New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.
Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.
“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”
ONE BILLION USERS AT RISK?
How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7 (all versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions).
To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia’s 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.
EXPLOIT WORKS AGAINST OS X, LINUX
Not long after news broke that miscreants were exploiting an unpatched security hole in Java to break into PCs, I began seeing tweets from non-Windows users urging people to switch to Mac OS X or Linux. Unfortunately, this latest Java exploit has been shown to work flawlessly to compromise browsers on all three operating systems.
According to Rapid7, the Java exploit found being used in targeted attacks (CVE-2012-4681) is now available as a plug-in to Metasploit, a free software tool built to test the security of networks. Rapid7 said the exploit has been successfully tested to work against nearly all browser configurations on Windows systems, and against Safari on OS X 10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04.
WHO BURNS THROUGH TWO-ZERO DAYS IN ONE SHOT?
On Monday, I interviewed the author of the BlackHole exploit kit, an extremely popular software package sold in the underground that is designed to be stitched into hacked sites and use browser exploits to drop malware on visiting PCs. The BlackHole author said he intended to (and did, it appears) fold the exploit into his kit, but said he was surprised that someone would just leak such a reliable exploit, which he said would fetch at least $100,000 if sold privately in the criminal underground.
But lost in all of the coverage of this vulnerability is the growing body of evidence suggesting this Java exploit was first wielded in targeted espionage attacks of the sort used to extract corporate and government secrets. So who burns through two zero day flaws to execute a targeted attack? In all likelihood, an individual or group motivated by a non-materialistic ideology, or at least a certainty that what will be gained is worth far more than the vulnerability itself.
Experts at Silicon Valley-based AlienVault published an analysis that highlighted some interesting text strings in the exploit (“xiaomaolv” and conglaiyebuqi”) which suggest the initial attacks were paired with Chinese crimeware known as the Gondad Exploit Kit.
Other curious markers in the exploit code indicate that the targeted attacks were carried out using Internet servers that have been connected with other targeted espionage attacks traced back to Chinese threat actor groups. Among the control servers used in this latest attack was “domain.rm6.org,” an Internet address that played a central role in the Nitro attacks of 2011, which according to Symantec and other security firms was a series of Chinese-based espionage attacks directed against at least 48 chemical and defense companies.
Unfortunately, the miscreants involved in these targeted attacks have been finding success using the same resources and tools well into 2010 and earlier. That’s according to a presentation given in 2010 by researchers exploit and malware researchers Val Smith and Anthony Lai, called “Balancing the Pwn Deficit” (PDF).
The paper details the history and methods of Chinese hacking groups, and notes that the two strings found in the most recent Java exploit are a favorite invocation for script variables that are re-used in various attack tools of Chinese origin. The terms “xiaomaolv” and conglaiyebuqi” and several others used, they found, come from lyrics from songs by the artist known as Jay Zhou.
“The fact that there are embedded song lyrics, potentially tells us several things,” they wrote. “One, it helps to confirm that this attack was created in the geographic region assumed. It is unusual for attackers from one country and language, to take lyrics from a popular song in another country and language and embed them in their attacks.”
As I noted earlier this week, Oracle has moved Java to a patch cycle of every four months, and its next security update is not scheduled until October. On Tuesday, I contacted Oracle to find out if they intended to address this problem separately before then, but I have not yet received a response. Nor could I find any mention of this problem on any of the various Java blogs that Oracle inherited when it took control of Java from Sun a few years ago. In fact, most of those Java blogs seem to have gone missing.
In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.
Windows users can find out if they have Java installed and which version by visiting java.com and clicking the “Do I have Java? link. Mac users can use the Software Update feature to check for any available Java updates.
If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
For browser-specific instructions on disabling Java, click here. If you want to test whether you’ve successfully disabled Java, check out Rapid7’s page, isjavaexploitable.com.