The Dark Side Of Java

  /     /     /  
Publicated : 22/11/2024   Category : security


The Dark Side Of Java


Metasploit adds new module for latest Java attack as Java becomes cybercriminals new favorite target



Its a declining tool on the developer side, but Java remains a major yet oft-forgotten presence on the desktop that is increasingly being targeted by the bad guys.
Why Java as an attack vector? Its pervasiveness and inordinate number of out-of-date versions running out there on desktops are making Java the black hat hackers choice of late. The numbers say it all: Some 80 of enterprise systems run outdated, unpatched versions of Java, according to data from Qualys. And since the third quarter of 2010, Microsoft has detected or blocked some 6.9 million exploit attempts on Java each quarter, with a total of 27.5 million attempted exploits during that 12-month period.
Overall, 3 billion devices and 80 percent of browsers worldwide use Java. Meanwhile, some security-savvy users are disabling or uninstalling it altogether as a precaution.
Developers of the wildly popular open-source Metasploit penetration-testing tool this week added a new module for the latest Java attack that abuses a recently patched vulnerability in Oracles Java implementation, Rhino. The flaw in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier versions, which initially was publicized by researchers
here
and
here
and then was quickly productized into a crimeware kit in the underground,
as blogger Brian Krebs discovered
. Krebs On Security reported that the attack also was getting rolled into the BlackHole crimeware kit.
Java is everywhere, and no one updates it properly, says HD Moore, creator and chief architect for Metasploit and CSO at Rapid7. Very few enterprises update it on desktops.
Oracle does offer an auto-update feature for Java, but it requires admin privileges for the desktop user to use it, something most enterprises dont allow, Moore says.
Microsofts director of Trustworthy Computing, Tim Rains, earlier this week
noted in a blog post
that patched flaws in Oracles Java software have been under siege for months. Vulnerabilities in Oracle’s Java software have been getting attacked on a relatively large scale for many months and, as I already mentioned, security updates for these vulnerabilities have been available for some time, Rains said. If you haven’t updated Java in your environment recently, you should evaluate the current risks.
Among other things, organizations need to be aware that they might have multiple versions of Java running, he said.
The Oracle Java flaw, which was patched by Oracle last month, basically lets a Java applet run arbitrary code outside of the Java sandbox. Rapid7s Moore says the so-called java rhino exploit -- which works across multiple platforms, including Windows, iOS, and Linux -- happens in the background, unbeknown to the user hit by the drive-by exploit. Interesting, Linux is most vulnerable to the attack right now: Oracle patched it; Apple pushed an update at the software level. But most Linux vendors … havent pushed updates, Moore says.
Its typically used as a first stage in a multistage attack, used for downloading an executable file or installing a bot.
Wolfgang Kandek, CTO of Qualys, says having Metasploit supporting the latest exploit will help raise awareness about the dangers of out-of-date Java apps. The benefit of having it in Metasploit is that the good guys can demonstrate how this [attack] works, he says.
Many of the organizations found running outdated Java apps in Qualys customer data were large enterprises, he says. There tends to be no good process for patching Java. It flies under the radar, he says.
What about disabling Java altogether? Kandek says he doesnt use it, and its possible to survive without it. But some companies need it, and they should figure out how to be sure they are on the latest version of it, he says.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
The Dark Side Of Java