This Java Threat Is Really Confusing

For several months, there were rumblings in the hacker underground about some serious threats to Java and Apple’s OS X.  ComputerWorld reported in late February 2012 that a new variant of an exploit called Flashback was making its rounds of Macs by using the browser and Java to get in.  CNN followed by reporting that Apple had been alerted to a serious Java vulnerability and had fixed it. The byline read: “Compare [sic] to Windows, OS X is nearly malware free. But it does run JavaScript.”  JavaScript?  But, the articles talked about Java.  Maybe you’re not a techie, but real geeks are fussy.  Java and JavaScript are two different things.   It turns out the CNN author was a Wall Street analyst.  OK, that explains it.

The article went on to say that over 550,000 Macs were compromised with botnet software that was controlling them and stealing all kinds of sensitive information.  All you had to do to get infected was browse the wrong site (probably in Russia), and poof: your host is toast. Hey, thanks for the heads-up!

However, my inner geek was still confused.  The big claim to fame for Java is its OS independence.  It runs the same on Windows, OS X and Linux.  One article after another touted the danger to Macs. So, what about the other platforms?  It turns out they are also vulnerable.  ComputerWorld said in a later article that 1 in 20 Windows PCs were now infected with this malady. It would have been nice to mention this to us back in February.  The omission can be explained.  Maybe you’ve heard the publisher’s axiom, “Dog bites man is not news; Man bites dog is news.” By corollary, saying “Windows is vulnerable” is not news; “Macs are vulnerable” is big news.  Alright, they have page hit quotas to meet.  Well played.  But, it might have been nice to get a footnote or two about the couple million Windows PCs being infected.

What if you want to find out if your computer is vulnerable? With this fuzzy information being tossed around, it’s time to go to an official outlet. Common Vulnerabilities and Exposures (CVE) is the world’s repository for published vulnerability information.  It is run by Mitre as an independent body that publishes vulnerability information.  The new Java vulnerability is now well-known.  Exploits are circulating.  Surely I can get the straight story here. Several blogs referenced CVE-2012-0507.  Here is what awaited me five months after exploits first appeared.

CVE description of the Java vulnerability.

This means Oracle (the company that manages Java) was not quite ready to fully own up to the issue. Huh?  I guess they don’t want to stampede the herd with scary information.  But, exploits are rampaging and patching is available.  Maybe it’s because research from Rapid7 indicates that Java patching adoption after three months tops out at 38%. With a little searching, I found Oracle has its own advisory from late February. Good news: they list specific versions that need remediation.  Bad news: They dumbed down the seriousness of the problem.

According to Oracle, the vulnerability can only partially affect your computer. In the illustration below, you see the results when I took Metasploit and loaded it with this Java exploit. I visited my rogue server with a Windows 7 PC. The exploit was able to gain SYSTEM-level access and steal passwords.  Partial access, really?

Metasploit attacking a browser: once a browser connects to this rogue site, the attacker escalates privileges and dumps the password database.

By the way, I got conflicting and flat-out wrong patching information from several other sites. Also, Oracle was very reluctant to push out an emergency patch for this problem.  At first, they wanted to wait until June 2012. Mozilla developers became concerned and disabled the Java plug-in during April.

So, how do you make sure your systems are properly patched? First, Windows and Linux can get updates from Java.com.  Macs have to go to Apple for updates.  Second, don’t rely solely on your Java auto-update. My own PC is set to auto-update monthly but has yet to apply the patches.  I guess I forgot to click “Yes, Install” when the little task bar floater last showed up.  This might explain the 38% patched thing.

Do this to protect yourself:

  1. Go to http://www.java.com/en/download/installed.jsp and let the applet tell you what version you’re running.
  2. If you are at Java 7 Update 2 or lower, 6 Update 30 or lower, 5.0 Update 33 or lower, or 1.4.2_35 or lower, install the newest version.  Then, verify the new installed version.
  3. If you do not need Java, uninstall it.  If it’s not there, it can’t hurt you. For Windows and Linux, go to http://java.com.  OS X users must get it from Apple at http://support.apple.com/kb/HT5228.
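If you would rather check a fleet of machines than visit the applet page on each one, the steps above reduce to parsing the `java -version` banner and comparing it against the version cut-offs listed in step 2. The script below is an added example, not code from the post or from Oracle; the banners in it are constructed samples, and the `local_java_is_vulnerable` helper simply runs the installed `java` binary.

```python
import re
import subprocess

# Last affected update per Java family, taken from step 2 above
# (Java 7u2, 6u30, 5.0u33, 1.4.2_35). Keys are the "1.x" prefixes
# that `java -version` prints for these releases.
LAST_VULNERABLE_UPDATE = {
    (1, 7): 2,    # Java 7 Update 2 or lower
    (1, 6): 30,   # Java 6 Update 30 or lower
    (1, 5): 33,   # Java 5.0 Update 33 or lower
    (1, 4): 35,   # Java 1.4.2_35 or lower
}

VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(output):
    """Return (major, minor, patch, update) from a `java -version` banner,
    or None if the banner is not recognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return int(major), int(minor), int(patch), int(update or 0)

def is_vulnerable(output):
    """True when the reported JRE is at or below the cut-offs in step 2.
    An unparseable banner is flagged as vulnerable so it gets looked at
    rather than silently passing."""
    v = parse_java_version(output)
    if v is None:
        return True
    major, minor, patch, update = v
    last_bad = LAST_VULNERABLE_UPDATE.get((major, minor))
    if last_bad is None:
        # Anything older than 1.4 predates the fix; newer families are fine.
        return (major, minor) < (1, 4)
    if (major, minor) == (1, 4):
        # Only 1.4.2 is listed; earlier 1.4.x releases also need replacing.
        return patch < 2 or update <= last_bad
    return update <= last_bad

def local_java_is_vulnerable():
    """Classify the locally installed JRE (`java -version` prints to stderr)."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_vulnerable(proc.stderr + proc.stdout)

# Constructed sample banners for offline use, not captured from a real host.
SAMPLE_OLD = 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11)\n'
SAMPLE_NEW = 'java version "1.7.0_04"\nJava(TM) SE Runtime Environment (build 1.7.0_04-b20)\n'

if __name__ == "__main__":
    for banner in (SAMPLE_OLD, SAMPLE_NEW):
        print(banner.splitlines()[0], "->", "vulnerable" if is_vulnerable(banner) else "patched")
```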

By the way, Learning Tree’s course Penetration Testing Tools and Techniques features this vulnerability.

Randy Williams
