Trey Posted August 28, 2012 Share Posted August 28, 2012 Bear with me while I try to format this on mobile. http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/ The Register is reporting on a java exploit that "allows attackers to use a custom web page to force systems to download and run an arbitrary payload for example, a keylogger or some other type of malware." [hide=Article explaining the exploit]A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available. The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk. The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself. In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload. All browsers running on these systems were found to be vulnerable if they had the Java plugin installed, including Chrome, Firefox, Internet Explorer, Opera, and Safari. Although the actual source of the exploit is not known, it was originally discovered on a server with a domain name that resolved to an IP address located in China. The malware it installed on compromised systems attempted to connect to a command-and-control server believed to be located in Singapore. Oracle has yet to comment on the vulnerability or when users should expect a fix, but it might be a while. The database giant ordinarily observes a strict thrice-annual patch schedule for Java, and the next batch of fixes isn't due until October 16. Downgrading to an earlier version of Java is not advised, because even though earlier versions aren't vulnerable to this particular exploit, they may contain other bugs that expose still other vulnerabilities. In advance of any official patch, and because of the seriousness of the vulnerability, malware researchers at DeepEnd Research have developed an interim fix that they say seems to prevent the rogue Java code from executing its payload, although it has received little testing. Because the patch could be used to develop new exploits if it fell into the wrong hands, however, DeepEnd Research is only making it available by individual request to systems administrators who manage large numbers of clients for companies that rely on Java. For individual users, the researchers say, the best solution for now is to disable the Java browser plugin until Oracle issues an official patch.[/hide] Thoughts? ****UPDATE**** Oracle has released a new Java update that patched the security flaw. http://reviews.cnet.com/8301-13727_7-57503787-263/oracle-patches-java-7-vulnerability/ In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem.In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet.Even though the attacks using this vulnerability so far have been Windows-based, the exploit was demonstrated on other platforms supported by Java 7, including OS X systems where the exploit was successfully run in the latest Safari and Firefox browsers in Mountain Lion.Following the news of this exploit and the potential for it to do harm, concern arose regarding Oracle's release schedule for Java updates which are usually released quarterly and would mean users would have to wait until October to see a patch to this flaw. As a result, some companies issued their own private patches to this vulnerability in the days that followed its initial finding, but Oracle has stepped up and broken its regular release schedule to offer a patched version of the Java 7 runtime.The Java 7 Update 7 patch can be downloaded from the Java SE Downloads Web page, and Oracle recommends that all users of Java 7 apply the update.Do keep in mind that this vulnerability is in new features in the Java 7 runtime and will not work in other versions, so if you have older Java runtimes installed on your system then you will not need to patch them to address this specific vulnerability; however, Oracle has also updated Java SE 6 to address other bugs so it is recommended that you also install the latest update for this runtime. Link to comment Share on other sites More sharing options...
Saradomin_Mage Posted August 28, 2012 Share Posted August 28, 2012 (edited) Switching to client brb Oh wait, 1.7 or later, doesn't affect me! Edited August 28, 2012 by Saradomin_Mage In real life MMO you don't get 99 smithing by making endless bronze daggers. Link to comment Share on other sites More sharing options...
Ned Posted August 28, 2012 Share Posted August 28, 2012 Thanks very much for sharing. Want to help the Tip.It Crew? Visit the Website Updates & Corrections forum! Link to comment Share on other sites More sharing options...
Vezon Dash Posted August 28, 2012 Share Posted August 28, 2012 Switching to client brb Oh wait, 1.7 or later, doesn't affect me! Pretty much this. Good thing to make people aware of though. Link to comment Share on other sites More sharing options...
Youmu Posted August 28, 2012 Share Posted August 28, 2012 Mac user here, nop doesn't affect me. BlogTrimmed | Master Quester | Final BossBoss pets: Bombi | Shrimpy | Ellie | Tz-Rek Jad | Karil the Bobbled | Mega Ducklings120s: Dungeoneering | Invention Link to comment Share on other sites More sharing options...
