally clear the Java cache, which will help prevent old temporary files for Java from loading. It’ll make the Java experience a bit better. This may also help remediate issues, if a Java application doesn’t run.
CanSecWest is a conference, and 2013’s conference once again involved the Pwn2Own contest for hackers, an elite (1337) competition. The concept remained simple and will always that if you pwn a fully-patched browser running on a fully-patched laptop, you get to keep the laptop.
However, different rules applied this year. It involved successfully demonstrating the exploit, providing the sponsor (HP) the fully functioning exploit, and all details involved with the vulnerability used in the attack. If there were many vulnerabilities, multiple reports are needed, etc.
The work couldn’t be sold to anyone else, and proof of concept would belong to HP once sold. Basically, HP buys the winning exploits for own use. Their idea of reward money was the following:
- Google Chrome on Windows 7 = $100,000
- IE10 on Windows 8 = $100,000 or IE9 on Windows 7 = $75,000.
- Mozilla Firefox on Windows 7 = $60,000
- Apple Safari on Mac OS X Mountain Lion = $65,000
- Adobe Reader XI and Flash Player = $70,000
- Oracle Java = $20,000
It was assuredly a blast at the competition, no doubt about it.
DAY ONE: Java, Chrome, IE10, and Firefox PWNED!!!
(Where’s Safari, right? It survived!)
The idea behind each attack is the ability to browse to an untrusted website where you’re able to inject and run arbitrary code outside of the browsing environment.
Of course, one of the rules is: “A successful attack … must require little or no user interaction and must demonstrate code execution… If a sandbox is present, a full sandbox escape is required to win.”
In addition to Chrome, Firefox, and IE10 being pwned, Java was pwned three times on the first day. Once by James Forshaw, Joshua Drake, and VUPEN Security. VUPEN Security also led a lot of the pack of issues by successfully exploiting IE10 and Firefox as well.
The only other exploit was by Nils & Jon, where both successfully exploited Chrome.
The day after the first day of Pwn2Own, Mozilla and Google patched the exploits that were pushed out. Amazingly fast, Firefox went on to version 19.0.2 (which you should’ve been updated automatically), and Chrome went on to version 25.0.1364.160 (effectively patching 10 vulnerabilities).
“We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users,” said Michael Coates, Mozilla’s director of security assurance, in a Thursday blog.
Microsoft has decided to wait until next week’s Patch Tuesday run of updates to push out the fix for the Internet Explorer exploit on IE10.
DAY TWO: Adobe Reader and Flash Player PWNED!!! Java PWNED AGAIN!!!
Flash Player…exploited by VUPEN Security (any surprise?). Adobe Reader PWNED by George Hotz. Java once again was exploited, this time proxied by Ben Murphy.
Who’re the overall prize winners?
- James Forshaw, Ben Murphy, and Joshua Drake for Java – each $20,000
- VUPEN Security for IE10 + Firefox + Java + Flash – $250,000
- Nils & Jon for Google Chrome – $100,000
- George Hotz for Adobe Reader – $70,000
Of course, George Hotz is best known for jailbreaking the iPhone and PlayStation 3. He’s still in progress with a lawsuit with Sony over the issue for PS3.
Now in its eighth year, Pwn2Own contest had $480,000 in payouts, a record year. Amazing!
Got any vibe on this issue? Post comment below! 🙂
Adobe has published another update now, fixing three vulnerabilities. Two of these three vulnerabilities are currently being exploited in the wild.
Adobe has introduced the Flash Player sandbox a year ago protecting Firefox users from vulnerabilities in Flash Player. This sandbox is being actively targeted for attacks.
“Adobe is aware of reports that CVE-2013-0643 and CVE 2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content,” the company wrote in a security bulletin.
Adobe classifies the update at priority rating of 1 for Windows and Mac (which means super-critical: PATCH NOW!), and 3 for Linux (not as critical for Linux).
Google automatically patches for Chrome Browser. Microsoft automatically patches for Internet Explorer 10 for Windows 8 (note for Internet Explorer 10 for Windows 7, you have to patch).
The following issues are resolved:
- Permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643)
- ExternalInterface ActionScript feature (CVE-2013-0648)
- Buffer overflow in Flash Player broker service (CVE-2013-0504).
To see version information about Flash Player or what browser/OS you’re running, check out the following.
Remember, when updating, UNCHECK McAfee | Security Scan Plus, unless you really want to scan your computer. It is pre-checked, so you have to uncheck it.
