This Thursday, the security blogger Kafeine posted a blog post in which he disclosed information about a severe 0day in Java. According to security researchers, this vulnerability has been exploited since mid-December. Java has had quite a few problems with security vulnerabilities over the last 12 months, and ironically, the new 0day appears to have been introduced by an incomplete patch from October that was meant to fix one of those earlier security bugs. The vulnerability is present on all platforms and browsers and could let an attacker execute code on your computer with administrator privileges, which amounts to the attacker having full control of your system.
The folks over at Metasploit and Rapid7 have already created a module for exploiting this vulnerability. You can download the framework over at metasploit.com or read the CVE report of the vulnerability here.
According to Dan Goodin of Ars Technica, “Exploits of the latest Java vulnerability are the combination of two bugs. The first involves the Class.forName() method and allows the loading of arbitrary (restricted) classes. The second bug relies on the invokeWithArguments method call and was also a problem with Issue 32 that Oracle purportedly patched in October.”
Adam Gowdiak says that the patch Oracle issued in October only partly addressed the bug, and that it was still possible to exploit it using a trusted system class as a target method caller. However, the other bug allows the attacker to use members of the new Reflection API, which was introduced in Java 7.
The result of this is that Java applets with normal security privileges can access restricted classes. By combining these two bugs, the applet can call setSecurityManager() to escalate its privileges freely. This means that the attacker is able to execute code on your computer with administrator privileges, which amounts to the attacker having full control of your system. This type of vulnerability is often used for the distribution of ransomware. It affects all versions of Java 7 (Update 10 and earlier).
Older versions of Java are vulnerable to other exploits, if not to this one, which makes downgrading useless. In other words, the best thing to do until Oracle releases an update is to disable Java.
Update
Oracle has released Java 7u11, which fixes the bug. The security update can be found at java.com. Oracle’s Eric Maurice wrote a post on Oracle’s security blog regarding this update, in which he explains that the default security level is now set to “High”. This means that self-signed and unsigned Java applets now require authorization from the user before they run. He also pointed out that Java 7u10 introduced the ability to disable Java in the browser through the Java Control Panel. If you don’t know whether you have the latest version of Java, you can visit this link to verify your Java version.
So, I suppose we are safe. For now.
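A quick way to check an installed JVM against the affected range described above (Java 7, Update 10 or earlier), as an added example that is not from the original post. It assumes the first line of `java -version` output has the form `java version "1.7.0_10"`; the sample strings used for checking are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# is_affected_java: given the first line of `java -version` output
# (e.g. java version "1.7.0_10"), return 0 if it is Java 7 at Update 10
# or earlier (the range the post describes as affected), 1 if it is
# some other version, and 2 if the line cannot be parsed.
is_affected_java() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p')  # 1.7.0_10
    [ -n "$ver" ] || return 2                                     # no quoted version
    major=${ver#1.}; major=${major%%.*}                           # "1.7.0_10" -> 7
    upd=${ver##*_}; [ "$upd" = "$ver" ] && upd=0                  # no "_NN" -> update 0
    upd=${upd%%-*}                                                 # drop "-b12" style suffixes
    case "$major$upd" in *[!0-9]*) return 2 ;; esac               # must be numeric
    [ "$major" -eq 7 ] && [ "$upd" -le 10 ] && return 0
    return 1
}

# check_local_java: run the check against the java binary on PATH.
check_local_java() {
    command -v java >/dev/null 2>&1 || { echo "no java on PATH"; return 1; }
    line=$(java -version 2>&1 | head -n 1)
    if is_affected_java "$line"; then echo "AFFECTED: $line"; else echo "ok: $line"; fi
}
```

Source the file and call `check_local_java` to test the JVM on the current machine; note that it only sees the command-line `java`, not necessarily the browser plugin.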
How to disable Java:
If you can’t find any Java plugins following these instructions, you don’t have any.
Firefox:
- Write about:addons in the address bar and hit enter.
- You are now viewing the Add-on Manager. Click Plugins to the left.
- These entries are your Plugins. Navigate to the ones whose names contain Java, and click the Disable button on the right.
- You have now disabled use of Java in Firefox.
Chrome:
- Write chrome://plugins in the address bar and hit enter.
- These are your plugins. Find Java and click the disable link.
- You have now disabled use of Java in Chrome.
Internet Explorer:
- Go to Tools -> Manage Add-ons.
- If you can’t find Tools, try hitting the Alt key.
- In the Add-ons window, select Java and click Disable down to the right.
- You have now disabled use of Java in Internet Explorer.
Opera:
- Write opera:plugins in the address bar and hit enter.
- Find the entries related to Java, and click Disable to the right.
- You have now disabled use of Java in Opera.
Safari:
- Click Safari -> Preferences.
- Select the Security tab.
- Uncheck Enable Java.
- You have now disabled use of Java in Safari.
Author: Håkon Vågsether