An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows and Mac systems.

The Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.”

Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X systems. 

This development should not be taken lightly by any computer user. According to Sun’s maker Oracle, more than three billion devices run Java. What’s more, Java vulnerabilities are by some accounts the most popular exploit paths for computer crooks these days. On Monday, Microsoft’s Tim Rains published a blog post noting that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK).

From that blog post:

“During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits[1]. During this one year period, Microsoft antimalware technologies detected or blocked, on average, 6.9 million exploit attempts on Java related components per quarter, totaling almost 27.5 million exploit attempts during the year.”

The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. Apple issued its own update to fix this flaw and other Java bugs earlier this month.

If you don’t need Java, get rid of it. Most people who have it won’t miss it. For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative. Below, is a chart showing java being the top exploit for the past four quarters.

Just so your aware,  your browser automatically sends a Browser User Agent string for EVERY page request. This includes your phones browser, touchpad browser, and the integrated TV browsers… This user agent contains things such as Java, .NET, Silverlight, what browser it is and a couple other informational pieces. Pretty much all web servers log this information so they can not only target the html to popular browsers but to also see how many unique visitors visit. This is how websites find out information about you when you visit.

http://analyze.privacy.net/Default.asp
This site analyzes the privacy of your Internet connection and shows some of the information web sites can know about you when you visit.  The information can be used to display web content based on things such as country of origin and web browser.

http://www.iwebtool.com/browser_details
Find out your IP address and hostname, your browser details (User-Agent, Cookies Enabled, Java Enabled , JavaScript Status, Screen Width & Height, CPU class/type, Screen Colour Depth, Window Width & Height) and browser headers.

Many don’t have an option but to use Java. Since around April 2011, Chrome blocks the java plug-in by default. Before the plug-in runs, you have to approve. Here is an example image:

Unfortunately someone who uses java regularly may get in the “click before thinking” habit with the prompt.

This entry was posted on Tuesday, December 13th, 2011 at 20:49 by dsmith and is filed under Best Practices, Browser, Chrome, Exploit, Java, MacOS, Microsoft, Oracle, OS X, Patch, Updates, Windows, Windows 7. You can follow any responses to this entry through the RSS 2.0 feed.