Threats spreading silently despite Java updates…

I don’t often publish on the English version of my blog (my blog in French is available here). Once again, this post is about Java and the spreading of threats. Last August, I detailed the way I felt about how information on vulnerabilities is distributed by the security community, how updates are made by vendors, and how all this contributes or not to better security for end users.

Once again, bad timing and a lack of coordination and communication are leading to increased distribution of malware.

Monitoring the activity of exploit kits with the research community at botnets.fr, we also follow which exploits those platforms use. Two of them are quite active at the moment:

Exploit platforms use these exploits, among others, choosing them according to the victim machine’s actual configuration (browser, plugins and their versions).

What we are seeing right now is that some exploit platforms manage to infect up to 20% of targeted machines, double their usual success rate!

Why is it so effective?

Recently, Java introduced a security feature that prompts the user before running code from an unknown publisher (unsigned code). This has helped a lot in preventing the execution of unwanted code on targeted machines. For instance, you get the following message when checking your version of Java on the official website (here in French; in English it says “Do you want to run this application?”):

[Screenshot: Java security warning dialog shown before running an application from an unknown publisher]

In this case, you can safely click “Run”. This has been a great improvement and has had a real impact on malware spreading… But that was without counting on the discovery of other vulnerabilities.

Recently discovered vulnerabilities in Java make it possible to circumvent this warning and execute arbitrary code without the user ever seeing a prompt. The dialog therefore only protects machines whose Java runtime is recent enough to have no known bypass, and today’s success rates of exploit platforms are directly related to the absence of proper Java updates on victims’ machines.

I am not going to blame any particular individuals in this article, but once again, there is something wrong with the timing:

  • April 16, 2013: Oracle publishes a critical update, 7u21, for the Java 7 branch, correcting a large number of vulnerabilities.
  • April 17, 2013: blogs start publishing proof-of-concept code exploiting some of the vulnerabilities fixed by that update. Metasploit includes some of them in its framework on April 20.
  • Of course, exploit-kit developers read those same blogs and swiftly included those exploits. For instance, F-Secure noted their use in the wild as early as April 21!
  • A seemingly undocumented vulnerability, used in combination with CVE-2013-2423 (I am deliberately not linking to the posts that detail it), bypasses the security warning and is now in the wild, used in a number of exploit kits. This second vulnerability is also corrected in the recent Java updates. A similar situation was described in January (see the US-CERT advisory).

What should people do?

As Timo Hirvonen of F-Secure says:

[Screenshot: tweet by Timo Hirvonen (F-Secure)]

If Java is installed and necessary on your computer, please check that you have the latest version and, if not, update! Normally, Java offers an automatic update process for your system, but the success rates we are seeing for exploit kits show that not everyone has that option properly configured. Note also that several Java runtimes can coexist on one machine (for instance a 32-bit and a 64-bit JRE on Windows), and the one used by your browser is the one that matters.

If you don’t need Java, please disable it in your browser (advice in this Infoworld article).
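As an added example (not code from the original post), here is a small POSIX shell script that covers both pieces of advice above: it parses the first line of `java -version` output and reports whether the installed release is at or above the 7u21 level named in the timeline, and it reads the contents of a Java deployment.properties file to tell whether Java content in the browser has been disabled (the `deployment.webjava.enabled` key, which the Java Control Panel writes when “Enable Java content in the browser” is unticked). The sample version strings and the properties file below are constructed; the minimum release is a parameter, and the 1.<family>.0_<update> version scheme of Java 6/7/8 is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: check a reported Java
# release against a minimum patched level, and check whether Java content in
# the browser has been disabled through deployment.properties.
# Assumes the 1.<family>.0_<update> version scheme used by Java 6/7/8.

# parse_java_version "<first line of java -version>"  ->  prints "<family> <update>"
# e.g. 'java version "1.7.0_21"' -> "7 21". Returns 1 if no version is found.
parse_java_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    fam=$(printf '%s' "$v" | cut -d. -f2)                       # 1.7.0_21 -> 7
    upd=$(printf '%s' "$v" | sed -n 's/.*_\([0-9]*\).*/\1/p')   # 1.7.0_21 -> 21
    [ -n "$upd" ] || upd=0                                      # "1.7.0" has no update
    printf '%s %s\n' "$fam" "$upd"
}

# java_is_patched "<java -version output>" [MIN_FAMILY] [MIN_UPDATE]
# Returns 0 when the reported release is at or above the minimum (default
# 7u21, the release named in the timeline), 1 when it is older, and 2 when
# the version string cannot be parsed.
java_is_patched() {
    min_family=${2:-7}
    min_update=${3:-21}
    parsed=$(parse_java_version "$1") || return 2
    family=${parsed%% *}
    update=${parsed##* }
    if [ "$family" -gt "$min_family" ]; then return 0; fi
    if [ "$family" -eq "$min_family" ] && [ "$update" -ge "$min_update" ]; then return 0; fi
    return 1
}

# webjava_enabled "<contents of deployment.properties>"
# Returns 0 if Java content in the browser is enabled (the default when the
# key is absent), 1 if the file sets deployment.webjava.enabled=false.
# The last occurrence of the key wins, and surrounding whitespace is ignored.
webjava_enabled() {
    value=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*deployment\.webjava\.enabled[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' \
        | tail -n 1 | tr -d '[:space:]')
    [ "$value" != "false" ]
}

# Constructed sample inputs (not real captures): the first line of
# `java -version` for a patched and for an unpatched JRE, and a
# deployment.properties file with Java content in the browser disabled.
PATCHED='java version "1.7.0_21"'
OLD='java version "1.7.0_17"'
PROPS='#deployment.properties
deployment.webjava.enabled=false'

for sample in "$PATCHED" "$OLD"; do
    if java_is_patched "$sample"; then
        echo "OK: $sample is at or above 7u21"
    else
        echo "UPDATE NEEDED: $sample is older than 7u21"
    fi
done

if webjava_enabled "$PROPS"; then
    echo "Java content in the browser is enabled"
else
    echo "Java content in the browser is disabled (deployment.webjava.enabled=false)"
fi
```

On a real machine, call `java_is_patched "$(java -version 2>&1)"` (the version banner goes to stderr) and pass `webjava_enabled` the contents of the per-user file, typically `~/.java/deployment/deployment.properties` on Linux and `LocalLow\Sun\Java\Deployment\deployment.properties` under the user profile on Windows. Keep in mind that the `java` on PATH is not necessarily the runtime the browser plugin loads, so check the JRE the browser actually uses.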

What could the security community do?

We cannot keep seeing such timelines of events without reacting. Some questions and proposals:

  • Is full disclosure of proof-of-concept code the right way to improve security?
  • Is the timing of disclosure of vulnerabilities and proofs of concept right? Shouldn’t it be properly coordinated with information to the public?
  • Shouldn’t the community in general (including vendors) properly inform end users that they need to update their software and operating systems? Shouldn’t the mass media be involved in spreading such information, considering today’s importance of computers and electronic devices in general?
  • Is there no way for end users to find, in one single location, the configuration of their security updates? Checking for Java updates and their configuration is one example of the difficulties users face.
  • And more specifically, why is it not always possible to find information adapted to people’s technical level?

About Éric Freyssinet
Law enforcement officer (colonel with the Gendarmerie nationale in France). PhD in computer science. Working since 1998 in the fight against cybercrime, currently adviser to the Prefect in charge of the fight against cyber threats at the Ministry of the Interior. Views published on this blog are personal.

3 Responses to Threats spreading silently despite Java updates…

  1. Pingback: Threats spread silently despite (Java) updates | Criminalités numériques

  2. Wunderbarb says:

    The paper by Bilge and Dumitraș [1] provides an excellent analysis of the different timings of exploits related to zero-days. The average time an exploit remains active (and successful) after its patch has been published is impressive.

    [1] L. Bilge and T. Dumitraș, “Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World,” Proceedings of the ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, USA, 2012.