BloodAngel Posted August 28, 2012 Share Posted August 28, 2012 Mac user here, nop doesn't affect me. http://www.mactrast.com/2012/08/new-java-7-exploit-super-dangerous-for-mac-users/ "Unfortunately, the real world isn't the same as a fairy tale." Link to comment Share on other sites More sharing options...
aspeeder Posted August 28, 2012 Share Posted August 28, 2012 So I have to visit custom webpages to do this? I'll just stick to trusted sites then. http://i700.photobucket.com/albums/ww6/aspeeder/Siggy_zpsewaiux2t.png 99 Strength since 6/02/10 99 Attack since 9/19/10 99 Constitution since 10/03/10 99 Defense since 3/14/11 99 Slayer since 8/30/11 99 Summoning since 9/10/11 99 Ranged since 09/18/11 99 Magic since 11/12/11 99 Prayer since 11/15/11 99 Herblore since 3/29/12 99 Firemaking since 5/15/12 99 Smithing since 10/04/12 99 Crafting since 9/16/13 99 Agility since 9/23/13 99 Dungeoneering since 1/1/14 99 Fishing since 2/4/14 99 Mining since 2/28/14 99 Farming since 6/04/14 99 Cooking since 6/11/14 99 Runecrafting since 10/10/14 9 Fletching since 11/11/14 99 Thieving since 11/14/14 99 Woodcutting since 11/20/14 99 Construction since 12/03/14 99 Divination since 2/22/15 99 Hunter since 2/23/15 99 Invention since 01/20/17 99 Archaeology since 5/14/22Quest Point Cape since 08/20/09 Maxed since 2/23/15 Fire Cape since 02/27/13 Slayer: 3 Leaf-Bladed Swords, 8 Black Masks, 2 Hexcrests, 26 Granite Mauls, 5 Focus Sights, 32 Abyssal Whips, 9 Dark Bows, 1 Whip Vine, 3 Staffs of Light, 15 Polypore Sticks Dragon: 9 Draconic Visages, 7 Shield Left Halves, 20 Dragon Boots, 40 Dragon Med Helms, 8 Dragon Platelegs, 6 Dragon Spears, 20 Dragon Daggers, 5 Dragon Plateskirts, 1 Dragon Chainbody, 63 Off-hand Dragon Throwing Axes, 19 Dragon Longswords, 27 Dragon Maces, 1 Dragon Ward Treasure Trails: Saradomin Full Helm, Ranger Boots, Rune Body (t), Saradomin Vambraces, Various God Pages Misc:1 Onyx,1 Ahrim's Hood, 1 Guthan's Chainskirt, 1 Demon Slayer Boots Link to comment Share on other sites More sharing options...
Leoo Posted August 28, 2012 Share Posted August 28, 2012 I have Java 6 13.8.0, does this affect me? Link to comment Share on other sites More sharing options...
Sy_Accursed Posted August 28, 2012 Share Posted August 28, 2012 Oh noes I can get a keylogger if I visit a dodgey site built expressly for installing the keylogger on to my system? This is going right to the top of my shit I need to worry about list right above having my phone bill abused via a bluetooth hack and having my bank account robbed when I respond to that nigerian prince/lotto. Oh no wait my bad, this is my list of security issues that I don't care about because they can be easily avoided by not being stupid. 4 Operation Gold Sparkles :: Chompy Kills :: Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA RewardsDragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue Link to comment Share on other sites More sharing options...
Lord Paul Posted August 28, 2012 Share Posted August 28, 2012 I have Java 6 13.8.0, does this affect me? It shouldn't. Working on max and completionist capes. 2435/2475 Link to comment Share on other sites More sharing options...
Kaur Posted August 28, 2012 Share Posted August 28, 2012 Someone invented a RAT. QUICK BURN EVERYTHING AND USE MAGNETS ON HARDDRIVE! Link to comment Share on other sites More sharing options...
Robert_R Posted August 28, 2012 Share Posted August 28, 2012 Things like this aren't new. And you'd have to visit a sketchy website for this to happen. Stick to trusted websites instead of panicking? Link to comment Share on other sites More sharing options...
Kimberly Posted August 28, 2012 Share Posted August 28, 2012 Oh noes I can get a keylogger if I visit a dodgey site built expressly for installing the keylogger on to my system? This is going right to the top of my shit I need to worry about list right above having my phone bill abused via a bluetooth hack and having my bank account robbed when I respond to that nigerian prince/lotto. Oh no wait my bad, this is my list of security issues that I don't care about because they can be easily avoided by not being stupid. By all means, tell us how you really feel. I agree with everything you said but hot damn that was harshly worded and felt directed towards the OP. o_O Link to comment Share on other sites More sharing options...
Auror Posted August 28, 2012 Share Posted August 28, 2012 I got java 1.6.0_33 .. I think this doesn't affect me Link to comment Share on other sites More sharing options...
Trey Posted August 28, 2012 Author Share Posted August 28, 2012 Just posting to make people aware of an exploit. Not trying to cause any panic. And don't worry Kimberly, no offense taken from Sy. It's just how he is. 2 Link to comment Share on other sites More sharing options...
Sy_Accursed Posted August 28, 2012 Share Posted August 28, 2012 Oh noes I can get a keylogger if I visit a dodgey site built expressly for installing the keylogger on to my system? This is going right to the top of my shit I need to worry about list right above having my phone bill abused via a bluetooth hack and having my bank account robbed when I respond to that nigerian prince/lotto. Oh no wait my bad, this is my list of security issues that I don't care about because they can be easily avoided by not being stupid. By all means, tell us how you really feel. I agree with everything you said but hot damn that was harshly worded and felt directed towards the OP. o_O Did not mean it towards the OP, more towards the scare mongering journalist who wrote this article trying to up sell this exploit as some HUGE security flaw whereby if we do not turn java off we WILL get a keylogger. Operation Gold Sparkles :: Chompy Kills :: Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA RewardsDragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue Link to comment Share on other sites More sharing options...
RU_Insane Posted August 28, 2012 Share Posted August 28, 2012 I just downloaded the latest version of Java -.- Time to downgrade ... for now. :P RIP RU_Insane. August 3rd, 2005 - November 11th, 2012. My Stats on Old School RuneScape: Reform Customer SupportCheck Out My Threads Link to comment Share on other sites More sharing options...
decebal Posted August 28, 2012 Share Posted August 28, 2012 There are so many loopholes possible I'm not worried about this one. I'd post something like this only if the virus/keylogger/whatever can hijack trusted applets, then I'll be worrying. Link to comment Share on other sites More sharing options...
Riptide Mage Posted August 28, 2012 Share Posted August 28, 2012 By not updating to Java 7 however; you are vulnerable to older exploits, the safest thing to do is be fully updated and use something like noscript to only allow java to run on sites you allow. 1 You make it sound like running through a few level 87 monsters is hard which it really shouldn't be at your level. Link to comment Share on other sites More sharing options...
Sy_Accursed Posted August 28, 2012 Share Posted August 28, 2012 By not updating to Java 7 however; you are vulnerable to older exploits, the safest thing to do is be fully updated and use something like noscript to only allow java to run on sites you allow. Or just not go to strange sites, seeing how this exploit requires visiting a custom made website for the sole purpose of infecting the user... Operation Gold Sparkles :: Chompy Kills :: Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA RewardsDragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue Link to comment Share on other sites More sharing options...
Riptide Mage Posted August 28, 2012 Share Posted August 28, 2012 By not updating to Java 7 however; you are vulnerable to older exploits, the safest thing to do is be fully updated and use something like noscript to only allow java to run on sites you allow. Or just not go to strange sites, seeing how this exploit requires visiting a custom made website for the sole purpose of infecting the user... The exploit is insanely simple (Less than 12 lines of code) and to say you need to visit a "custom made website" to be infected is completely ignorant and misleading. All you have to do is visit a website that has been compromised and had a few lines of code automatically added to the bottom of every .php file on the server. It happens all the time and it is usually too late for many, many users by the time it has been noticed. You make it sound like running through a few level 87 monsters is hard which it really shouldn't be at your level. Link to comment Share on other sites More sharing options...
Platinum_Myr Posted August 28, 2012 Share Posted August 28, 2012 Doesn't the exploit require people to click the "i trust this java applet"? Maxed since Sunday, January 9th, 2014Completionist since Wednesday, June 4th, 2014 Link to comment Share on other sites More sharing options...
Riptide Mage Posted August 28, 2012 Share Posted August 28, 2012 Doesn't the exploit require people to click the "i trust this java applet"? Nope, it very specifically bypasses that. You make it sound like running through a few level 87 monsters is hard which it really shouldn't be at your level. Link to comment Share on other sites More sharing options...
Etta Posted August 28, 2012 Share Posted August 28, 2012 :ohnoes: *disables everything, ever* Link to comment Share on other sites More sharing options...
Alg Posted August 28, 2012 Share Posted August 28, 2012 Doesn't the exploit require people to click the "i trust this java applet"?Nope, it very specifically bypasses that.That bit of knowledge would have been useful in the article itself. Perhaps it's because I'm apparently not as computer literate as the rest of the forum, but I failed to get any information out of that article beyond "OMG BIG SECURITY EXPLOIT DISABLE JAVA NOW". 1 I painted some stuff and put it on tumblr Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now