The article went on to say that over 550,000 Macs were compromised with botnet software that was controlling them and stealing all kinds of sensitive information. All you had to do to get infected was browse the wrong site (probably in Russia), and poof: your host is toast. Hey, thanks for the heads-up!
However, my inner geek was still confused. The big claim to fame for Java is its OS independence. It runs the same on Windows, OS X and Linux. One article after another touted the danger to Macs. So, what about the other platforms? It turns out they are also vulnerable. ComputerWorld said in a later article that 1 in 20 Windows PCs were now infected with this malady. It would have been nice to mention this to us back in February. The omission can be explained. Maybe you’ve heard the publisher’s axiom, “Dog bites man is not news; Man bites dog is news.” By corollary, saying “Windows is vulnerable” is not news; “Macs are vulnerable” is big news. Alright, they have page hit quotas to meet. Well played. But, it might have been nice to get a footnote or two about the couple million Windows PCs being infected.
What if you want to find out if your computer is vulnerable? With this fuzzy information being tossed around, it’s time to go to an official outlet. Common Vulnerabilities and Exposures (CVE) is the standard worldwide list of identifiers for publicly known vulnerabilities; MITRE maintains it as an independent body. The new Java vulnerability is now well-known. Exploits are circulating. Surely I can get the straight story here. Several blogs referenced CVE-2012-0507. Here is what awaited me five months after exploits first appeared.
This means Oracle (the company that manages Java) was not quite ready to fully own up to the issue. Huh? I guess they don’t want to stampede the herd with scary information. But, exploits are rampaging and patching is available. Maybe it’s because research from Rapid7 indicates that Java patching adoption after three months tops out at 38%. With a little searching, I found Oracle has its own advisory from late February. Good news: they list specific versions that need remediation. Bad news: They dumbed down the seriousness of the problem.
According to Oracle, the vulnerability can only partially affect your computer. In the illustration below, you see the results when I took Metasploit and loaded it with this Java exploit. I visited my rogue server with a Windows 7 PC. The exploit was able to gain SYSTEM-level access and steal passwords. Partial access, really?
By the way, I got conflicting and flat-out wrong patching information from several other sites. Also, Oracle was very reluctant to push out an emergency patch for this problem. At first, they wanted to wait until June 2012. Mozilla became concerned enough that it blocklisted the vulnerable Java plug-in versions in Firefox during April.
So, how do you make sure your systems are properly patched? First, know where your patch comes from: Windows and Linux get Java updates from Java.com, while Macs have to go to Apple (via Software Update), because at this point Apple ships its own build of Java for OS X. Second, don’t rely solely on Java auto-update, and actually check the installed version rather than assuming the updater ran. My own PC is set to auto-update monthly but has yet to apply the patches. I guess I forgot to click “Yes, Install” when the little task bar floater last showed up. This might explain the 38% patched thing.
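Since auto-update cannot be trusted to have run, here is an added example (mine, not code from the original post or from Learning Tree) that checks the locally installed Java against the versions that first contained the fix for CVE-2012-0507. It assumes the fixed versions from Oracle’s February 2012 Critical Patch Update, Java SE 6 Update 31 and Java SE 7 Update 3, and that Apple’s April 2012 update for OS X delivered the same 1.6.0_31, so one threshold covers Windows, Mac and Oracle-on-Linux. Everything older than Java 6 is treated as unpatched (a conservative assumption: those lines were out of public support). The sample banners are constructed, not captured from real machines.

```python
"""Check whether an installed Java runtime predates the fix for CVE-2012-0507.

Added example, not from the original post. Assumptions: fixed versions per
Oracle's February 2012 CPU are 6u31 and 7u3; Apple's April 2012 update also
shipped 1.6.0_31; anything older than Java 6 is treated as vulnerable.
Caveat: distro-packaged OpenJDK often backports fixes without bumping the
update number, so this check is only authoritative for Oracle and Apple builds.
"""
import re
import subprocess

# (major -> update) of the first release on each line that contains the fix.
FIXED_VERSIONS = {6: 31, 7: 3}

# `java -version` prints e.g. `java version "1.6.0_30"` on its first line,
# and prints it to stderr. The "_NN" update suffix is optional (GA builds).
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) parsed from `java -version` output, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_patched_for_cve_2012_0507(banner):
    """True only if the runtime in `banner` is at or past the fixed update."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False      # unparseable or no Java: never assume safety
    major, update = parsed
    if major < 6:
        return False      # Java 5 and earlier: unsupported, treat as vulnerable
    if major > 7:
        return True       # assumption: any later major line postdates the fix
    return update >= FIXED_VERSIONS[major]


def installed_java_banner():
    """Run the local `java -version` and return its combined output."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""         # no java on PATH
    return proc.stderr + proc.stdout


# Constructed sample banners (not captured from any real system).
SAMPLE_BANNERS = {
    "windows_6u30": 'java version "1.6.0_30"\nJava(TM) SE Runtime Environment (build 1.6.0_30-b12)',
    "mac_apple_6u31": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b04)',
    "windows_7u2": 'java version "1.7.0_02"\nJava(TM) SE Runtime Environment (build 1.7.0_02-b13)',
    "oracle_linux_7u4": 'java version "1.7.0_04"\nJava(TM) SE Runtime Environment (build 1.7.0_04-b20)',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, parse_java_version(banner), is_patched_for_cve_2012_0507(banner))
    local = installed_java_banner()
    if local:
        print("this host:", parse_java_version(local), is_patched_for_cve_2012_0507(local))
    else:
        print("this host: no java found on PATH")
```

Run it on each machine you care about; a browser plug-in can also be pinned to a different JRE than the one first on PATH, so check the plug-in’s version in the browser as well, not just the command-line runtime.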
Do this to protect yourself:
By the way, Learning Tree’s course Penetration Testing Tools and Techniques features this vulnerability.