Let’s discover the vulnerabilities of CVE-2012-4681 and CVE-2012-5076, what’s similar and what we can learn about these two serious vulnerabilities. These use a Java reflection mechanism that breaks applet security restrictions, and allow a malicious payload. In other words, they bypass security and execute malicious code.
Now, Java reflection is used in programs commonly, usually those requiring the examination of runtime behavior of applications running in Java Virtual Machine. It is very convenient for Java developers (despite saving time) to write Java programs, but it also opens up more opportunities for exploits.
Now, to open up for the technical part, which you can skip if you don’t understand Java or it would give you a headache. 🙂
== TECHNICAL START ==
Java reflection has many functions and they are:
- GET class
- GET all members and methods in class include private ones
- Invoke methods
Java’s big vulnerability in dealing with reflection is that it allows hidden fields. Obviously, this isn’t a true flaw (meaning the Java developers don’t see a problem), but it would help to change this attribute to avoid further problems.
Now, CVE-2012-4681 used Java reflection to induce a hidden field that was called statement.acc. It implemented, also, the “setfield” function, which changes the value of the ACC file (found in the hidden field). To break the code, “Java.beans.statement” would be implemented.
So, in Java, we’d see:
SetField(Statement.class, "acc", localStatement, localAccessControlContext);
Then, as we analyze CVE-2012-5062, we see the big offender, “util. GenericContructor”, which is used to create an object from a restricted class. We would implement it like “sun.invoke.anon.AnonymousClassLoader”, and then call its function “loadclass” – that would deliver the malicious payload. Here is a breakdown of how the payload would work:
- GET the method “loadclass” and then invoke.
- GET the method “r” in payload and then invoke.
- Using “Class.forName” to load a target class
- Using “getDeclaredFields”, which would enumerate all fields (not including hidden ones).
- Using “setAccessible” to expose hidden/private fields.
== TECHNICAL END ==
Obviously, it’s time, researchers, to keep an eye on Java reflection vulnerabilities.
Only hours after the latest Java update, yet another set of vulnerabilities were discovered by security researchers. Now, plagues the question: “Is the Java team doing a good job patching security holes and generally producing secure software code?” What the problem is, is that Java is being actively exploited in the wild. That means hackers and malware writers are naturally targeting Java because of its open holes.
Because Oracle went quite a while before fixing a vulnerability, hackers and malware writers are having a ball game with Java Runtime Environment. Most of these exploits are targeting the Windows OS. Researchers find only a matter of time before it affects the Mac OS platform.
If that’s not problematic enough, many antivirus companies are failing to block the latest exploits for the Java vulnerabilities. Some of the newer avenues of infection and exploits, including ZeroAccess/Sirefef, Java vulnerabilities continue repeatedly. It’s been going on, seems like for ages.
Many question how much Oracle cares about this situation, or not taking it seriously enough. All that can be done is to keep a watch, check for updates every few days, and actually apply the updates to be protected.
Kaspersky Anti-Virus 2013 brings you the essential antivirus technologies that your PC needs – in a product that’s easy to download, install and run. Kaspersky Anti-Virus 2013 works behind-the-scenes – defending you and your PC against viruses, spyware, Trojans, rootkits and other threats… all without significant impact on your PC’s performance. Click Here
According to an analysis conducted by the AV-Comparatives test lab on behalf of The H‘s associates at heise Security, less than half of the 22 anti-virus programs tested protect users against the currently circulating Java exploit that targets a highly critical vulnerability in Javaversion 7 Update 6.
Two versions of the exploit were tested: the basic version that was largely based on the published proof of concept and started the notepad instead of the calculator, and, for the second variant, heise Security added a download routine that writes an EXE file to disk from the internet. The test system was Windows XP that, except in the case of Avast, Microsoft and Panda, had the full versions of the security suites installed. For Avast, Microsoft and Panda, the researchers used the free versions of the products.
Only 9 of the 22 tested products managed to block both variants of the exploit (Avast Free, AVG, Avira, ESET, G Data, Kaspersky, PC Tools, Sophos and Symantec). Twelve virus scanners were found to be unsuccessful (AhnLab, Bitdefender, BullGuard, eScan, F-Secure, Fortinet, GFI-Vipre, Ikarus, McAfee, Panda Cloud Antivirus, Trend Micro and Webroot). Microsoft’s free Security Essentials component at least managed to block the basic version of the exploit.
Get the best protection that DOES block the Java exploit: