FACTS about the JAVA 7 'Zero Day' virus threat!

GeneC

FACTS about the JAVA 7 'Zero Day' virus threat!

Post by GeneC »

I usually don't pay much attention to worries about virus/malware in Linux. I have been on this forum for over two years and have read many posts on worries about them, but NEVER an actual case.
But, I do have some concern about this one.
-----------------------------------------------
Is anyone else as confused about the JAVA 'Zero Day' malware threat? I read so many conflicting and seemingly erroneous reports. I'd like to have a clear understanding (if there is one).

1. It can affect LINUX. (Can it?)
Thousands of computer users - whether they favour Windows, Mac or Linux operating systems - are at risk from a newly discovered Java vulnerability for which there is currently no fix.
It appears the flaw allows the Blackhole exploit kit to target the Java system using a Pre.jar file that lets it install malware, in this case a banking Trojan, onto users' machines, through a variety of methods.
Security firm FireEye warned that criminals have already begun targeting the flaw using the Blackhole exploit kit. Some versions of the malware toolkit were updated to include the ability to exploit the vulnerability earlier this week, the company claimed.
"This morning we started getting the first indication of a large scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly," read FireEye's blog.
"After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands."
FireEye went on to criticise Oracle - which owns Java - for its lack of action regarding the flaw.
"It's very disappointing that Oracle hasn't come forward and announced a date for an emergency update patch," wrote FireEye's Atif Mushtaq.
At the time of publishing Oracle had not responded to V3's request for comment on the exploit or when a patch may be released.
The flaw was uncovered earlier in August and reportedly works on Windows, Linux and OSX operating systems, according to Errata security.
"I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1. I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6. The same exploit worked on all of them," an Errata representative wrote on a company blog.
The Blackhole exploit kit is an automated attack kit available for sale in several online black markets. It allows cyber criminals without sophisticated IT skills to mount automated cyber campaigns.
http://www.v3.co.uk/v3-uk/news/2201420/ ... rs-at-risk

http://threatpost.com/en_us/blogs/nasty ... -it-011013

2. It's only JAVA, not javascripts? (So, the tips of using NO SCRIPTS is not effective?)

http://noscript.net/

3. Protect by disabling JAVA in your browser?

http://www.computerweekly.com/news/2240 ... t-zero-day
In Chrome/Chromium
chrome://plugins/ > Java > Disable
------
In Firefox: Tools > Addons > Plugins > IcedTea > Disable

4. Do we really need JAVA? I thought we did, but I disabled it in Google-Chrome and the sites I tried work fine?

5. Today I just received an update to Oracle JAVA.
From this repo
http://www.duinsoft.nl/packages.php?t=en

gene@lmdexfce-rc:~$ java -version
java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) Server VM (build 23.6-b04, mixed mode)
It's supposed to address the threat, but maybe not?

http://arstechnica.com/security/2013/01 ... s-that-is/
Earlier this week, a security hole in the latest version of Java was being "massively exploited in the wild." Hackers were turning compromised websites into platforms for installing silent keyloggers or other malicious software. And at the time news broke, even fully patched Java installations were at risk.

Today however, KrebsOnSecurity reporter Brian Krebs is reporting Oracle finally shipped its critical security update. Java 7 Update 11 fixes this sticky situation and it's available both via Oracle’s website and through the Java Control Panel in an active program.


========================================


EDIT:
I changed the title to "FACTS" from "QUESTIONS", as sound explanations were given by "mockturtl" and "zerozero".
The Krebs blog is most informative.
http://krebsonsecurity.com/2013/01/what ... a-exploit/
Just to quote some key points from Krebs...
Update, Jan. 13, 8:14 p.m. ET: Oracle just released a patch to fix this vulnerability. Read more here.
http://krebsonsecurity.com/2013/01/orac ... -for-java/

Q: What is Java, anyway?
A: Java is a programming language and computing platform that powers programs including utilities, games, and business applications. According to Java maker Oracle Corp., Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices. It is required by some Web sites that use it to run interactive games and applications.

Q: So what is all the fuss about?
A: Researchers have discovered that cybercrooks are attacking a previously unknown security hole in Java 7 that can be used to seize control over a computer if a user visits a compromised or malicious Web site.

Q: Yikes. How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a browser plug-in. According to researchers at Carnegie Mellon University's CERT, unplugging the Java plugin from the browser essentially prevents exploitation of the vulnerability. Not long ago, disconnecting Java from the browser was not straightforward, but with the release of the latest version of Java 7 — Update 10 — Oracle included a very simple method for removing Java from the browser. You can find their instructions for doing this here.

Q: How do I know if I have Java installed, and if so, which version?
A: The simplest way is to visit this link and click the “Do I have Java” link, just below the big red “Download Java” button.

Q: I’m using Java 6. Does that mean I don’t have to worry about this?
A: There have been conflicting findings on this front. The description of this bug at the National Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including version 4 and 5. Analysts at vulnerability research firm Immunity say the bug could impact Java 6 and possibly earlier versions. But Will Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced with Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely.

Either way, it’s important not to get too hung up on which versions are affected, as this could become a moving target. Also, a new zero-day flaw is discovered in Java several times a year. That’s why I’ve urged readers to either uninstall Java completely or unplug it from the browser no matter what version you’re using.

Q: A site I use often requires the Java plugin to be enabled. What should I do?
A: You could downgrade to Java 6, but that is not a very good solution. Oracle will stop supporting Java 6 at the end of February 2013, and will soon be transitioning Java 6 users to Java 7 anyway. If you need Java for specific Web sites, a better solution is to adopt a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

Q: I am using a Mac/Linux, so I should be okay, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to foist malware on Mac and Linux systems, in addition to Microsoft Windows machines. Java is made to run programs across multiple platforms, which makes it especially dangerous when new flaws in it are discovered. For instance, the Flashback worm that infected more than 600,000 Macs wiggled into OS X systems via a Java flaw. Oracle’s instructions include advice on how to unplug Java from Safari. I should note that Apple has not provided a version of Java for OS X beyond 6, but users can still download and install Java 7 on Mac systems. However, it appears that in response to this threat, Apple has taken steps to block Java from running on OS X systems.

Q: Okay, I think I’m covered on Java. But what about Javascript?
A: Because of the unfortunate similarity of their names, many people confuse Java with Javascript. But these are two completely different things. Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

Chrome also includes similar script- and Flash blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as Noscript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted. In addition, there is a very handy add-on for Chrome called NotScripts that works very much like Noscript.

(more on Krebs web site)
altair4

Re: Confused about the JAVA 'Zero Day' virus threat?

Post by altair4 »

I commented here that there are other questions that I have:

** Does openjdk / icedtea have the same problem?

** Is it confined to Java7? Mint13 LTS users are running with a Java6 vintage not 7.
GeneC

Re: Confused about the JAVA 'Zero Day' virus threat?

Post by GeneC »

altair

Yes, thanks for that. Some reports are that openjdk / icedtea is ok, some not.
It just adds to the confusion...
GeneC

Re: Confused about the JAVA 'Zero Day' virus threat?

Post by GeneC »

Just found this..
If you want to install the latest JAVA in Ubuntu or Debian based distros.

http://www.webupd8.org/2013/01/oracle-r ... update-11-
Quick update: Oracle has released Java 7 update 11 which fixes a critical security vulnerability in update 10, so if you're using our PPA, update to the latest JDK 7u11 as soon as possible.
mockturtl

Re: Confused about the JAVA 'Zero Day' virus threat?

Post by mockturtl »

GeneC wrote:2. It's only JAVA, not javascripts? (So, the tips of using NO SCRIPTS is not effective?)
Right. The naming is a historical accident: the marketing wizards at Netscape decided this embedded web-browser language, "LiveScript," would benefit from Java's brand recognition, so they changed the name. The two languages, confusingly, have nothing to do with each other.

To make matters worse...

GeneC wrote:3. Protect by disabling JAVA in your browser?

http://www.computerweekly.com/news/2240175907/Disable-Java-to-protect-from-latest-zero-day
In Chrome/Chromium
chrome://plugins/  > Java > Disable
------
In Firefox: Tools > Addons > Plugins > IcedTea > Disable

4.  Do we really need JAVA?  I thought we did, but I disabled it in Google-Chrome and the sites I tried work fine?
...Java ships with a browser plugin. It never caught on the way Flash did, or even QuickTime, or RealPlayer. The only Java-applet sites I can think of are university physics demonstrations from the 1990's.

You should disable it. I bet you won't miss it.
http://krebsonsecurity.com/2013/01/zero ... crimeware/
http://krebsonsecurity.com/2013/01/what ... a-exploit/
GeneC wrote:5. Today I just received an update to Oracle JAVA.
From this repo
http://www.duinsoft.nl/packages.php?t=en

gene@lmdexfce-rc:~$ java -version
java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) Server VM (build 23.6-b04, mixed mode)
It's supposed to address the threat, but maybe not?
Sounds like 7u11 is the fix. I don't have time to look just now, but I'll see if I can find more detail later today.
Last edited by mockturtl on Mon Jan 14, 2013 12:41 pm, edited 1 time in total.
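Added example, not part of any post in this thread: a shell check that reads `java -version` output like the banner quoted above and classifies it against the 7u11 update the posts name as Oracle's fix. The function name, the result labels, and the rule that OpenJDK/IcedTea builds are referred to distribution advisories rather than compared by update number are assumptions of this example; all banners except the one copied from the thread are constructed.

```shell
#!/bin/sh
# Added example: classify `java -version` output against Oracle Java 7
# Update 11 (7u11), the update this thread names as the fix.
# Real use:  classify_java_banner "$(java -version 2>&1)"
# (java prints its version banner on stderr, hence 2>&1).

BASELINE_UPDATE=11

# Prints exactly one of:
#   unparseable           no version string found (e.g. java not installed)
#   openjdk-check-distro  OpenJDK/IcedTea build: consult distro advisories
#                         (assumption: distro patch level != Oracle update no.)
#   not-java7             some other major version
#   below-7u11            Oracle Java 7 older than Update 11
#   at-or-above-7u11      Oracle Java 7 Update 11 or newer
classify_java_banner() {
    banner=$1

    # Take the quoted version from the first line that carries one,
    # e.g.  java version "1.7.0_11"  ->  1.7.0_11
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/^[A-Za-z]* version "\([0-9][0-9._]*\).*/\1/p' |
          sed -n '1p')
    if [ -z "$ver" ]; then echo unparseable; return 0; fi

    case $banner in
        *OpenJDK*|*IcedTea*) echo openjdk-check-distro; return 0 ;;
    esac

    # Legacy numbering: 1.<major>.<minor>_<update>
    case $ver in
        1.7|1.7.*) ;;
        *) echo not-java7; return 0 ;;
    esac

    # A release without a "_NN" suffix (plain 1.7.0) counts as update 0.
    case $ver in
        *_*) update=${ver##*_} ;;
        *)   update=0 ;;
    esac
    update=$(printf '%s' "$update" | sed 's/^0*//')   # "09" -> "9"
    update=${update:-0}
    case $update in
        *[!0-9]*) echo unparseable; return 0 ;;
    esac

    if [ "$update" -lt "$BASELINE_UPDATE" ]; then
        echo below-7u11
    else
        echo at-or-above-7u11
    fi
}

# Banner exactly as posted in the thread.
THREAD_BANNER='java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) Server VM (build 23.6-b04, mixed mode)'

# Constructed samples (not taken from any real machine).
OLD_BANNER='java version "1.7.0_09"
Java(TM) SE Runtime Environment (constructed sample)'
JAVA6_BANNER='java version "1.6.0_37"'
OPENJDK_BANNER='java version "1.7.0_09"
OpenJDK Runtime Environment (constructed sample)'
MISSING_BANNER='sh: java: command not found'

for b in "$THREAD_BANNER" "$OLD_BANNER" "$JAVA6_BANNER" \
         "$OPENJDK_BANNER" "$MISSING_BANNER"; do
    printf '%s\n' "$(classify_java_banner "$b")"
done
```

A result of `at-or-above-7u11` only says the baseline is met: later posts in this thread report that 7u11 patched one of two vulnerabilities and that the advice to keep the browser plugin disabled still stood.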
zerozero

Re: Confused about the JAVA 'Zero Day' virus threat?

Post by zerozero »

mockturtl wrote:You should disable it. I bet you won't miss it.
done long time ago (and never missed it)
but some might not be so lucky (see Denko's post)
GeneC

Re: Confused about the JAVA 'Zero Day' virus threat?

Post by GeneC »

'mock', and 'zz'

Thanks for the clarifications. That does explain a lot...:)

Disabled Java and IcedTea, and found that I do not miss them at all. Quite surprised, I thought they were essential for most web sites. NOT...

Wish I had disabled them a long time ago. So much fuss for nothing.... :roll:

zerozero

Re: Confused about the JAVA 'Zero Day' virus threat?

Post by zerozero »

the second link mockturtl gave us above from Krebs deserves a special emphasis (just in case it gets a bit lost in the middle of all the other info :D )

what you need to know about the java exploit
GeneC

Re: Confused about the JAVA 'Zero Day' virus threat?

Post by GeneC »

Now that (Krebs) is the most clear and comprehensive explanation so far. "Google-ing" only brings many mixed and potentially harmful "fixes" (i.e. using "NO SCRIPTS" will protect you... WRONG, as mockturtl thoroughly explained above... thanks).

[My NOTE]
I use 'Quick JavaScript Switcher' for Chrome. (Allows you to turn on/off javascript with a mouse click.)
https://chrome.google.com/webstore/deta ... dggiiccfje
grizzler

Re: Confused about the JAVA 'Zero Day' virus threat?

Post by grizzler »

GeneC wrote:Now that (Krebs) is the most clear and comprehensive explanation so far. "Google-ing" only brings many mixed and potentially harmful "fixes" (i.e. using "NO SCRIPTS" will protect you... WRONG, as mockturtl thoroughly explained above... thanks).
Actually, NoScript does have an option to disallow Java and other plugins as well. No idea how effective this is though. I always switch off the Java plugin manually.
GeneC

Re: FACTS about the JAVA 7 'Zero Day' virus threat!

Post by GeneC »

Thanks for pointing that out grizzler.

I should point out that NO SCRIPTS is for
Firefox, Iceweasel, and other mozilla-based browsers

I have NOT SCRIPTS (the Chrome/Chromium version), installed and it doesn't have that option.
zerozero

Re: FACTS about the JAVA 7 'Zero Day' virus threat!

Post by zerozero »

GeneC

Re: FACTS about the JAVA 7 'Zero Day' virus threat!

Post by GeneC »

Nice find 'zz'.... :)

Turned JAVA OFF last week, and I find that I don't miss it at all.
zerozero

Re: FACTS about the JAVA 7 'Zero Day' virus threat!

Post by zerozero »

hi Gene :wink:
yeahh unless there's something that absolutely requires java the safest option is turn it off

btw, quoting reuters http://www.reuters.com/article/2013/01/ ... ompanyNews (after the 7u11 update)
(Reuters) - The U.S. Department of Homeland Security warned that a security update of Oracle Corp's Java software for Web browsers does not do enough to protect computers from attack, sticking to its previous advice that the program be disabled.
mockturtl

Re: FACTS about the JAVA 7 'Zero Day' virus threat!

Post by mockturtl »

(cross-post)
mockturtl wrote:
http://dottech.org/94112/latest-version ... o-experts/

JANUARY 20, 2013
According to two security firms, Trend Micro and Immunity Inc., the most recently discovered Java exploit (the one that hit the headlines on Jan 10) was due to two vulnerabilities in Java. The most recent patch issued by Oracle on Jan 14 (Java 7u11, Java 6u37, Java 5u38, and Java 4u40) patched only one of the vulnerabilities. Both firms independently came to this conclusion (meaning they both studied the patch and figured this out)
xenopeek wrote:It's applicable if you have installed Oracle Java. By default Linux Mint Main Edition comes with OpenJDK
It seems to be a problem for openjdk, too.
http://security.stackexchange.com/quest ... dk-icedtea

Java 7 and OpenJDK share a lot of common code, so, as a general rule, security issues in Java 7 also apply to OpenJDK. In that specific case, it seems that the vulnerability was reported in the Debian OpenJDK package, so yes, they are vulnerable. See this question on another stackexchange site.
justy39

Re: FACTS about the JAVA 7 'Zero Day' virus threat!

Post by justy39 »

I still have no idea why people implement java into things. I hated java the day it was released, and still hate it today. Crummy software. Some things people first do installing linux is install this or that. First thing I do is delete icedtea and anything java related. That's such old recycled software it's not even worth using. If a website uses java... Man they old school.. Might as well stick with dos..
Orbmiser

Re: FACTS about the JAVA 7 'Zero Day' virus threat!

Post by Orbmiser »

"If a website uses java... Man they old school."
I agree, have always considered Java a bloated resource hog. But it was popular due to fast implementation of functions and features.

And also agree sites should phase it out. But for some that may still be a few years away and have no choice if they need to use a particular site that supports it. Some sites are user specific with no alternatives available to them.
mockturtl

Re: FACTS about the JAVA 7 'Zero Day' virus threat!

Post by mockturtl »

Another threat surface I hadn't realized: the embedded browser in Thunderbird.

Disable via Settings -> Add-ons -> Plugins.
mockturtl

Re: FACTS about the JAVA 7 'Zero Day' virus threat!

Post by mockturtl »

"Be comforted that in the face of all aridity and disillusionment, and despite the changing fortunes of time, there is always a big future in computer maintenance."

"Give up."

http://www.zdnet.com/oracle-investigati ... 000011965/

In a posting to the Seclists.org security forum, security researcher Adam Gowdiak said his firm had examined the latest Java 7 software update, released on February 19, and found two new security issues—dubbed Issue 54 and Issue 55—which "when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 (Update 15)."
(repost from kc1di)