Author Topic: Java Miscellaneous Stuff (inc Security)  (Read 799 times)

Offline menotu

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 15282
  • ┌∩┐(◕_◕)┌∩┐
Java Miscellaneous Stuff (inc Security)
« on: February 11, 2013, 05:30:20 AM »
Brian Krebs 11 February 2013 (krebsonsecurity)

Yahoo! Pushing Java Version Released in 2008  (Java 6 Update 7)

At a time when Apple, Mozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of Java, Yahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old.

Yahoo! users who decide to build a Web site within the Internet firm’s hosting environment are steered toward using a free tool called SiteBuilder, which is designed to make building simple Web sites a point-and-click exercise. Yahoo! has offered SiteBuilder to its millions of users for years, but unfortunately the tool introduces a myriad of security vulnerabilities on host PCs.

SiteBuilder requires Java, but the version of Java that Yahoo! bundles with it is Java 6 Update 7. It’s not clear if this is just a gross oversight or if their tool really doesn’t work with more recent versions of Java. The company has yet to respond to requests for comment.

But this version of Java was first introduced in the summer of 2008 and is woefully insecure and out-of-date. Oracle just released Java 6, Update 39, meaning that SiteBuilder installs a version of Java that includes hundreds of known, critical security vulnerabilities that can be used to remotely compromise host PCs.

There are two reasons why this is a big deal: Java is the biggest source of malware infections across an entire industry of exploit packs — crimeware toolkits that are stitched into hacked and malicious Web sites and designed to exploit known browser flaws. Also, Yahoo! is a major Internet company that ought to know better. Sadly, this Yahoo! offering is aimed at small businesses, who are least likely to understand the importance of updating apps like Java and who are most frequently the targets of extremely costly cyberheists.

Incredibly, this is the version of Java you’ll have after installing Yahoo’s SiteBuilder program.



https://krebsonsecurity.com/2013/02/yahoo-pushing-java-version-released-in-2008/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #1 on: February 17, 2013, 07:14:32 AM »
Andy Greenberg - 2/15/2013 - Forbes  (Security)

Facebook Hacked Via Java Vulnerability, Claims No User Data Compromised

Another Friday afternoon, another hacking victim confession.

Facebook’s announcement includes more information than most of those victims about the method used to breach its defenses. The company explains in its post that its staff’s computers were infected with malware when they visited a mobile developer’s website that had been compromised by a hacker. That infected site used a previously unknown vulnerability in Oracle’s notoriously buggy Java software to gain access to the users’ machines via their browser, despite the company’s claim that the computers were fully patched and running antivirus software.

That description of a Java-based attack echoes a warning from Twitter when it admitted that 250,000 users’ accounts had been potentially breached two weeks ago. Twitter suggested that users disable Java, which has been subject to an endless stream of security vulnerabilities, without explicitly saying that Java served as the initial entrypoint for the attack.

Given the wording of Facebook’s blog post, it’s easy enough to connect the dots between its attackers and those that targeted Twitter. “Facebook was not alone in this attack. It is clear that others were attacked and infiltrated recently as well,” the post reads:

As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected. We plan to continue collaborating on this incident through an informal working group and other means.

http://www.forbes.com/sites/andygreenberg/2013/02/15/facebook-hacked-via-java-vulnerability-claims-no-user-data-compromised/

https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #2 on: February 20, 2013, 06:09:57 AM »
By Lucian Constantin, IDG News Service |  Security

Oracle released new Java security updates on Tuesday and announced plans to accelerate the release of future Java patches following recent attacks that have infected computers with malware by exploiting zero-day vulnerabilities in Java browser plug-ins.

The new updates, Java 7 Update 15 and Java 6 Update 41, address five additional vulnerabilities that couldn't be included in the emergency Java update that Oracle released on Feb. 1 due to time constraints. At the time, Oracle broke out of its scheduled 4-month Java patching cycle in order to patch a vulnerability that was being actively exploited by hackers.

http://www.pcworld.idg.com.au/article/454292/oracle_releases_new_java_fixes_speeds_up_patching_cycle/
============================================================

Unsure how/if this affects PCLinuxOS but..........

Java 6 End of Public Updates extended to February 2013

Earlier this year I announced that the EOL for Oracle JDK 6 had been extended from July 2012 to November 2012. JDK 6 was the default JDK for over 5 years, and so it seems fair that it have a longer publicly available support time-frame than past major releases.

After further consultation and consideration, the Oracle JDK 6 End of Public Updates will be extended through February, 2013. This means that the last publicly available release of Oracle JDK 6 is to be released in February, 2013.

https://blogs.oracle.com/henrik/entry/java_6_eol_h_h

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #3 on: February 26, 2013, 05:29:30 AM »
Related to Java 7
===========

By Eduard Kovacs - February 25th, 2013 - softpedia

Researchers from Polish firm Security Explorations have identified another serious vulnerability in Java 7. The experts say Java SE 7 Update 15 and all earlier versions are affected.

Adam Gowdiak, the CEO of Security Explorations, has told Softpedia that they’ve uncovered two security issues, which they’ve dubbed “issue 54” and “issue 55.”

When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox.

Oracle has been provided with the details of the newly uncovered bugs, but so far, it has only confirmed receiving the information. Most likely, the company will confirm the existence of the flaws in the upcoming days.

“Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way,” Gowdiak noted. “Without going into further details, everything indicates that the ball is in Oracle's court. Again.”

The experts have tested their findings against the initial release of Java SE 7, Java SE 7 Update 11, and Java SE 7 Update 15, which is the version released a few days ago.

Oracle released its February Critical Patch Update (CPU) ahead of schedule. The CPU released on February 1 addressed a total of 50 Java vulnerabilities.

However, the company released an updated CPU on February 19 to fix an additional 5 security issues.

The next CPU is scheduled for April 16, but if experts discover that issue 54 and issue 55 are exploited in the wild, Oracle could release another out-of-band patch.

In the meantime, experts keep advising users to disable Java if they don’t need it for their everyday tasks. The new advisories come in light of the recent breaches reported by Facebook, Apple and Microsoft.

In all of these incidents, it’s believed that cybercriminals have leveraged a Java vulnerability to distribute malware onto the organizations' computers.

http://news.softpedia.com/news/Zero-Day-Vulnerability-Affecting-Java-7-Update-15-and-Earlier-Versions-Identified-332157.shtml
« Last Edit: February 26, 2013, 05:32:47 AM by menotu »

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #4 on: February 26, 2013, 05:59:08 AM »
From F-Secure - February 25, 2013

The Lowest Hanging Fruit: Java

By all measures, Java is the current title holder for the lowest hanging fruit in computer security. (And by Java, we mean JRE and its various browser plugins.) It wasn't always so. How did it happen? Let's review some highlights in the history of low hanging fruit.

From 2004 to 2008: Attacks shifted from Windows to Office.

2004, August — Windows XP Service Pack 2 was released.

2005, February — At RSA Conference, Microsoft announced the first beta of Microsoft Update.

2005, June — The initial release of Microsoft Update.

Result: Over time, fewer Microsoft Office vulnerabilities in the wild as Microsoft Update replaced Windows Update.

From 2008 to 2010: Attacks increasingly focused on Adobe.

2009, February — "Adobe Reader has become the new IE"

From my point of view, Adobe Reader has become the new IE. For security reasons, avoid it if you can.

2009, March — Adobe started a quarterly update schedule, available on "Patch Tuesday".

  •  ASSET Blog: Adobe Reader and Acrobat Security Initiative

2009, April — Oracle buys Sun, became owner of Java.

2010, March — PDF Based Targeted Attacks are Increasing

  •  Computerworld: Hackers love to exploit PDF bugs, says researcher

Adobe wasn't surprised by the data. "Given the relative ubiquity and cross-platform reach of many of our products, Adobe has attracted — and will likely continue to attract — increasing attention from attackers."

2010, July — Adobe Joins Microsoft's MAPP Program.

  •  ASSET Blog: Working Together: Adobe Vulnerability Info Sharing via Microsoft Active Protections Program (MAPP)

Result: Adobe became a team player… and has the results to show for it.

From 2010 to 2013: Java claims the title lowest hanging fruit (on multiple OS).

2012, April — Adobe ends "quarterly updates", responds monthly, as needed, still aligned with Microsoft's update schedule.

  •  ASSET Blog: Background on Security Bulletin APSB12-08

2012, August — Java Runtime Environment = Perpetual Vulnerability Machine

2013, January — ZDNet reporter, Ed Bott, declared Java the new king of foistware.

  •  ZDNet: A close look at how Oracle installs deceptive software with Java updates

2013, February — Numerous companies admit to security breaches due to Java.

  •  The Verge: After so many hacks, why won't Java just go away?

Result: Java's browser plugin is deemed public enemy number one.

But wait, is disabling Java's browser plugins enough?

2011, March — Spotify Free users attacked via malicious ads. At least one attack used a Java exploit.

http://news.netcraft.com/archives/2011/03/25/spotify-free-users-attacked-by-malware.html

  •  SC Magazine: Spotify in malvertising scare

http://www.scmagazineuk.com/spotify-in-malvertising-scare/article/199434/

Seems it isn't just "browsers" that can trigger Java.

From 2013 to 201X: Oracle either evolves or JRE becomes increasingly irrelevant.

Oracle releases its critical patch updates on the Tuesday closest to the 17th day of January, April, July and October. By releasing such updates on a day other (and later) than "Patch Tuesday", Oracle currently forces IT departments to schedule an additional patch maintenance assessment and testing meeting.

Something really ought to change.

F-Secure and links
« Last Edit: February 26, 2013, 06:01:41 AM by menotu »

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #5 on: March 01, 2013, 06:46:20 AM »
heise Security (via FireEye) 1-Mar-2013

New attack on current Java version

Security firm FireEye reports that cyber criminals are exploiting previously unknown vulnerabilities in the current Java versions to deploy malware. The hole allows attackers to access the memory of the Java Virtual Machine (JVM). There, the exploit will look, for example, for the area that determines whether Java's Security Manager is active, and it will then try to overwrite this area with a zero. The Security Manager controls which system resources can be accessed by the code running in the JVM; once it is disabled, the exploit is free to execute the downloaded malware.

The FireEye researchers say that the discovered exploit isn't very reliable because it will try to overwrite large memory data blocks; however, it is likely only a matter of time before the approach is perfected. The hole is found both in Java version 7 update 15 and in version 6 update 41. The version 6 branch is no longer actively maintained by Oracle.

To protect themselves, users can completely uninstall Java or at least disable it in their browser. Another useful option is the click-to-play feature in Firefox and Chrome, which, when enabled, will require explicit user approval before a plugin can be executed.

Talking to The H's associates at heise Security, researcher Adam Gowdiak confirmed that the exploited vulnerability is not one of the flaws he recently discovered and reported to Oracle.

http://www.h-online.com/security/news/item/New-attack-on-current-Java-version-1814716.html

FireEye

================================
More info on the click-to-play option is here



« Last Edit: March 01, 2013, 06:51:00 AM by menotu »

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #6 on: March 02, 2013, 07:43:43 AM »
A bit more info from Brian Krebs on the latest Java "hole" found by FireEye
================================================
1-Mar-2013

FireEye said the Java exploit used in this attack downloaded a remote access Trojan called McRat.

This threat, also known as HiKit and Mdmbot.F, calls home to a malicious control server at the Internet address 110.173.55.187. Turns out, this is the same malware and control server that was used in the attack on Bit9, according to details that Bit9 released in a blog post this week documenting a sophisticated attack that resulted in a breach of its own systems last year.

Alex Lanstein, a senior security researcher at FireEye, said it’s unlikely in this case that multiple attack groups are using the same infrastructure and malware.

“Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,” Lanstein said.

The discovery of the new Java zero-day comes just days after Oracle released an update to fix at least five security flaws in Java, flaws that were apparently used in attacks on Apple, Facebook, Twitter and at least 37 other companies. 

https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #7 on: March 04, 2013, 08:15:48 AM »
What is NVIDIA GPU Reader?

NVIDIA GPU Reader is a web-based applet that identifies your GPU and finds the latest graphics driver for your GPU.

How does the GPU reader work?

A small Java Applet is downloaded the first time you run the service. This Java Applet only looks at and verifies your system components when you instruct it to do so from the website. This system information is then used to determine the best driver for your GPU.

==========================

If anyone uses this, please be aware that it uses Java.

It doesn't affect me as I don't use it but thought it best to mention it.

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #8 on: March 05, 2013, 05:12:22 AM »
Brian Krebs 04 Mar 13 (krebsonsecurity)

Oracle Issues Emergency Java Update

Oracle today pushed out the third update in less than a month to fix critical vulnerabilities in its Java software. This patch plugs a dangerous security hole in Java that attackers have been exploiting to break into systems.

Java 7 Update 17 and Java 6 Update 43 address a critical vulnerability (CVE-2013-1493) in Java that security experts warned last week was being used in targeted attacks against high-profile targets. Oracle had intended to quit shipping updates for Java 6 at the end of February, but apparently reversed course for the time being to help Java 6 users address this latest crisis.

I thought this was unusually speedy patch response for Oracle, that is until I read an Oracle blog post that accompanied the patch release. Oracle said that while reports of active exploitation against the vulnerability were recently received, this bug was originally reported to Oracle on Feb. 1, 2013, “unfortunately too late to be included in the Critical Patch Update that it released on Feb. 19.

“The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013),” wrote Oracle’s Eric Maurice. “However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.”

What makes Java vulnerabilities so dangerous is that Java is a cross-platform product, meaning exploits against vulnerabilities in Java can be used to deliver malicious payloads to Mac and Linux systems just the same as they can Windows PCs. The previous Java update released on Feb. 19 came amid revelations by Apple, Facebook and Twitter that employees at these organizations and dozens of others were hacked using exploits that attacked Java vulnerabilities on Mac and Windows machines.

Oracle blog post
https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493

https://krebsonsecurity.com/2013/03/oracle-issues-emergency-java-update/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29
« Last Edit: March 05, 2013, 05:14:43 AM by menotu »

Offline pinoc

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2839
    • other projects...
Re: Java Miscellaneous Stuff (inc Security)
« Reply #9 on: March 05, 2013, 07:54:06 AM »
java 1.6-43 for 32/64 sent to upload queue.
I'm tired of this ...  ::)
-p.

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #10 on: March 06, 2013, 07:03:53 AM »
java 1.6-43 for 32/64 sent to upload queue.
I'm tired of this ...  ::)
-p.

I bet you are pinoc

They sure are coming very quickly and in part (or whole) I think this may be down to Oracle being "pressured" by the likes of Apple, Facebook, Microsoft etc...

Mind you coincidences do happen  ;) ;) ;)

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #11 on: March 07, 2013, 04:30:11 AM »
heise Security - 07 March 2013

Java certificate checks botched (When a Signed Java JAR file is not Proof of Trust)

While the focus regarding the recent Java 0day exploits has been on blocking unsigned applets – ones with no verifiable digital signature – security researcher Eric Romang reports on a new problem, signed Java JARs that carry malware. The malware in question was found on dict dot tu-chemnitz dot de, a German online dictionary which had apparently been infected by the g01pack exploit kit.

The code in the web page named the JAR file as "ClearWeb Security Update" and said it had been signed by "CLEARESULT CONSULTING INC.". The company is a real company and the signature gives the jar file the appearance of it being secure and therefore the security measure to stop unsigned applets running did nothing.



Instead, a dialog was displayed asking whether the user wanted to run the application with no hint of any problem; even opening up the "More details" and "Certificate Details" gave no indication of issues. Only there were two problems.

Firstly, the applet had been signed with a presumed stolen private key and, as Avast's Jindrich Kubec found, that key had been revoked on 7 Dec 2012. If the user pressed run, the application would have begun installing malware onto the system.

Behind this problem is the simple issue that by default, although Java runtimes verify certificates, they do not check them for revocation. This is made worse by the fact that they also, as a default setting, grant both signed applications and self-signed applications elevated privileges. Although attackers have used stolen certificates before, the current settings on Java runtimes mean that just because a package is signed doesn't mean it can be trusted because the certificate is not being tested for revocation.

Users should at least consider going to the Java control panel to activate the certificate revocation test and reduce the privileges of signed applications. Given the sorry state of the Java web plugin's security handling at the moment though, it would be simpler to enable the click-to-play functionality for plugins or just disable the Java plugin in the browser to stop exposure to all Java code on the web.

http://www.h-online.com/security/news/item/Java-certificate-checks-botched-1817879.html

==========

Eric Romang blog

When a Signed Java JAR file is not Proof of Trust

Today, Malware Domain List, reported strange behaviours regarding a Java app executed with the latest version of Java 6.

Java 0day ? bit.ly/12nWSC1 Machine is running latest 1.6 JRE. Source: pastebin.com/BiND6qZt

— Malware Domain List (@_MDL_) 4 March 2013


As you can observe, VirusTotal didn’t find anything wrong (0/46) regarding the Java app, but after a few hours, some analysis and some discussions on Twitter, it appears that this file is a malicious file (3/46) dropping malware and that Oracle still needs to enhance the security level of Java.

===========================================

Note - Looking at the malicious file on VirusTotal it's now showing it as 11/46

« Last Edit: March 07, 2013, 04:37:06 AM by menotu »

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #12 on: March 18, 2013, 11:21:57 AM »
By Stewart Mitchell - 18 Mar 2013 - pcpro

Security Explorations claims to have discovered a security flaw in the Java SE platform, but says Oracle has dismissed its concerns, saying the weakness is "allowed behaviour" for code.

The gripe concerns a potential weakness tagged Issue 54, which the security researchers claim can be used as part of a package to bypass sandboxing in Java.

"Described Issue 54 is not sufficient to implement a functional and successful attack code in the environment of Java SE 7," Security Explorations said in its announcement. "Security Explorations discovered another issue (number 55) affecting Oracle’s Java SE 7 that allows to do this.

"Issues 54 and 55, when combined together can be used to successfully achieve a complete Java security sandbox bypass in a target system. Proof of concept code illustrating the impact of both vulnerabilities has been successfully tested in the environment of Java SE 7 Update 15 and Java SE 7 Update 17."

Oracle said allowing code to access an element of the software called Method Handle was normal procedure, but according to the researchers other examples of similar attacks were blocked, leading to a lack of consistency in policy.

"A general rule in security is that same circumstances and constraints should lead to consistent security access-related decisions," the researchers argue. "In case of Issue 54, resolving protected members of superclasses should be either always allowed or denied for all code paths available to untrusted code."

Oracle has yet to respond to a request for comment.

http://www.pcpro.co.uk/news/security/380635/security-researchers-attack-inconsistent-oracle-over-java

Security Explorations

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #13 on: April 06, 2013, 08:28:15 AM »
By Jerome Segura - April 5, 2013 - Malwarebytes

Exploit Kit authors must really love Java. (Redkit)

Not only is it ripe with vulnerabilities but its own language provides a great platform to write and deliver malware in different ways. We are used to seeing encrypted payloads (XOR, AES encryption), applets containing both the exploit itself and the binary payload. Today we will talk about yet another combination which we nicknamed the “split”.

(for images associated with the following info use link below)

What appears to be a single encrypted file (setup.exe being a bogus name anyway) is not. Instead of having a single payload, we have two binaries:

C:\Documents and Settings\user\Local Settings\Temp\sjskstrk.exe
C:\Documents and Settings\user\Local Settings\Temp\deruaeru.exe

The first clue we got came from a file size discrepancy. Seeing an encrypted payload is not unique but usually the file size matches the dropped binary. The other clue was that we had two drops on disk but only one point of origin.

sjskstrk.exe: Size on disk 94,208 bytes
deruaeru.exe: Size on disk 45,056 bytes
28.html: Size on disk 139,264 bytes

A little math confirmed our suspicions:
94,208 + 45,056 = 139,264

The split happens within the jar file itself, in a class where we see the two (unobfuscated) strings that correspond to our file names:

full blog with associated images

====================================================

5 Apr, 2013 Jane McCallion - itpro

Java exploit delivers double dose of malware in first of its kind attack.

Malwarebytes security researchers claim to have discovered a new type of Java exploit kit that delivers two malwares in one attack – a move they have dubbed “the split”.

The Redkit exploit kit, which exploits Java vulnerabilities, was first detected in the wild in 2012.

“Since I started detecting this trick, I am seeing it a lot more within packet captures. For now it is still only part of the Redkit exploit kit, but it is just a matter of time before someone else copies it,” Segura said.

Segura also explained that while in theory this type of ‘split’ exploit kit could contain any number of malware files, there is a limit to how many can be wrapped together before it starts to cause problems for the kit itself.

http://www.itpro.co.uk/security/19560/malwarebytes-uncovers-malware-double-header?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ITPro%2FToday+%28IT+PRO+-+Today%29
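As an added example (not from the Malwarebytes write-up or the forum post), here is a Python carver for a decrypted "split" download of the kind described above: rather than trusting file-size arithmetic alone, it validates each embedded MZ/PE header and then repeats the size check over whatever it found. The sample blob is constructed to mirror the 94,208 + 45,056 byte sizes quoted in the article; it is not the real payload, and everything beyond the DOS stub, PE signature and Machine field is filler.

```python
"""Carve a 'split' exploit-kit payload into its concatenated PE files.

Constructed example for the Redkit 'split': after the dropper decrypts
its single download, the blob is binary #1 immediately followed by
binary #2. We walk the blob and validate every candidate MZ/PE header
instead of trusting sizes.
"""
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
# COFF Machine values for x86, x64, ARM and ARM64 images.
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C4, 0xAA64}


def pe_header_at(blob, off):
    """True if a plausible PE image starts at `off`.

    A stray 'MZ' inside filler or leftover ciphertext fails these checks:
    e_lfanew (at off+0x3c) must stay inside the blob, must point at the
    'PE\\0\\0' signature, and the COFF Machine field must be a known CPU.
    """
    if off + 0x40 > len(blob) or blob[off:off + 2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 6 > len(blob):
        return False
    if blob[pe:pe + 4] != PE_SIGNATURE:
        return False
    (machine,) = struct.unpack_from("<H", blob, pe + 4)
    return machine in KNOWN_MACHINES


def carve_split_payload(blob):
    """Return [(offset, size), ...] for each PE embedded in `blob`.

    Each binary is taken to run up to the start of the next valid header
    (or to the end of the blob), which is exactly the 'split' layout.
    """
    starts = []
    pos = blob.find(MZ_MAGIC)
    while pos != -1:
        if pe_header_at(blob, pos):
            starts.append(pos)
        pos = blob.find(MZ_MAGIC, pos + 1)
    bounds = starts + [len(blob)]
    return [(bounds[i], bounds[i + 1] - bounds[i]) for i in range(len(starts))]


def sizes_add_up(blob, pieces):
    """The write-up's arithmetic, generalised: the pieces must tile the blob."""
    expected = 0
    for off, size in pieces:
        if off != expected:
            return False
        expected += size
    return expected == len(blob)


def make_fake_pe(total_size, machine=0x014C, decoy_at=None):
    """Build a constructed, non-executable PE-shaped blob of `total_size` bytes.

    Only the DOS stub, e_lfanew, PE signature and Machine field are real;
    the rest is pattern filler. `decoy_at` plants a bogus 'MZ' whose
    e_lfanew points outside the blob, to show the carver ignores it.
    """
    hdr = bytearray(MZ_MAGIC)
    hdr += b"\x00" * (0x3C - len(hdr))
    hdr += struct.pack("<I", 0x40)            # e_lfanew -> PE header at 0x40
    hdr += PE_SIGNATURE + struct.pack("<H", machine)
    body = bytearray(hdr)
    body += bytes(range(256)) * (total_size // 256 + 1)
    body = body[:total_size]
    if decoy_at is not None:
        decoy = MZ_MAGIC + b"\x00" * 0x3A + struct.pack("<I", 0xFFFFFFFF)
        body[decoy_at:decoy_at + len(decoy)] = decoy
    return bytes(body)


# Constructed sample using the sizes quoted in the article (not the real files):
# 94,208-byte binary + 45,056-byte binary = 139,264-byte download.
SAMPLE_SPLIT = make_fake_pe(94_208, decoy_at=4096) + make_fake_pe(45_056, machine=0x8664)


if __name__ == "__main__":
    pieces = carve_split_payload(SAMPLE_SPLIT)
    for off, size in pieces:
        print(f"embedded PE at offset {off:>7} size {size:>7,} bytes")
    print("sizes tile the download:", sizes_add_up(SAMPLE_SPLIT, pieces))
```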

Offline menotu

Re: Java Miscellaneous Stuff (inc Security)
« Reply #14 on: April 16, 2013, 02:44:47 PM »
The Oracle Java SE Critical Patch Update Advisory - April 2013 is here
============================================
Mathew J. Schwartz  April 16, 2013 - informationweek

Oracle is set to patch more than three dozen Java bugs Tuesday and overhaul Java 7 security defenses to better flag suspect Java apps. (Java 7 update 17, Java 6 update 43, and Java 5 update 41)

"This critical patch update contains 42 new security vulnerability fixes," said Oracle's prerelease announcement. Furthermore, a whopping "39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply critical patch update fixes as soon as possible," said the advisory.

According to Oracle, the update will address security vulnerabilities in Java 7 update 17, Java 6 update 43, and Java 5 update 41, as well as prior versions of each. Although Oracle officially retired Java 6 in February, announcing that it would no longer be updating the software, its most recent emergency Java patch, released March 4, included security updates for not only Java 7, but also Java 5 and 6.

In the face of criticism over rising numbers of Java vulnerabilities and related attacks -- leading to the Department of Homeland Security earlier this year advising users to avoid using the Java browser plug-in whenever possible -- Oracle pledged to squash Java bugs more quickly, and appears to be following through. Notably, the company released the out-of-band Java 7 update 11 in January, Java SE 7 Update 13 and Java 7 update 15 in February, and Java 7 update 17 on March 4, just before the annual Pwn2Own contest.

What changed since then? As of March 8, Michael Horowitz, who maintains the Java Tester website, counted 12 unpatched bugs in Java 7 update 17. That count included four zero-day Java exploits demonstrated at Pwn2Own, including a heap overflow vulnerability employed by French vulnerability seller Vupen.

According to veteran Java bug hunter Adam Gowdiak, CEO and founder of Poland-based Security Explorations, the Java update will fix six vulnerabilities his company has identified, the oldest of which was discovered and reported to Oracle on Jan. 18.

With the new Java 7 update 21 set to be released Tuesday, Oracle will also implement previewed Java Control Panel changes, which include revised security controls for users of the browser plug-in. "All browser-based Java content (applets and applications) will present additional information and require confirmation before being allowed to run," said Oracle.

That change will be backed by new warning messages including a yellow warning triangle with a warning for any application "that cannot be identified because the certificate is untrusted or expired." Meanwhile, a yellow warning shield and text will flag any application that "is unsigned and/or the certificate is not valid," saying that the application's certificate "should not be trusted."

The new version of Java 7, aka the Java Runtime Environment (JRE), will also eliminate a user's ability to fully disable the Java security controls. "We are also removing the 'low' security settings in the Java Control Panel (e.g., low/custom), to prevent users from inadvertently opting-out entirely from the security remediation we are building into Java," said Oracle. "Users will be better protected by maintaining up-to-date versions of the JRE on their systems, combined with requiring code that is signed by a trusted Certificate Authority (rather than self-signed or unsigned code)."

Oracle has been warning developers that the security changes might break some existing Java applications and encouraging them to get their applications signed by a trusted certificate authority before Tuesday.

https://www.informationweek.com/security/application-security/oracle-preps-massive-java-bug-fix/240152987
« Last Edit: April 16, 2013, 02:47:36 PM by menotu »