More Java Flaws Threaten All Web Browsers
UPDATED April 2, 2013: It appears that one of the Java flaws mentioned in this article was part of an elaborate hoax. Scroll to end of story for details.
Oh, Java, Java, Java.
No sooner had Oracle patched a widely reported critical flaw in its cross-platform software environment than another Java zero-day exploit — one against which there's no defense — reared its ugly head.
Meanwhile, two different security firms independently reported that Oracle's patch, released late Sunday (Jan. 13), only partly fixed the first exploit — which itself may have been the result of a flawed patch for a still older Java zero-day exploit.
Such a bargain
Security blogger Brian Krebs, who monitors underground hacker forums, spotted a posting Monday (Jan. 14) from a malware developer offering to sell an entirely new Java zero-day for $5,000.
"What you get?" the seller said in broken English. "Unencrypted source files to the exploit ... Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm [private message] me."
Without a copy of the source code or a demonstration of the exploit in action, it can't be verified if the seller was telling the truth. Krebs said the posting was later deleted, perhaps indicating that a buyer had been found.
But the incident illustrates how leaky Java, which was developed by Sun Microsystems nearly 20 years ago, can be.
As we reported last week, it's probably best just to disable Java entirely for Web browsers. Each new Java exploit is quickly built into browser exploit kits that lie in wait on infected Web pages.
It doesn't matter if you're on a Windows PC, a Mac or a Linux box. Java's built to run exactly the same way on all platforms.
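The delivery pattern the seller describes, a web page that "calls up the jar", is also what a defender can look for when triaging a suspicious page. The following scanner is an added example, not code from the article or from any vendor it mentions: it parses HTML with Python's standard-library parser, reports every applet, object or embed element that loads Java content (a .jar or .jnlp target, or a Java MIME type), and lists the hosts those archives are fetched from. The sample page and the host name bad.example are constructed for the demonstration.

```python
"""Flag HTML elements that load Java applets or JARs (added defender-side example)."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse


class JavaLoaderScanner(HTMLParser):
    """Collects <applet>, <object> and <embed> elements that point at Java content."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []
        self._obj: Optional[Dict] = None  # the <object> currently being parsed

    @staticmethod
    def _is_java(mime_or_classid: str, target: str) -> bool:
        # Either the declared type names Java, or the target is a JAR/JNLP file.
        return "java" in mime_or_classid.lower() or target.lower().endswith((".jar", ".jnlp"))

    def _add(self, kind: str, target: str) -> None:
        self.findings.append({"tag": kind, "target": target})

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            # Any <applet> is Java by definition; prefer the archive URL over the class name.
            self._add("applet", a.get("archive") or a.get("code", ""))
        elif tag == "object":
            # <object> is only decided once its <param> children have been seen.
            self._obj = {"attrs": a, "params": {}}
        elif tag == "param" and self._obj is not None:
            self._obj["params"][a.get("name", "").lower()] = a.get("value", "")
        elif tag == "embed":
            if self._is_java(a.get("type", ""), a.get("src", "")):
                self._add("embed", a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            a, p = self._obj["attrs"], self._obj["params"]
            target = p.get("archive") or p.get("jnlp_href") or a.get("data", "") or p.get("code", "")
            if self._is_java(a.get("type", "") + a.get("classid", ""), target) or "jnlp_href" in p:
                self._add("object", target)
            self._obj = None


def scan_html(html: str) -> List[Dict[str, str]]:
    """Return one finding per Java-loading element, in document order."""
    scanner = JavaLoaderScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def jar_hosts(findings: List[Dict[str, str]]) -> Set[str]:
    """Hosts that archives are fetched from; useful for blocklist or proxy-log triage."""
    return {urlparse(f["target"]).netloc for f in findings if urlparse(f["target"]).netloc}


# Constructed sample page: one applet, one object with params, one embed, one harmless image.
SAMPLE_PAGE = """<html><body>
<p>Loading...</p>
<applet code="Loader.class" archive="http://bad.example/payload.jar" width="1" height="1"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="archive" value="http://bad.example/other.jar">
  <param name="code" value="Main.class">
</object>
<embed src="http://bad.example/third.jar" type="application/x-java-applet">
<img src="logo.png">
</body></html>"""

if __name__ == "__main__":
    results = scan_html(SAMPLE_PAGE)
    for f in results:
        print(f"{f['tag']:7s} -> {f['target']}")
    print("hosts:", sorted(jar_hosts(results)))
```

Tiny (1x1) applets like those in the sample are a common sign that the element exists to load code rather than to display anything, so the width and height attributes are worth adding to the finding if you extend this for production use.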
Only halfway there
As for this week's patch being ineffectual, the two doubting security companies, Japan's Trend Micro and Immunity, Inc., of Miami Beach, Fla., aren't saying it doesn't work — for now.
But the critical flaw you heard about over the weekend was the result of two different flaws being combined into an effective exploit, and the Oracle patch apparently fixed only one of them.
Hence, the exploit no longer works, but the unfixed flaw is still there, waiting for someone to figure out another way to exploit it.
"The patch did stop the exploit, fixing one of its components," wrote Esteban Guillardoy of Miami Beach, Fla.-based Immunity Inc. on his company's blog. "But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."
Dan Goodin of tech blog Ars Technica tried to get Oracle to comment on both new developments, but was instead referred to the company's patch announcement from Sunday.
Krebs has his own theory for why Oracle, a well-run company known for its solid big-business database software, has been unable to get ahead of the Java security issue.
"I feel strongly that Oracle is an enterprise software company that — through its acquisition of Sun Microsystems in 2010 — suddenly found itself on hundreds of millions of consumer systems," Krebs wrote. "The company lacks any kind of outward sign of awareness that its software is so broadly installed on consumer systems."
UPDATE: In a blog posting on April 2, 2013, Brian Krebs wrote that the $5,000 Java zero-day mentioned on the underground forum was a hoax meant to reveal the alias Krebs used when in the forum.
"When you've gained access to an elite black market section of a closely guarded crime forum to which very few have access, it's easy to let your guard down," Krebs wrote. "That’s what I did earlier this year, and it caused me to chase a false story."
Krebs explained that the forum administrators had developed a system whereby any screenshots of the forum displayed on a Web page would surreptitiously reveal which user had taken the shot. Krebs only learned of this after "gray hat" hackers broke into the forum's administrative settings and exposed user data.
"To Oracle and to any readers I may have upset or misled by my previous story on this apparently bogus zero-day, I heartily apologize," Krebs wrote.