JAVA CVE-2012-4681 Vulnerability – Let’s become more responsible!


Update: 30/08/2012 20:10

Oracle just released an update to its Java standard engine (versions 6 and 7). It is highly recommended to upgrade your computer with this release if you have Java installed.

An update to information about this vulnerability has been published by Oracle. An analysis of the updates made is published here.

Where it all begins

You certainly have read on various specialised IT news platforms about this security event. Here, here or there.

It is a vulnerability (actually a combination of two vulnerabilities) currently qualified as a 0-day because it was previously unrevealed and is still exploitable: the targeted product has not been corrected. This vulnerability, referenced under the code name “CVE-2012-4681” in the U.S. CVE database maintained by MITRE, concerns the most recent version of the Oracle Corporation Java engine, 1.7. The US CERT also provides a detailed review.

Chronology

We can observe the following chain of events: (Eric Romang also gives his analysis of this timeline)

  • 04/2012 … (more about this date below)
  • 26/08/2012, FireEye publishes on their blog an announcement of this previously unknown vulnerability. It is revealed through their study of what they describe as a targeted attack on one of their clients (other specialists such as Eric Romang or Trend Micro do not completely agree with this qualification of the facts, as the vulnerability may already have been circulating in recent months; on the other hand, Symantec describes a link between those attacks and a group they have named Nitro in the past).
    • FireEye has recently been very popular for announcing by mistake the discovery of a command and control server for the Gauss botnet, on the same IP address as the one for a similar botnet, Flame. Actually, it was the antivirus company Kaspersky Lab that had implemented that server to regain control of these botnets.
  • The announcement is reproduced many times on social networks and IT security blogs, sometimes including proof of concept code. Not being dependent on operating systems, purely coded in Java, this type of attack can be potentially used against all kinds of machines, running Microsoft Windows, Linux or MacOSX, should they host a vulnerable version of Java.
  • 27/08/2012, it seems that developers of various malicious exploit platforms are advertising to their customers that they will quickly make available an update to take advantage of this vulnerability (Brian Krebs writes on Monday about BlackHole, and security researchers quickly locate active malicious servers); according to Kafeine in several blog posts (and here), the exploit kits Sakura and Sweet orange also appear to be running the attack. I talked about exploit kits (articles published in French) in my December 2011 article about the gendarmerie ransomware and my February post about the Citadel botnet.
  • 27/08/2012 continues with Rapid7 announcing the addition of this particular vulnerability to its Metasploit penetration testing and security assessment platform.
  • 28/08/2012, at the end of the day, the team at Kaspersky Lab publishes a small rant. It is unclear whether it is aimed at FireEye (again, IT security businesses at war?) or at those who have very quickly posted “proof of concept” code.
  • 29/08/2012, we learn that Oracle was notified of these vulnerabilities in April (according to ComputerWorld) by the Polish company Security Explorations. It can take a few weeks or months for a company to develop, test and publish a security patch, as a correction sometimes requires extensive testing to ensure that the changes do not create new faults or malfunctions. One question that will arise is what the right number of months between awareness and publication of a patch should be.
  • 30/08/2012, to date, Oracle has yet to publish any warning about this vulnerability and is not publicly commenting on the situation.

Something is wrong within the IT security world

This recent sequence of events demonstrates that something is not being managed properly in terms of vulnerability disclosure and security patch management:

  • one security company publishes short but precise enough information about a vulnerability being exploited live at a scale that still needs to be documented,
  • a few hours later, researchers are eager to publish, almost racing to be the first to publish a working proof of concept code, thanks to the elements released by said company,
  • one software publisher does not communicate to the public on the measures it intends to take immediately or in the near future,
  • a few hours later, the proof of concept codes are introduced in malicious exploit platforms used by criminal groups,
  • very quickly, victims are exploited on a massive scale, especially to disseminate ransomware and other banking malware which are particularly active at the moment.

It is high time that security professionals come to an agreement on proper procedures for the responsible disclosure of vulnerabilities, in a coordinated manner (developers as well as security researchers are concerned). It is likely that more than 100,000 euros have already been diverted from victims around the world through the use of upgraded malicious exploit kits (it is still difficult to evaluate the share of victims who are specifically attacked thanks to this vulnerability, but 100 K€ is the average income generated in a few days by such botnets and there are dozens of them running in the wild), and the numbers will keep rising as there is no visibility on the availability of a security patch. Moreover, since Monday, thousands of IT systems managers around the world have been scratching their heads on how to secure their networks and exchanging scripts to quickly disable Java 1.7 on their users’ systems.

What can I do now?

On a personal computer, it is likely that you do not need Java very often, even if it is sometimes necessary for certain applications available online. It is therefore reasonable to consider disabling Java on the computer, at least if you are using version 1.7.

Many sites explain the procedure, such as this one. You can prevent this type of attack and many more by installing security extensions such as NoScript (http://noscript.net/ on Firefox; Notscripts or Scriptno for Chrome), which give you strict control over which sites are allowed to run scripts on your computer, as well as to launch Java modules from a web page.

In corporate environments, many may still be using the previous version of the Java engine, which certainly has other vulnerabilities but can be mandated by applications used internally. If Java is not required in your business, it now seems urgent to disable it to avoid incidents. If Java 1.7 is required in your environment, there are unofficial patches that may help you.
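As an added example (not code from the original post), here is a small Python inventory helper that parses the output of `java -version` collected from each machine and maps it to the advice above: disable Java 1.7 or apply Oracle's update. The sample outputs are constructed, and the fixed update level is an assumption the operator must set from Oracle's advisory, since this post does not name it.

```python
import re
from typing import NamedTuple, Optional

# Matches the first line of `java -version` output, e.g. java version "1.7.0_06"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

class JavaVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    update: int

def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Extract the JRE version from `java -version` output (it is printed on stderr)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return JavaVersion(int(major), int(minor), int(patch), int(update or 0))

def assess(output: str, fixed_update: Optional[int] = None) -> str:
    """Map a version string to the post's advice: disable or update Java 1.7.
    fixed_update is the first 1.7 update level carrying Oracle's fix; the post
    does not name it, so it is an operator-supplied assumption. With None,
    every 1.7 installation is reported as vulnerable."""
    v = parse_java_version(output)
    if v is None:
        return "unknown: no Java version string found (Java may not be installed)"
    if (v.major, v.minor) == (1, 7):
        if fixed_update is not None and v.update >= fixed_update:
            return f"ok: 1.7.0_{v.update} is at or above fixed update {fixed_update}"
        return f"vulnerable: Java 1.7.0_{v.update} present, disable it or apply Oracle's update"
    return f"review: Java {v.major}.{v.minor}.0_{v.update} is not 1.7 but may have other flaws"

# Constructed sample outputs for three hosts (not captured from real machines).
SAMPLES = {
    "workstation-a": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "workstation-b": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
    "workstation-c": "bash: java: command not found\n",
}

def inventory(samples=SAMPLES, fixed_update: Optional[int] = None) -> dict:
    """Verdict per host; feed it the stderr of `java -version` collected from each machine."""
    return {host: assess(out, fixed_update) for host, out in samples.items()}

if __name__ == "__main__":
    for host, verdict in inventory().items():
        print(f"{host}: {verdict}")
```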

And as a final notice, keep informing yourself and sharing that information!


About Éric Freyssinet
Gendarmerie officer (colonel with the Gendarmerie nationale in France). PhD in computer science. Working since 1998 in the fight against cybercrime, currently advisor to the Prefect in charge of the fight against cyber threats at the Ministry of the Interior. Views published on this blog are personal.
