Further to Pierre-Marc's blog yesterday about in-the-wild exploitation of the Java Development Kit vulnerability publicised by Tavis Ormandy, David Kennedy has brought to our attention a comprehensive article on the same topic published yesterday by FireEye's Atif Mushtaq. You may remember that Atif exchanged thoughts and info with us a while ago in relation to
Further to Pierre-Marc's blog yesterday about in-the-wild exploitation of the Java Development Kit vulnerability publicised by Tavis Ormandy, David Kennedy has brought to our attention a comprehensive article on the same topic published yesterday by FireEye's Atif Mushtaq. You may remember that Atif exchanged thoughts and info with us a while ago in relation to the Hexzone brouhaha about a year ago. HIs article on on the JDK issue is mandatory reading if you want to understand this issue, so I won't attempt to summarize it. However, I will quote part of his conclusion.
It's pretty obvious that the simplicity and reliability of this exploit will make it a lethal weapon for the bad guys in coming days. Plus, the unavailability of any working patch is making the overall picture scarier. I am pretty sure that in the coming days, this exploit will become part of underground exploit kits. This means that even a kiddie with basic computer skills and bad intentions can start making money out of this.
He's right. While most attacks we've seen to date have had an amateur, script kiddy whiff about them, there's no reason they can't be incorporated into a more sophisticated attack. And while the release of JRE 6 Update 20 was initially heralded as a fix, there is some doubt as to whether it's a complete fix. Tavis's advisory at http://seclists.org/fulldisclosure/2010/Apr/119 includes some mitigations, and you might want to check those out. Particularly good advice:
As always, if you do not require this feature, consider permanently disabling it in order to reduce attack surface.
A good general rule!
Other relevant links:
- Sun/Oracle take: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1
- Brian Krebs: Java patch targets latest attacks, removes feature that hackers were abusing. http://bit.ly/aDl92X
- http://www.heise.de/newsticker/meldung/Java-Luecke-Spiel-mir-das-Lied-vom-Trojaner-Update-978119.html (in German, but casts some doubt on the effectiveness of the patch)
Tips of the hat to Dave Kennedy and Ken Bechtel f or their input.
David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Also blogging at: