New Malware Exploiting Java 7 In Windows And Unix Systems


Maestro

New malware exploiting Java 7 in Windows and Unix systems

by Topher Kessler January 11, 2013 1:32 PM PST

Mal/JavaJar-B is a cross-platform exploit of a new zero-day vulnerability in the latest Java runtimes.

A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).

The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown:

"Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to "permissions of certain Java classes," as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack."

Read more: http://reviews.cnet....d-unix-systems/

Link to comment
Share on other sites

Thanks for this information.

Explains what happened to me three days ago.

Spent an hour getting totally rid of "Microsoft Home Security 2013" - a 'rogue' program.

Wondered where it had come from - must have been a website for a well known lighting firm that wanted to run Java.

Usually, when asked, I don't let it run, but allowed it this time!

Lesson learnt.

Link to comment
Share on other sites

My Internet connection has been awfully slow the whole day but I have now done some Google searches. Apparently, JavaJar, also spelt Java Jar or Java-Jar or Java -Jar, has been around since October last year, stands for Java Archive and is not the trojan itself, only a vehicle for the delivery of various trojans by different names (example described here: www.f-secure.com/v-descs/fortnight.shtml). Thus it seems impossible to determine if a computer is infected by JavaJar, and I am at the moment running a complete system scan with my antivirus software Avast!

I wonder if web designers could shed some light on how it works and what precautions we should take, how to check if a computer has already been affected.

Link to comment
Share on other sites

My Internet connection has been awfully slow the whole day but I have now done some Google searches. Apparently, JavaJar, also spelt Java Jar or Java-Jar or Java -Jar, has been around since October last year, stands for Java Archive and is not the trojan itself, only a vehicle for the delivery of various trojans by different names (example described here: www.f-secure.com/v-descs/fortnight.shtml). Thus it seems impossible to determine if a computer is infected by JavaJar, and I am at the moment running a complete system scan with my antivirus software Avast!

I wonder if web designers could shed some light on how it works and what precautions we should take, how to check if a computer has already been affected.

You can use a vulnerability scanner, which is more efficient than antivirus (zero-day updates). I'm using BoomScan from www.boomsecurity.com (good price) for my computers and my business and it's working great.

Link to comment
Share on other sites

As a web designer (I must stress that I work with jscript, php, css and html so I am as clueless as you) I have not come across applications needing java in quite a while. It is an old heavyweight that can be used to write applications without having to worry about install routines (i.e. when an AV pops its head up). Since disabling it I have noticed nothing different on the internet. I think that Java itself is rarely called for in day to day internet usage. Google docs had some java functionality, but I think that has long gone (indeed a quick check has shown that it is still functioning normally even though I have disabled Java...probably in favour of AJAX or Flex). Roughly put I reckon that uninstalling Java will probably find us not noticing for some time, even then we might not be inclined to re-install when prompted.

Here is the link to a blog discussing the demise of Java (written in 2011). http://rothisblog.bl...ax-vs-java.html

For those that can't be bothered to find the reference it is this section

But then I learned that people had one problem with that application: It was the one-time installation of the Java plugin. First I didn't take those guys seriously: I could not believe that people are too lazy to install a plugin - once! Well: They were. Then technologies emerged pimping html with special Javascript code and all this amazing stuff was called Ajax. I even wrote an article about this new technology in the XML magazine (German). Ajax made its way, Java applets are very old-fashioned nowadays, nobody uses them any longer.

I think the internet connection issues were something else as I suffered those for the past couple of days with a host of sites not responding/responding slowly (TVF included) for the past 48 hours. This morning everything seems to be more responsive. It was a weird selection of sites too (i.e. no common geographic location).

Link to comment
Share on other sites

You don't need to uninstall Java. It is sufficient to turn off the Java browser plugins/helpers/add-ons either from the Java control panel applet or from the individual browser settings. This way you easily turn it back on if you need it for some site.

I wouldn't take the risk. Dump the shit, they are hopeless at securing it.

Link to comment
Share on other sites

It is comforting to know that Oracle plans a release to fix the Java vulnerability that was uncovered on Thursday. It is not so comforting when the only timeline given is "shortly."

"A fix will be available shortly," the company said in a statement released late Friday.

The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) and computer security experts said on Thursday that the Java security bug has already been exploited in the wild. Most recommend that the safest -- and easiest -- precaution for end users to take is to uninstall Java, until a fix is issued.

Other companies have taken their own steps, with Apple blocking the use of the Java plug-in on its OS X platform, and Mozilla blocking Java use in its Firefox browser.

http://www.examiner.com/article/oracle-promises-fix-for-new-java-vulnerability-but-gives-no-timeframe

Link to comment
Share on other sites

Today is not day zero any more, so I wonder whether my AV's (avast and Avira, depending on which computer we are talking about) have the antidote already.

My home computer has a brand-new (2 weeks old) Windows 7, and as usual, I installed everything from scratch. No website has asked me to install Java yet, and I just checked for plugins on Firefox and I don't seem to have it. So, this supports daftvader's theory that not many websites use Java now.

Link to comment
Share on other sites

Today is not day zero any more, so I wonder whether my AV's (avast and Avira, depending on which computer we are talking about) have the antidote already.

My home computer has a brand-new (2 weeks old) Windows 7, and as usual, I installed everything from scratch. No website has asked me to install Java yet, and I just checked for plugins on Firefox and I don't seem to have it. So, this supports daftvader's theory that not many websites use Java now.

No, but unfortunately Oracle do!

Link to comment
Share on other sites

I noticed that installing a new Windows today.

Oracle has issued an emergency fix for its Java software, which security experts said is being exploited to carry out identity theft and other crimes — but flaws remain which can still be exploited, researchers say.

The fix, available from the Oracle website, is intended to block an exploit in Java from running in web browsers, which the US Department of Homeland Security said was being "actively exploited".

The new fix from Oracle, which updates Java to Java 7 update 11 (known as 7u11) sets the default Java security settings to "high", so users are prompted before their systems will run Java applets from an unknown source — as a hacker's code would be.

http://www.guardian.co.uk/technology/2013/jan/14/oracle-issues-emergency-fix-java

Link to comment
Share on other sites
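
Added example, not part of any post in this thread and not Oracle's code: a small Python check that compares `java -version` output with the range quoted above from the CVE entry ("Java 7 Update 10 and earlier") and with the 7u11 fix, and reads the browser-related keys from a `deployment.properties` file. The function names and sample inputs are constructed for illustration; the version-string layout and the location of the properties file on a given machine are assumptions.

```python
import re

# First line of `java -version` looks like: java version "1.7.0_10"
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

def parse_java_version(output):
    """Return (major, update) parsed from `java -version` text, or None."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def classify(output):
    """Compare a runtime with the range quoted from the CVE entry."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major != 7:
        return "not-java-7"  # the quoted CVE text only names Java 7
    # "Java 7 Update 10 and earlier" is affected; 7u11 is the emergency fix.
    return "affected" if update <= 10 else "7u11-or-later"

def browser_settings(properties_text):
    """Read the browser-related keys from deployment.properties text."""
    props = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return {
        # None means the key is unset and the runtime default applies.
        "security_level": props.get("deployment.security.level"),
        # Assumption: Java content in the browser is on unless set to false.
        "web_enabled": props.get("deployment.webjava.enabled", "true").lower() != "false",
    }

if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real machine.
    for text in ('java version "1.7.0_10"', 'java version "1.7.0_11"',
                 'java version "1.6.0_38"', "java: command not found"):
        print(text, "->", classify(text))
    sample = "#deployment.properties\ndeployment.security.level=HIGH\ndeployment.webjava.enabled=false\n"
    print(browser_settings(sample))
```

`java -version` writes to stderr, so capture that stream when feeding real output to `classify`. The result "7u11-or-later" only means the emergency fix is present; it says nothing about the remaining flaws the article mentions.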

On Twitter people are saying even the new patches have security holes so I removed JAVA and will see if I can live without it as many people are saying I can do. If I have problems, I will install the latest JAVA version if I have to.

Link to comment
Share on other sites

Today is not day zero any more, so I wonder whether my AV's (avast and Avira, depending on which computer we are talking about) have the antidote already.

My home computer has a brand-new (2 weeks old) Windows 7, and as usual, I installed everything from scratch. No website has asked me to install Java yet, and I just checked for plugins on Firefox and I don't seem to have it. So, this supports daftvader's theory that not many websites use Java now.

No, but unfortunately Oracle do!

I am not aware of using Oracle on my computer.

BTW, Avira has informed me with today's update on the home computer that they don't need to worry about the Java 7 Exploit any more.

Link to comment
Share on other sites

Just for your information. Here is my virus chest (i.e. secure storage through the antivirus) this morning after the boot-time scan. Remember that I updated my Java yesterday and Avast! updated their definitions yesterday too.

Forgive the black "anonymity" bar. In short - UNINSTALL. See my earlier post for a simple version of the uninstall, but I took no chances and used

http://www.revouninstaller.com/revo_uninstaller_free_download.html and used the "Advanced" option!

Link to comment
Share on other sites

Just for your information. Here is my virus chest (i.e. secure storage through the antivirus) this morning after the boot-time scan. Remember that I updated my Java yesterday and Avast! updated their definitions yesterday too.

Forgive the black "anonymity" bar. In short - UNINSTALL. See my earlier post for a simple version of the uninstall, but I took no chances and used

http://www.revounins...e_download.html and used the "Advanced" option!

It's unlikely that all those files just appeared there because you updated Java. Try emptying your Browser cache and scanning again.

Having already installed v11 I updated AVG and did a full scan and found nothing. In your case it's most likely stuff from dodgy sites you've visited, whereas I am purer than the driven snow.

*Blink*

Edited by Chicog
Link to comment
Share on other sites

Just for your information. Here is my virus chest (i.e. secure storage through the antivirus) this morning after the boot-time scan. Remember that I updated my Java yesterday and Avast! updated their definitions yesterday too.

Forgive the black "anonymity" bar. In short - UNINSTALL. See my earlier post for a simple version of the uninstall, but I took no chances and used

http://www.revounins...e_download.html and used the "Advanced" option!

It's unlikely that all those files just appeared there because you updated Java. Try emptying your Browser cache and scanning again.

Having already installed v11 I updated AVG and did a full scan and found nothing. In your case it's most likely stuff from dodgy sites you've visited, whereas I am purer than the driven snow.

*Blink*

Not a bad thought, but I must let you know that the full address is that of the Java deployment cache! It looks like they might be left over from Java 6, but surely part of the upgrade routine should be to clean up the existing problem. If not then it can't be possible to recommend upgrading to the latest version (7) to solve the problem.

Out of curiosity I have found that the only problem program I had on my computer that wanted Java was JDownloader. Sure it is a nice app, but I'm sure a little research will dig up a decent "non-Java" alternative.

Edited by draftvader
Link to comment
Share on other sites
