
SANS ISC: InfoSec Handlers Diary Blog - CERTs warn about java bug being exploited



CERTs warn about java bug being exploited

Published: 2006-01-13
Last Updated: 2006-01-13 21:04:36 UTC
by Swa Frantzen (Version: 4)
US-CERT and AUSCERT warn about a bug in Java being exploited. They claim the bug was made public in November 2005.

Aside from the obvious advice to patch and turn off Java support, the warnings include text such as "avoid clicking on any links in emails or instant messages, unless the email was already expected beforehand" and "by only accessing Java applets from known and trusted sources the chances of exploitation are reduced."

To the best of my knowledge the general user population expects email. They use email to communicate with people they never met before. And they will click on anything in it. Similarly they call it "surfing the web", they will click on links that lead to other sites. Telling them not to do that is going to have as much effect as asking them not to laugh at you. There are unfortunately only a very few exceptions where you might have users and applications where you can limit the exposure. But as a general recommendation it is rather worthless IMHO.

So download that latest, greatest Java environment now if you haven't done so already and upgrade. Better yet: in addition to upgrading all Java versions, also check those browser settings and turn Java off for all sites that you either do not trust 100% to execute code on your machines or that don't absolutely need it to work.

UPDATE

We have been informed multiple times that the hostile Java seems to be hosted on a web server at fullchain [dot] net. It might be interesting to check your logs in a corporate environment. The supposedly hostile code is still there, so we won't be providing detailed URLs for now. The class file on that website is not detected as malicious by any anti-virus product participating in VirusTotal.

Vince told us it's also necessary to remove the old Java environments, not just install the new ones, as an attacker can target the old environments while they are still present.

UPDATE

According to the bulletins you need at least:
  • Version 1.3.1_16 or later
  • Version 1.4.2_09 or later
  • Version 5.0 Update 4 (1.5.0_04) or later
to be safe.
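A quick way to turn the three minimum versions above, and Vince's point about leftover runtimes, into something you can run against an inventory of installed JREs. This is an added example, not part of the original diary; the version strings it checks at the bottom are constructed for illustration, not collected from a real host, and the "1.2.x" entry is there only to show how families the bulletins do not cover are treated.

```python
"""Check installed Java runtime versions against the minimum patched
releases named in the CERT bulletins (1.3.1_16, 1.4.2_09, 1.5.0_04).

Added example, not from the original diary.  The version strings checked
at the bottom are constructed for illustration, not collected from a real
host.
"""
import re

# Minimum safe update number per (major, minor, micro) family, per the
# bulletins.  The 1.5 line is what Sun markets as "5.0", so "5.0 Update 4"
# is the same thing as 1.5.0_04.
MIN_SAFE = {
    (1, 3, 1): 16,
    (1, 4, 2): 9,
    (1, 5, 0): 4,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(s):
    """Return ((major, minor, micro), update) from a 'java -version' style
    string such as '1.4.2_09'; a missing update number counts as 0."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % s)
    family = tuple(int(m.group(i)) for i in (1, 2, 3))
    update = int(m.group(4) or 0)
    return family, update


def is_patched(s):
    """True if the runtime is at or above the bulletin's minimum for its
    family.  Families the bulletins do not list at all (e.g. 1.2.x) are
    reported as unpatched so that somebody looks at them."""
    family, update = parse_version(s)
    if family not in MIN_SAFE:
        return False
    return update >= MIN_SAFE[family]


def vulnerable_runtimes(installed):
    """Return the subset of installed version strings that still need to be
    upgraded or removed.  A host with one patched JRE and one old one next
    to it is still exposed: the diary's point is that an attacker can
    target the old environment as long as it is present."""
    return [v for v in installed if not is_patched(v)]


if __name__ == "__main__":
    # Constructed sample: a typical box with several JREs side by side.
    sample = ["1.5.0_06", "1.4.2_08", "1.3.1_16", "1.4.2_09", "1.2.2_017"]
    for v in sample:
        print("%-12s %s" % (v, "ok" if is_patched(v) else "VULNERABLE"))
    print("remove or upgrade:", vulnerable_runtimes(sample))
```

Feed it the output of `java -version` from every JRE directory you find, not just the one on the PATH; the whole point of the inventory is the copies that are no longer the default.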

UPDATE

While following the malware, my fellow handlers Daniel and Lorna found most of the exploits coming from netblocks we had already put in our hall of fame of bad netblocks: 195.225.176.0/22 and 85.255.112.0/20. What you get should you go there: spyware.
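For the log check suggested in the first update (requests to the fullchain [dot] net server) and the two netblocks named here, the following script scans proxy logs for both indicators at once. It is an added example, not part of the original diary. It assumes Squid's native access.log layout (time, elapsed, client, action/code, bytes, method, URL, user, hierarchy/peer, type); the sample lines are constructed, and the client and peer addresses in them are made up for illustration and say nothing about where fullchain [dot] net actually resolves.

```python
"""Scan proxy logs for the indicators in the diary: requests to the
fullchain [dot] net web server and traffic to the 195.225.176.0/22 and
85.255.112.0/20 netblocks.

Added example, not part of the original diary.  The log lines below are
constructed in Squid's native access.log layout; the client and peer
addresses in them are made up for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

BAD_DOMAINS = ("fullchain.net",)
BAD_NETBLOCKS = [ipaddress.ip_network(n) for n in
                 ("195.225.176.0/22", "85.255.112.0/20")]

# Constructed sample, Squid native format:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1137168001.101   120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1137168002.245   310 10.0.0.7 TCP_MISS/200 1877 GET http://www.fullchain.net/x/loader.class - DIRECT/198.51.100.23 application/java
1137168003.512    98 10.0.0.9 TCP_MISS/200 44032 GET http://85.255.113.8/dl/setup.exe - DIRECT/85.255.113.8 application/octet-stream
1137168004.003    45 10.0.0.5 TCP_MISS/200 2210 GET http://update.example.org/ - DIRECT/195.225.175.255 text/html
1137168005.777   201 10.0.0.7 TCP_MISS/200 9001 GET http://FULLCHAIN.NET:8080/index.html - DIRECT/198.51.100.23 text/html
"""


def host_is_bad(host):
    """Match the flagged domain itself and any subdomain, case-insensitively."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def ip_is_bad(text):
    """True if text is an IP address inside one of the flagged netblocks."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in BAD_NETBLOCKS)


def check_line(line):
    """Return the reasons a Squid log line is suspicious (empty if clean).
    Both the URL host and the peer the proxy actually fetched from are
    checked, so a bare-IP URL and a DNS name resolving into a bad block
    are caught either way."""
    fields = line.split()
    if len(fields) < 9:
        return []
    url, hierarchy = fields[6], fields[8]
    reasons = []
    host = urlsplit(url).hostname or ""   # hostname is lowercased for us
    if host_is_bad(host):
        reasons.append("request to %s" % host)
    if ip_is_bad(host):
        reasons.append("URL host in flagged netblock")
    peer = hierarchy.split("/", 1)[-1]    # DIRECT/1.2.3.4 -> 1.2.3.4
    if ip_is_bad(peer):
        reasons.append("server %s in flagged netblock" % peer)
    return reasons


def scan(log_text):
    """Return [(client, url, reasons)] for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            f = line.split()
            hits.append((f[2], f[6], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The fourth sample line sits one address below 195.225.176.0/22 and is deliberately not flagged; the netblock test is a real prefix match, not a string prefix on "195.225.17", which is the mistake a hurried grep tends to make.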

--
Swa Frantzen