
First Java Zero-Day Attack in Two Years Targets NATO and US Defense Organizations - wglb
http://blog.trendmicro.com/pawn-storm-first-java-zero-day-attack-in-two-years-targets-nato-us-defense-organizations/
======
StevePerkins
I wish to God that Oracle would simply deprecate and discontinue browser-side
Java applet support.

Whenever people see a headline like "Java Vulnerability Found!", it is
virtually always referring to the client-side applet plugin. Yet 99% of
readers don't understand that, and think that Java is insecure in general.

Whenever people see snark about Java installing the "Ask.com Toolbar", it is
referring to the client-side JRE installer (i.e. applet plugin). That's
virtually irrelevant to developers, because we install the full SDK which
contains no crapware and never has. Yet 99% of readers don't understand that,
and think that being a Java developer means dodging malware with every
upgrade.

Java applets are basically the non-Microsoft business world's answer to
ActiveX. A dead 1990's technology that no one has cared about in 15 years or
more, which only still exists to support backwards-compatibility for some
horrible crusty shops still running on XP or even NT/2000. No contemporary
Java developer gives a _fuck_ about applets, and by "contemporary" I mean
"any greenfield development done since 9/11". However, we're all sick to death
of having to defend our ecosystem against constant FUD, due to this horrible
piece of obsolete legacy cruft.

Just kill it. Seriously.

~~~
1ris
I need java support in the Browser. Have you ever tried to use it? You have to
do no less than 10 clicks with lots of warnings and restart the browser in
order to activate it, and that's only for one site. And you have to repeat
that for every website that uses java-applets.

It's way easier to download a binary and execute that.

It's dead for the end-user for every meaningful definition of "dead".

Also ActiveX was the MS answer to Java, not the other way round.

~~~
philbarr
> It's dead for the end-user for every meaningful definition of "dead".

Unfortunately not, there are MANY institutions that still rely on Java
Applets.

~~~
jessaustin
That's why this might be a noble thing for Oracle to do. Institutions around
the world are harming their users using this tool, and it's possible Oracle
could encourage them to stop doing that. (Although frankly just mentioning the
possibility that an action might be the right thing to do, seems to make it
less likely that Oracle would do it.)

~~~
iso8859-1
Practically nobody is exploitable! Only signed Java applets on a whitelist can
be run:
[https://www.java.com/en/download/help/jcp_security.xml](https://www.java.com/en/download/help/jcp_security.xml)

You must be either exaggerating or not up to date (not aware that not every
applet is automatically run). I don't think anybody is getting harmed. What do
you think a realistic attack scenario using Java applets looks like? You'll
have to break RSA, or how are you going to fool the browser plugin to run your
exploit?

~~~
jessaustin
GGP comment observed that many people can't avoid using Java applets. Others
have observed that the Java people have to use for applets is often quite old,
so it is perhaps as old as the Java I used the last time I _had_ to use Java
applets. I'm sure that very few of us are "up to date"; that's kind of the
point. Perhaps there are strange applet fetishists who keep their Java package
installs at the bleeding edge of postmodern Java applet specialness. Even so,
forcing normal people to use Java applets _is_ harming your users, because
normal people _turn it off_.

------
jph
Reporting says this is for Java in the browser, on Windows, and the target
must visit a malicious URL.

"[Emails] contained links to malicious domains hosting the Java exploit
(JAVA_DLOADR.EFD). The exploit is designed to deliver a Trojan dropper
(TROJ_DROPPR.CXC) that drops a payload detected as SPY_FAKEMS.C to the “login
user” folder."

"The security firm noted that the vulnerability affects the latest version of
Java, 1.8.0.45, but older versions such as 1.6 and 1.7 are not impacted."

"Disabling Java in your preferred browser is for now a better option. Use a
secondary browser with Java enabled to view sites you absolutely must visit
and which require it."

"The attack leverages a three-year-old vulnerability in Microsoft Windows
Common Controls CVE-2012-015."

[https://www.securityweek.com/java-zero-day-used-attacks-nato...](https://www.securityweek.com/java-zero-day-used-attacks-nato-member-us-defense-organization)

~~~
chinathrow
"Use a secondary browser within a throwaway VM with Java enabled to view
sites. Also, do complain loudly to the org running that website."

Fixed that for them.

~~~
mwill
> complain loudly to the org running that website

I lodge my sales tax via a java applet; recently, I straight up could not get
the applet to run on any of my machines after they went down for an update.

I called them up, and their answer was basically: "We can send you a paper
form to submit but it will take x days to do that, you will be charged late
fees and interest for not lodging on time"

~~~
Aldo_MX
One complaint will accomplish nothing, hundreds (or thousands) of complaints
will do.

------
dboreham
This story is odd. Perhaps it is pure click-bait? Why would an attack that
depends on a vulnerability Microsoft fixed three years ago be successful or
even attempted today?? And...if someone were running a machine without this MS
patch, and presumably also without a browser that makes you perform handstands
while singing "There's no business like show business" before it will run
Java, then wouldn't they also be vulnerable to hundreds of other issues fixed
in the past few years??

~~~
crisnoble
> then wouldn't they also be vulnerable to hundreds of other issues fixed in
> the past few years?

That is a scary thought. I guess this is what happens when you cling to using
XP and IE8 after Microsoft has ended support.

------
JustSomeNobody
So, this is the Java plugin for browsers, right?

Why is there never a clear distinction?

~~~
smackfu
What would a security exploit in Java outside the browser look like?

~~~
dikaiosune
Buffer overflow to a network socket opened by the JVM? Or a similar attack
executed against the standard library's file IO?

~~~
thefreeman
To achieve what? If you are executing Java locally it already has full disk
and network access?

~~~
nkassis
I think he's implying something that would be remotely exploitable on a server
running the JVM for a service with an open socket. Which is very common. Also
the File API could potentially be exploitable (if a vulnerability exists)
remotely, if for example it was used for file uploads or something. Seems
non-trivial but I can see how it could happen.

~~~
smackfu
True, if there was a vulnerability where reading a byte stream could trigger a
JVM exploit, that is exploitable. But that would be a really weird bug, since
the JVM isn't going to be the one parsing a byte stream.

~~~
nkassis
There is also the standard library, it does a lot of stuff that could hide a
vulnerability.

------
gesman
> > The attack leverages a three-year-old vulnerability in Microsoft Windows
> > Common Controls CVE-2012-015

MSFT provided a patch a long time ago for this. Wouldn't it imply that applying
MSFT's patch is enough?

~~~
sigzero
Oh no, we must disable Java.

------
terminado
There's a typo in the CVE number. It's: CVE-2012-0158

[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0...](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158)

...and how is this not a Windows vulnerability, and instead Java?

~~~
Someone1234
My guess would be that Java continues to run an unpatched copy of
MSCOMCTL.OCX. If you look at the CVE-2012-0158 patches[0] you'll notice that
Microsoft had to patch a lot of software individually, I guess Java just was
never fixed.

So it is a Java issue only in the sense that Oracle needs to update it.
Obviously the original "bad code" was from Microsoft.

[0] [https://technet.microsoft.com/en-us/library/security/ms12-02...](https://technet.microsoft.com/en-us/library/security/ms12-027.aspx)

[1] [https://community.emc.com/community/connect/rsaxchange/netwi...](https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/02/12/triaging-malicious-microsoft-office-documents-cve-2012-0158)

~~~
ackalker
Isn't the "Malicious Software Removal Tool" from Microsoft supposed to scan
for such things? Obviously it isn't a full-fledged virus scanner, but I would
expect scanning the system for outdated DLLs and such to be well within its
reach.

~~~
Someone1234
As far as I know the MSRT is just a virus and/or malware scanner. At the
moment, looking for old binaries is beyond its scope. But that could change.

The closest thing to that is this, Secunia PSI:

[https://secunia.com/vulnerability_scanning/personal/](https://secunia.com/vulnerability_scanning/personal/)
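
The thread above raises the question of finding stale, separately-bundled copies of a patched component such as MSCOMCTL.OCX. The following PowerShell inventory script is an added example (not from any commenter, Microsoft or Oracle); it assumes the file name and search roots given in its parameters, and the minimum patched file version is a placeholder to be taken from the vendor bulletin.

```powershell
# Added example: list every copy of a DLL/OCX under the given roots with its file
# version and flag copies older than a minimum version. Useful because vendors
# who bundle Microsoft components must ship their own copy of the fix.
param(
    [string]$FileName = 'MSCOMCTL.OCX',
    # PLACEHOLDER: replace with the patched file version from the MS12-027 bulletin
    [version]$MinimumVersion = '0.0.0.0',
    [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
)

$findings = foreach ($root in $Roots) {
    # Skip empty or missing roots (e.g. no 32-bit Program Files on 32-bit Windows)
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Build a comparable System.Version from the PE version resource
            $vi = $_.VersionInfo
            $fileVersion = New-Object System.Version(
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $fileVersion
                Outdated    = ($fileVersion -lt $MinimumVersion)
            }
        }
}

# Outdated copies first, so bundled copies that were never updated stand out
$findings | Sort-Object -Property Outdated, Path -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that copies under system and per-application directories are all readable.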

------
bmir-alum-007
JVM & CLR runtimes probably account for 75% of all enterprise backend apps
running on server gear in production right now. Both have been beaten on for
so long that they're both fairly reliable, which is not to say either bug free
(reliable or secure), resource efficient or maximally productive, just more
usable in production on average.

On the client side (browser-land), JavaScript (and HTML & CSS) is ubiquitous.
The issue of course is that every browser is "especially" different. So it
makes no sense to deploy browser extensions unless things need to talk to
other local apps. It makes more sense to develop hybrid native apps which are
mostly html5 using something like QtWebKit and add your own per-platform goop
rather than try to use something like node-webkit, phonegap (cordova) or
appcelerator, because, inevitably, system-specific code will be needed, and
not having direct access to APIs because of limited proxy/thunk/trampoline
code doesn't make for happy developers. Java tried to do the hybrid way using
JNI, which could load dll's, dylib's and so's dynamically (I wrote a custom,
cross-platform (Linux, Windows), CD-ROM-based app installer using Java + JNI
in 1995 by the way, it was trivial. And then I wrote a Java source to MIPS
binary, direct, non-JIT compiler in C++ in 1999.).

~~~
iso8859-1
Is your installer open-source? I'd like to read it.

~~~
bmir-alum-007
It was written clean-room in some client's office (no NDA, but still,
engineering ethics), but I may have a copy somewhere on a backup in offline
IRL storage, but it was written for JDK 1.2-1.4 IIRC so it won't run and it's
chock-full of confidential / proprietary apps (which it installs). It called
a few C Win32 APIs to create icons and write registry entries, on Linux I
think it just wrote files and maybe ran `ldconfig`. It was super dumb, fugly
but it shipped and worked consistently. There was even Swing (pre-AWT)
skinnable branding background images. It was probably 450 lines of Java and 80
lines of C. Autoplay even worked decently on Windows and it came up in under 8
seconds because I optimized the ISO image for file load order to minimize
seeks, and that's booting an entire 1.4 JRE from a 4x CD-ROM drive to a
usable, interactive state.

~~~
iso8859-1
Thanks for the interesting reply. How did you optimize for file load order?
Using [http://www.fifi.org/doc/mkisofs/README.sort](http://www.fifi.org/doc/mkisofs/README.sort)?

------
skruvmejsel
Someone should update this page:

[http://java-0day.com/](http://java-0day.com/)

~~~
poooogles
I literally just went there to check if it'd updated!

------
gioele
> "Disabling Java in your preferred browser is for now is a better option. Use
> a secondary browser with Java enabled to view sites you absolutely must
> visit and which require it."

Do news sites say things like "Not using Safari is for now a better option"
whenever somebody reports an exploitable security flaw in Safari or WebKit?

~~~
smt88
Neither statement is unreasonable.

In this case, it's an easier statement to make, though, because Java is
totally unnecessary for the vast majority of users. I've had it disabled for
many years.

------
based2
[http://www.reddit.com/r/netsec/comments/3d4cd4/ssd_advisory_...](http://www.reddit.com/r/netsec/comments/3d4cd4/ssd_advisory_trend_micro_threat_intelligence/)

[http://www.oracle.com/technetwork/topics/security/cpujul2015...](http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html)

[http://www.oracle.com/technetwork/topics/security/alerts-086...](http://www.oracle.com/technetwork/topics/security/alerts-086861.html)

[https://news.ycombinator.com/item?id=9877218](https://news.ycombinator.com/item?id=9877218)

[https://news.ycombinator.com/item?id=9877941](https://news.ycombinator.com/item?id=9877941)

------
jebblue
Outside of security, an HTML5/CSS3/JavaScript site still can't do what a Java
Applet could do 2 decades ago.

------
bitwize
Thanks, Hacking Team!

