Just a day after Oracle pushed a patch for the Java vulnerability, a new Java exploit was put up for sale in an underground forum at a price of $5,000. The price fetches not only the "weaponized" version of the executable but also its source code, so that it can be reused in other types of attacks. Experts say that Oracle did not patch the whole vulnerability and released the patch in a rush.
Krebs said the latest attack exploited “a different and apparently still-unpatched zero-day vulnerability in Java.” His article came around the same time researchers from antivirus provider Trend Micro warned that the Oracle patch may not be effective at blocking some attacks.
“Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete,” Trend Vulnerability Research Manager Pawan Kinger wrote in a blog post. Kinger went on to explain that the vulnerability stemmed from flaws in two parts of the Java code base: one involving the findclass method and the other involving the invokeWithArguments() method. While Sunday’s patch fixed the latter issue, the findclass method can still be used to get references to restricted classes, leaving a hole that attackers can exploit.
The post from the underground forum by the seller of the vulnerability:
“New Java 0day, selling to 2 people, 5k$ per person
And you thought Java had epically failed when the last 0day came out. I lol'd. The best part is even though java has failed once again and let users get compromised… guess what? I think you know what I'm going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.
Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will be accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have it recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy). Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me."
For more details click the source link.
Source: Krebs on Security
A new 0-day vulnerability has been found in the wild and is currently being exploited. At present the only way to protect yourself from it is to disable the Java plugin in your browser.
The US Computer Emergency Readiness Team (US-CERT), which is under the National Cyber Security Division of the Department of Homeland Security, said the following.
Overview – Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description – Java 7 Update 10 and earlier contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
Impact – By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
The full report can be found here.
It seems the first to find the vulnerability was a French researcher named Kafeine. For more details about the vulnerability hit the source link.
Source: Malware don't need Coffee.
The security flaw in Java that was included in the Blackhole exploit kit got patched today by Oracle. Oracle released this patch today, although it was originally to be pushed in October.
Install the Patch for CVE-2012-4681
It is advisable to install the patch for Java on your computer. To know more about CVE-2012-4681 and its patch, please visit the following official link from Oracle.
Recently there has been a lot of malware designed with the help of Java, so that the malicious code runs anywhere, be it Windows, Linux or Mac. But a flaw in Java itself, which was reported to Oracle in April, has still not been patched. And thus the exploit has become public and is now included in the Blackhole exploit kit to spread malware to Windows machines.
Brian Krebs was first to find out that CVE-2012-4681 was being added to the Blackhole exploit kit; security company SophosLabs also confirmed it. As of now it is only known to be spreading malware on Windows computers; whether Mac or Linux are affected is not confirmed yet. The affected version is Java 7. As the Mac's Java version is updated by Apple, that version is not yet known to be affected. But as Java 7 has been made available for Mac OS X by Oracle, users who have updated to the new version are at risk.
It is wise to keep Java disabled for the time being, until patches have been applied.
Go to http://isjavaexploitable.com/ to check if your Java is vulnerable to the exploit.
Generally it is considered that only Windows computers can get infected with backdoor trojans, but the scenario has changed over time. Recently a large number of Macs (600,000 plus, including 247 from Cupertino, Apple's HQ) were found infected with the backdoor trojan Flashback (Trojan-Downloader.OSX.Flashfake.ab). It is to be noted that the trojan works on a vulnerability in Java (Java 6 Update 31) and not in the core Mac OS. However, the fault I see on Apple's side is that they did not patch CVE-2012-0507 even after 6 weeks.
If you are reading this on your shiny new MacBook Pro or a Mac, you should by now be thinking about how to remove it. Here is a guideline on finding out whether you are infected with the Flashback trojan.
Manually removing Flashback Trojan.
Manual Removal Instructions
1. Run the following command in Terminal:
   defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:
   "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
4. Otherwise, run the following command in Terminal:
   grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after "__ldpath__"
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
   sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
   sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:
   defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
   "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
10. Otherwise, run the following command in Terminal:
   grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after "__ldpath__"
12. Run the following commands in Terminal:
   defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
   launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
Please note that I can't assure you that following these steps will remove ALL traces of the Flashback trojan; it is highly recommended that you install an antivirus for Mac and run a thorough scan after updating it.
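The manual steps above boil down to two questions: is DYLD_INSERT_LIBRARIES set in Safari's Info.plist or in the per-user environment.plist, and does the library it points to carry the "__ldpath__" marker? The script below is an added example, not part of the original post, that asks both questions read-only and deletes nothing; it assumes defaults(1) is only present on macOS and skips the live check elsewhere.

```shell
#!/bin/sh
# Added example, not part of the original post: a read-only check that mirrors
# the manual Flashback steps above. It reports and deletes nothing.
# Assumption: defaults(1) exists only on macOS; elsewhere the live check is skipped.

# Steps 3 and 9: `defaults read` prints a "does not exist" error when the key
# is absent. Turn that output into a verdict: "clean" or the raw value found.
classify_defaults_output() {
    case "$1" in
        "" | *"does not exist"*) echo clean ;;
        *)                       echo "$1" ;;
    esac
}

# Steps 4 and 10: the loader embeds "__ldpath__<path>" in the injected library.
# Print the first such path in the given file, or nothing if the marker is absent.
extract_ldpath() {
    grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | head -n 1 | sed 's/^__ldpath__//'
}

# Steps 1 and 8 without the deletions: query both injection points and report
# the injected library together with its __ldpath__ payload. Returns 1 if found.
check_flashback() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found: not macOS, live check skipped"
        return 0
    fi
    found=0
    for spec in "/Applications/Safari.app/Contents/Info LSEnvironment" \
                "$HOME/.MacOSX/environment DYLD_INSERT_LIBRARIES"; do
        domain=${spec% *}
        key=${spec##* }
        out=$(defaults read "$domain" "$key" 2>&1 || true)
        verdict=$(classify_defaults_output "$out")
        if [ "$verdict" = clean ]; then
            echo "$domain $key: clean"
            continue
        fi
        found=1
        echo "$domain $key: $verdict"
        # Pull quoted paths out of the value and look for the marker in each.
        for lib in $(printf '%s\n' "$verdict" | grep -o '/[^";]*'); do
            [ -f "$lib" ] && echo "  $lib -> __ldpath__ $(extract_ldpath "$lib")"
        done
    done
    return $found
}

check_flashback
```

A non-zero exit means one of the two injection points is populated; the printed paths are the files steps 7 and 13 tell you to remove.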
Steps to help protect your Mac from future attacks.
1. Create a non-admin account on your Mac and use it for daily purposes like checking email and surfing the internet (the account that is created by default, and that you normally use, has admin rights).
2. Download and use a secure browser. I recommend Google Chrome, as it has sandboxing and also comes with a sandboxed Flash player of its own.
3. After you have downloaded and installed the new browser, don't forget to make it your default browser.
4. Uninstall or update the default Flash player (Apple does not update the Flash player regularly). Note: as you now have Google Chrome as your default browser, you no longer need the default Flash player, since Chrome comes with an updated Flash player.
5. Uninstall or disable Java. Apple does not update Java regularly; it generally does so months after a release, and it is not possible to update it manually on a Mac. So if you don't want to uninstall it because you use some Java web applets, it is recommended that you at least disable it in the Safari browser.
6. Update your Mac software on a regular basis; it won't cost you a dime but will protect you from known vulnerabilities.
7. Install a good antivirus for Mac, and update and run it from time to time.
8. Install Little Snitch, a firewall program that shows you which application is trying to use the network and lets you allow or block that application's connections.
Apple has yet to come up with a tool to remove the Flashback Trojan, but the folks at Kaspersky have come up with a tool which can be downloaded from here.