Serious Java Bug Exposes Users To Code Execution


Once again a different attack vector, seems to the creative season for discovering bugs. I guess it’s partially due to the fact this time of year tends to be pretty quiet business wise so researchers have plenty of downtime to look at nifty ways to break things.

This might be a tough one to solve as it’s not a typical buffer overflow or programming bug per-se but more of a flaw in the way the Java Virtual Machine functions. Sun don’t consider this vulnerability to be critical, which could be a mistake on their part as that means it won’t be patched until the next patch in the cycle is released – which should be around July.

A Google researcher has published details of a Java virtual machine bug that could be used to run unauthorized programs on a computer.

The attack was disclosed Friday by Google’s Tavis Ormandy, who said he had notified Oracle’s Sun team about the flaw earlier. “They informed me that they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle,” Ormandy wrote. “I did not agree.” Oracle declined to comment on the issue. The company just released a major Java update last week and its next set of patches is due in July.

The attack could give hackers a way to run unauthorized Java programs on a victim’s machine. They can do this because Java allows developers to tell the Java virtual machine to install alternate Java libraries. By creating a malicious library and then telling the JVM to install it, an attacker could run his malicious program.

The attack was actually disclosed by a Google employee, in some articles it stated he did not wish for his company name to be disclosed but it was anyway in this article at least.

It works in a fairly roundabout way by leveraging on the fact Java allows developers to run libraries using the JVM, by installing an alternate malicious library an attacker could compromise the machine.

Oracle is making a mistake, not patching the bug immediately, said Marc Maiffret, chief security architect with FireEye, via instant message.

The bug is particularly nasty because it’s due to a design flaw in Java, rather than the type of programming error that would lead to a more common buffer-overflow attack. “It is a neat bug,” he said.

However, Java-based attacks are still rare, and rather than developing a brand-new type of attack, criminals are more likely to spend their time using known vectors such as the browser or Adobe Reader, said Russ Cooper, a senior information security analyst with Verizon Business.

“Java has not been exploited to any extent that should worry the average consumer, heck, or business for that matter,” he said via instant message.

Risk wise however, I’d have to agree it’s not particularly high as historically Java attacks aren’t really common and attackers will play the numbers game attacking whatever will yield the most infections.

The flaw affects all versions since Java SE 6 update 10 for Microsoft Windows and could possibly effect Linux users – but that hasn’t been verified yet.

More via The Reg here – Critical Java Vulnerability

Source: Network World

Posted in: Exploits/Vulnerabilities, Secure Coding, Web Hacking

, , , , ,


Latest Posts:


APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.


One Response to Serious Java Bug Exposes Users To Code Execution

  1. Agamemnon April 12, 2010 at 7:54 pm #

    I tested out this POC today throughout my environment and it defintely works I can remotely have user click a link and it runs Java which could imbed any code I wanted. It doesn’t work in updates 6 and 7 for sure but updates 10-19 I’m pretty sure are all gonna suffice for this to work. Also, there are currently no signature files in Finjan for this, blink works on full on block mode and Cisco’s CSA product will let this sucker right on through..