
New Zero Day Java Vulnerability Being Exploited in the Wild - derpenxyne
http://thenextweb.com/insider/2013/01/10/new-java-vulnerability-is-being-exploited-in-the-wild-disabling-java-is-currently-your-only-option/
======
jsaxton86
This family of JRE attacks is far too common. Basically, when an unsigned
applet runs, the JRE tries really hard to prevent it from creating a
ClassLoader object. However, if you manage to create a ClassLoader object,
it's game over -- you can break out of the sandbox and do whatever you please.

<shameless plug> For those interested, a recent blog post of mine analyzes a
similar attack that uses CVE-2008-5353:
[http://jsaxton.com/fun-with-wireshark-and-ie-java-exploits-p...](http://jsaxton.com/fun-with-wireshark-and-ie-java-exploits-part-2/)
</shameless plug>

------
jmitcheson
If anyone's interested in how the exploit works, here is my humble
interpretation of the pastebin link:

jsaxton86's comment sets the scene nicely so I'll just copy it here:

"This family of JRE attacks is far too common. Basically, when an unsigned
applet runs, the JRE tries really hard to prevent it from creating a
ClassLoader object. However, if you manage to create a ClassLoader object,
it's game over -- you can break out of the sandbox and do whatever you
please."

The exploit is very clever: it never actually creates an instance of the
ClassLoader object, but rather it uses Java reflection to call a particular
method on a ClassLoader object, which was tricked into creation inside a
separate exploit involving the JMX (Java Management Extensions) framework.

JMX has its own methods to instantiate classes, and a subclass of ClassLoader
("sun.org.mozilla.javascript.internal.GeneratedClassLoader") is passed in as a
String; then the method defineClass is called via reflection in a way that
deceives all the ClassLoader protection. Once this method is allowed to be
invoked via reflection, it's "game over" as explained at the start.

<http://pastebin.com/raw.php?i=cUG2ayjh>
[http://www.oracle.com/technetwork/java/javase/tech/javamanag...](http://www.oracle.com/technetwork/java/javase/tech/javamanagement-140525.html)
[http://www.cs.rit.edu/usr/local/pub/swm/jdoc6/com/sun/jmx/mb...](http://www.cs.rit.edu/usr/local/pub/swm/jdoc6/com/sun/jmx/mbeanserver/MBeanInstantiator.html)
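To make the "tries really hard to prevent it from creating a ClassLoader" point concrete, here is an added demo (not from the thread or the linked pastebin) of the two sandbox gates the JRE's SecurityManager enforces: RuntimePermission("createClassLoader") when a ClassLoader is constructed, and ReflectPermission("suppressAccessChecks") when setAccessible(true) is called on a non-public member. It assumes a JDK that still ships SecurityManager (8 to 17; on 18 to 23 run with -Djava.security.manager=allow); SandboxGatesDemo and TwoGates are names made up for the demo.

```java
import java.lang.reflect.Method;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

// Constructed demo: a SecurityManager that enforces only the two gates
// discussed in this thread. It is not the applet sandbox's real policy.
public class SandboxGatesDemo {
    static final class TwoGates extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Gate 1: ClassLoader's constructor calls checkCreateClassLoader(),
            // which requests RuntimePermission("createClassLoader").
            if (perm instanceof RuntimePermission
                    && "createClassLoader".equals(perm.getName())) {
                throw new SecurityException("denied: createClassLoader");
            }
            // Gate 2: setAccessible(true) on a non-public member requests
            // ReflectPermission("suppressAccessChecks").
            if (perm instanceof ReflectPermission
                    && "suppressAccessChecks".equals(perm.getName())) {
                throw new SecurityException("denied: suppressAccessChecks");
            }
            // Everything else passes here; a real sandbox policy is far stricter.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Non-public member used only to exercise gate 2.
    private static String hidden() { return "secret"; }

    static boolean canCreateClassLoader() {
        try { new ClassLoader() {}; return true; }
        catch (SecurityException e) { return false; }
    }

    static boolean canSuppressAccessChecks() throws NoSuchMethodException {
        Method m = SandboxGatesDemo.class.getDeclaredMethod("hidden");
        try { m.setAccessible(true); return true; }
        catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new TwoGates());
        System.out.println("create ClassLoader: " + (canCreateClassLoader() ? "ALLOWED" : "blocked"));
        System.out.println("suppress access checks: " + (canSuppressAccessChecks() ? "ALLOWED" : "blocked"));
    }
}
```

With the manager installed both probes report "blocked"; the thread's point is that the JMX path handed untrusted code a loader and a reflective call that never passed through these gates.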

------
benmmurphy
Someone has posted the source code here:

<http://pastebin.com/raw.php?i=cUG2ayjh>

This is a result of two vulnerabilities one of which Oracle tried to fix in
the last patch release with CVE-2012-5088.

[http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/...](http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/43113374306c)

<https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5088>

------
mark-r
Is there any reason to keep Java on your browser anymore? I can't remember the
last time I needed it.

~~~
tquai
No, and in fact, Java should be completely uninstalled. 99/100 people never
use it for anything, browser or otherwise. The small percentage that does can
just reinstall it as needed, as Java is a free download.

Uninstall it, completely, and the next time this article is posted (with the
dates changed and little else), you'll be glad it has nothing to do with you.

~~~
Florin_Andrei
Minecraft players are currently staring at you, frowning.

~~~
outworlder
They should just use the standalone version then. I see no reason one would
prefer to play inside a browser.

~~~
RobAtticus
The poster he's replying to said 99% of people don't need Java AT ALL. Not
just the browser.

~~~
Florin_Andrei
Exactly.

------
xSwag
The exploit has already made it to exploit packs:
[http://krebsonsecurity.com/2013/01/zero-day-java-exploit-deb...](http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/)

------
benmmurphy
Metasploit module has been made available:
[https://github.com/rapid7/metasploit-framework/blob/master/m...](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_jre17_jmxbean.rb)

------
anuraj
How many use Java applets still? It is high time browser plugins for Java are
killed. But the article advises to uninstall Java, not understanding Java
browser plugin is different from Java.

------
yxhuvud
Does this apply to server side java as well, or is it only the browser client
crap that no one has used this decennium?

~~~
foohbarbaz
No, it does not. This is non-news. Agreed, nobody uses that anymore, nobody
should.

~~~
freehunter
All the people commenting on this saying Java is never used by anybody and no
one should be having it installed are way off, seriously. There's a reason
Java is #2 on the TIOBE language list. Just because _you_ never _see_ it
doesn't mean it's not being used. You might not know this, but Gmail is Java
powered on the backend. Many banking sites use Java for a backend. In the
corporate world, Java rules and is required to be installed on their machines.

~~~
foohbarbaz
This has nothing to do with Java. It's a browser plugin issue. Disable the
plugin and forget.

~~~
freehunter
You must have missed my last sentence. People work at the companies who are
running Java on the server. People work at the companies who are developing
Java on the desktop. A lot of people. A significant enough number of people
that the language makes #2 on the TIOBE list. Debates about the TIOBE
relevancy aside, it's at least somewhat of an indicator.

People are working for companies that use Java, and these employees cannot
disable Java in their browser because it's required for their job. I happen to
work at one of these shops, and I can confirm to you 12,000 people in the US
from just my company alone who must have Java in their browser and running
constantly. We're not alone in this regard. We're all vulnerable, and the
suggestion to disable the plugin doesn't help much.

------
ccdan
Nonsense... I have never heard of anyone being attacked in any way through
java... it's just "security" firms that come up with all kinds of obscure
things and try to scare people for pretty much nothing...

------
tomjen3
If this is known, why hasn't Sun fixed the issue?

~~~
freehunter
Wondering why Oracle hasn't patched a vulnerability is an exercise in
frustration. You pretty much have to expect that if you're running Java,
you're running an insecure program that will never be secured. Historically, by
the time Oracle has patched the current flaw, there will be a couple more they
haven't patched again.

~~~
yuhong
Would Oracle patching Java monthly instead of quarterly help?

------
rundmc
[http://superuser.com/questions/201613/disable-java-plugin-in...](http://superuser.com/questions/201613/disable-java-plugin-in-google-chrome)

------
martinced
Damn... I thought it was another remote DoS (like the semi-recent hashmap
degenerating that could be triggered by using parameters in URL like aa=xx,
ab=yy, ac=zz, etc. or the 12-year-old floating-point bug that people noticed
could be remotely triggered on any Tomcat server) and that, once again, I'd
have to apply a workaround on my Java servers.

Thankfully this one is only concerning Java applets.

Java applets were probably the stupidest thing ever. They surely did s_ck
and did bring terribly bad reputation to Java :(

Don't know who's still using them.

Can Google Chrome even be made to run Java applets?

I know latest OS X don't even _ship_ with Java anymore...

~~~
Chris_Newton
Java applets are still in wider use than you seem to realise. For example, in
some places, they seem to be the norm for things like on-line banking or
interaction with government web sites. As a second example, they are also used
for UIs on network-accessible devices. As a third, I’ve seen quite a few used
for interactive illustrations on academic/training web sites. People have been
doing these things with Java for at least as long as they’ve been doing them
with Flash. And there are plenty more cases: tomjen3 already mentioned games,
IIRC the conference call/screen sharing service used by one of my clients is
Java-based, etc.

The likes of Google and Mozilla might want us all to drop these tried and
tested technologies and move to shiny new ones like HTML5 and the latest JS
and CSS developments, but realistically, it takes time for users to move on.
Most of us don’t have the luxury of controlling our customers’ platforms so we
can ensure they run up-to-date builds of Firefox or Chrome with all the latest
toys.

It takes time for developers to move on, too. I’m currently working on a
project that uses a Java applet for a client. If I were starting the same
project today, I’d probably chose different tools, but it wasn’t started
today, and not so many years ago when the architectural decisions were being
made, those new tools didn’t exist yet.

The main thing holding Java applets back today seems to be the second rate
support they now get from the major browsers and/or Oracle, assuming they are
supported at all. The number of blatant, show-stopping bugs in browser/Java
interactions is getting silly, and code that has worked for years is breaking
because someone installed a software “upgrade”. That’s a pity, IMHO, because
the JVM is still a decent platform, and there are several interesting modern
programming languages other than Java itself that we could be using to develop
web apps otherwise.

~~~
nwh
I've literally never seen Java in the wild that's not part of an exploit kit.
I've disabled Java in every browser / OS since about 2007, and I'm yet to be
unconvinced by not having it.

Can you show me any examples of what I might be missing out on?

~~~
Chris_Newton
The applet I’m working on is rather specialised, so talking about that isn’t
going to prove much. Others have pointed out some common examples from among
the fields I mentioned, such as Minecraft, WebEx, and Danish government web
sites. Each of these has a significant user base relying on Java applets.

~~~
SiVal
Does Minecraft use applets or is it just a standalone desktop Java app? Does
installing Minecraft create any vulnerability to this bug on a machine whose
browsers have deactivated any Java plugin?

~~~
Aticus_Finch
They are unrelated.

Besides downloading the Java app, you can play Minecraft in the browser
through an applet at <https://minecraft.net/play>.

So no, if you are not running Java in the browser, a malicious web page can
run neither Minecraft nor other Java apps that you have locally installed.

------
drivebyacct2
Please, please, please turn on Click-to-Enable in your browser. You'll
appreciate it even if not for the security benefits.

[http://howto.cnet.com/8301-11310_39-57536917-285/enable-clic...](http://howto.cnet.com/8301-11310_39-57536917-285/enable-click-to-play-for-chrome-plug-ins/)

