Oracle’s emergency Java update this weekend for a zero-day sandbox bypass vulnerability hasn’t exactly kicked off a love-fest for the company among security experts. Researchers are still cautious about recommending users re-enable the ubiquitous software, despite the availability of the fix for the latest zero-day to target the platform.
Some caution there are still ways to bypass a heightened security configuration in the update, and yet others remain concerned about fixes for vulnerabilities reported months ago that still have not been addressed.
Adam Gowdiak of Security Explorations in Poland said Oracle has yet to address vulnerabilities reported in April and September of last year; the September vulnerability, like the one fixed over the weekend, is a sandbox bypass vulnerability that would enable an attacker to remotely execute code.
“[This] is especially important as a critical vulnerability that affects all Java SE versions released over the [last] eight years or so,” Gowdiak said. “We have confirmed that our proof of concept code for it works with flying colors under Java SE 7 Update 11 released yesterday.”
Jaime Blasco, a researcher with AlienVault, echoes Gowdiak’s concerns that users should continue to leave the Java browser plug-in disabled.
“I don’t think it’s very useful right now,” Blasco said. “I think right now you won’t find Java applets on most websites; regular users don’t need Java right now.”
Oracle rushed Java 1.7u11 out the door on Sunday, less than a week after the discovery of the vulnerability and exploits in the wild. The most noteworthy enhancement is that Oracle has changed Java’s default security level setting to high from medium. As a result, unsigned or self-signed Java applications will no longer run by default; users will have to approve applets to run them.
“With the ‘High’ setting, the user is always warned before any unsigned application is run to prevent silent exploitation,” Oracle said in its advisory.
Blasco said that while this is a good first step, it would not prevent an attacker from tricking the user via social engineering, for example, into executing a malicious applet manually. An attacker with a valid, stolen digital certificate could also, in theory, sign and execute a malicious applet.
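The setting Oracle changed lives in the Java deployment.properties file, so an administrator can verify it rather than trust the default. The following audit script is an added example, not code from Threatpost, Oracle or any of the researchers quoted; it assumes the Java 7u10+ property names deployment.security.level (the Control Panel security slider) and deployment.webjava.enabled (the "Enable Java content in the browser" checkbox), plus the .locked suffix that system-wide deployment.properties uses to stop users changing a value. Both sample files are constructed. Note the caveat from the paragraph above: HIGH only adds a prompt for unsigned code, so a passing audit does not help against an applet signed with a stolen certificate.

```python
# Added example (not from the article): audit a Java 7u10+ deployment.properties
# file for the two settings discussed above. Property names assumed:
#   deployment.security.level   - Control Panel slider: LOW, MEDIUM, HIGH, VERY_HIGH
#   deployment.webjava.enabled  - "Enable Java content in the browser"
#   <property>.locked           - marks a value as not user-changeable
from typing import Dict, List

# Slider positions from weakest to strictest (Java 7u10/7u11 values).
SECURITY_LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]

# Constructed sample: a 7u10-era user file with the old MEDIUM default.
WEAK_SAMPLE = """\
# constructed sample, not a real machine's file
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

# Constructed sample: plug-in switched off and slider locked at HIGH.
HARDENED_SAMPLE = """\
# constructed sample, not a real machine's file
deployment.security.level=HIGH
deployment.security.level.locked
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"""


def parse_deployment_properties(text: str) -> Dict[str, str]:
    """Parse key=value (or key:value) lines; bare keys such as
    'x.locked' map to an empty string. Comments and blank lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the file matches the
    posture the article's researchers recommend (plug-in off, HIGH, locked)."""
    findings: List[str] = []

    # The plug-in is on unless explicitly switched off.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java content in the browser is still enabled "
                        "(deployment.webjava.enabled is not false)")

    level = props.get("deployment.security.level")
    if level is None:
        # Default depends on the JRE: MEDIUM on 7u10, HIGH from 7u11.
        findings.append("no explicit security level; the effective default "
                        "depends on the installed JRE release")
    elif level.upper() not in SECURITY_LEVELS:
        findings.append(f"unrecognised security level {level!r}")
    elif SECURITY_LEVELS.index(level.upper()) < SECURITY_LEVELS.index("HIGH"):
        findings.append(f"security level {level.upper()} runs unsigned "
                        "applets without a prompt")

    if "deployment.security.level.locked" not in props:
        findings.append("security level is not locked; a user can lower it "
                        "again from the Java Control Panel")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        result = audit(parse_deployment_properties(sample))
        print(f"{name}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

To run it against a real machine, read the user-level or system-level deployment.properties (its location differs per platform) into the text argument; the parser deliberately tolerates the bare `.locked` keys that a hand-edited system file contains.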
The call to disable Java began again in earnest last Thursday when French researcher Kafeine reported that he found websites hosting exploits for a new zero-day and that exploit kits such as Blackhole had already incorporated the exploit. Soon, most of the major exploit kits including Cool, Nuclear Pack, Sakura, and Redkit, had the exploits. By Friday, an exploit module for the zero-day had been added to Metasploit, and it was game-on.
HD Moore, Metasploit creator, said the issue in Java 7u10 was a privilege-escalation vulnerability (CVE-2013-0422) in the MBeanInstantiator.
“A lot of the recent Java exploits use a technique similar to this one where they find a class that’s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,” Moore told Threatpost last week. “It’s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7. It’s already being used by all the bad guys and at this point, it’s just catch-up and how fast Oracle can respond.”
FireEye reported last week, and Blasco confirmed today, that some exploits are serving up ransomware. Now that the exploits are part of kits, any payload, from banking Trojans to keyloggers or botnets, can be added, researchers said.
“Having this in the exploit kits is the worst possible scenario; exploit kits are one of the biggest security issues users are facing,” Blasco said. “If you are a cybercriminal and have money, you will get something that works. You can buy anything, even without knowing anything about coding exploits.”
Java’s availability on numerous platforms from Windows to Linux to Mac OS X makes it an attractive target for exploit writers. A reliable exploit will run anywhere.
“If you have an exploit for memory issues and the exploit is reliable, you don’t have to code a different exploit for different languages or platforms, it just works everywhere. You will have 100 percent probability of exploiting the target if it is vulnerable to that issue.”