First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers
An anonymous reader writes with Help Net Security's report that a new zero-day vulnerability in Java is being exploited, quoting from which: The flaw was spotted by Trend Micro researchers, who are closely monitoring a targeted attack campaign mounted by the economic and political cyber-espionage operation Pawn Storm. The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit. The exploit allows attackers to execute arbitrary code on target systems with default Java settings. Until a patch is made, disabling Java is the recommended course of action.
There hasn't been a zero day? (Score:5, Funny)
There hasn't been a zero day for Java in two years?
If that's true, that sounds like the real news here.
Re: (Score:2, Troll)
"Disabling Java is the recommended course of action" ...and has been for several years now, zero-day exploits or otherwise.
Re: (Score:2)
Who the hell modded this Troll? Oracle fanboys (do those even exist?) getting modpoints?
Java in the browser was a bad idea to begin with, and is damn near inexcusable today. If it absolutely must exist, it should do so on a whitelist system, rather than just allowing arbitrary websites to run arbitrary applets.
Just because we don't *know* about Java applet 0-days (that's what makes them 0-days, after all) doesn't mean they don't exist. Proper use of NoScript (even if we assumed NoScript didn't block Java) m
Here we go again. (Score:5, Insightful)
It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.
Irrelevant (Score:4, Insightful)
Who gives a fuck about the Java plugin? The point is that Java is not the shitty java plugin, it's a programming language and JVM. People conflating the two are ignorant of Java's significance in the software industry. Like it or hate it for its own sake, but it's not the fucking browser plugin!
Re: (Score:2)
Who gives a fuck about the Java plugin?
Every single adult who has a bank account?
(At least in my country, every single bank uses the java plugin in the internet banking site.)
Re: (Score:1, Insightful)
You live in a backward country. I'm sorry.
Re: (Score:2)
At least it's better than South Korea, whose banks all used to run off ActiveX.
Re: (Score:2)
Not in the USA. I haven't used a Java plugin for a long time, certainly not for banking. The only time I'm confronted with plugins at all is when I try to watch videos of... um... of cats, yeah definitely cats.
Re: (Score:1)
Are you confusing Java with JavaScript?
Re: (Score:2)
I don't think so. I use JavaScript on pretty much every webpage I visit. But I have plugins disabled (click-to-play) so I know when I'm dealing with content that requires a plugin. I can't think of the last time I clicked-to-play without it being a video. If I ever use Java at all it is showing me a moving picture.
Re: (Score:1)
I can't recall anything that took Java to show a moving picture, at least not in a very long time. That was why I was curious if you were confusing the two. JavaScript is sometimes used to load content in Flash it seems as I have come across videos that will not play without it. *shrugs*
Re: (Score:1)
Well, Oracle hating is well justified. Java on the other hand not.
Re:Here we go again. (Score:5, Funny)
Re: (Score:1)
I can not recall the last time I saw an applet, servlet, or JavaServer Page... My banks, all of them, have never used Java ever, ever, ever... I do tend to use smaller banks and, mostly, credit unions so that may have something to do with it. They have used JavaScript but most of that devolves to plain HTML if there is no JavaScript enabled.
What is odd, and an aside, is the number of low UIDs that seemingly are conflating Java and JavaScript. I would, and do, think that they have seen this conversation enoug
Re: (Score:2)
The exploit resides in a plugin for Java - and it goes without saying that if there is no Java there, the buggy plugin would not exist either.
But the most important question is this - How soon can the world have the Net _without_ having to enable Java?
You might be surprised at how much hardware has control interfaces that require Java. The people who manage the servers that the websites you visit often need Java and the browser options for this are shrinking all the time.
If Java were to disappear from the Internet then data centers would be fucked. They'd have to get new hardware whose control interfaces didn't need Java. This would be expensive. Who is gonna pay?
Re: (Score:2)
This is what VMs are for. There are appliances (older Sun disk arrays for example) that not just require Java, but only work with one version of the JVM, and will just throw exceptions and crash if one uses the latest version.
So, to interface with the legacy controllers, a browser and that correct Java runtime go into a VM and when it is done being used, it gets shut down and rolled back.
Re: (Score:2)
Do they control hardware with the Java plugin? You must be confusing Java the language/VM with the Java plug-in for browsers.
The hardware has web-based control panels which use Java in the browser requiring a plug-in.
Re: (Score:2)
Well, yeah, Oracle hate is totally justified, so let's do it! (Besides, who wrote the plugin?)
But yes, Java hate is OTT. It's a decent language/concept. Microsoft did it better with .NET/C#, but beyond the painful programming patterns Java's frameworks enforce on everyone, it's not a bad system.
The plugin needs to go though.
I hate Java as much as anyone. But I need Java every day; a lot of servers I manage around the world can only be accessed by Java based KVM consoles. There's tons of hardware out there that's built with control interfaces that need Java.
It's sad but it's true.
Re: (Score:2)
So enable the plugin for your KVM console's URL only. If that's not possible, there should be a browser extension that makes it possible.
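One way to do what the comment above suggests on the Java side, as an added example that is not from this thread: a Java Deployment Rule Set (a ruleset.xml packaged and signed as DeploymentRuleSet.jar) permits the plugin to run applets only from the named host and blocks every other site. Rules are matched in order, so the catch-all block rule comes last; the host name kvm.example.internal is a placeholder.

```xml
<!-- ruleset.xml: allow applets only from the KVM console host, block all others.
     kvm.example.internal is a placeholder; substitute the real management host. -->
<ruleset version="1.0+">
  <!-- First match wins: the KVM console is the only location allowed to run. -->
  <rule>
    <id location="https://kvm.example.internal" />
    <action permission="run" />
  </rule>
  <!-- An empty <id /> matches every other location and blocks it with a message. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java applets are blocked except for the KVM console host.</message>
    </action>
  </rule>
</ruleset>
```

The per-user alternative is Java's Exception Site List, a plain exception.sites file with one URL per line, but it only covers that one user profile; the rule set above is installed system-wide and applies to every browser that still has the plugin enabled.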
Re: (Score:2)
Rest assured, no one hates you "system admins" more than developers.
Tell you what, go and 'develop' an alternative.
Re: (Score:2)
It's an exploit in the Java Plugin - not Java itself but whatever - let's get the Oracle hate going.
The Java plugin that's disabled by default in the latest Chrome and will soon be completely unusable in Chrome, thereby forcing sysadmins to use a different browser to administer hardware that needs Java in order to manage it, like IPMI, KVM, SANs etc etc. That Java plugin?
Re: (Score:3)
No, it's not a small program because these exploits are usually not against the JVM but against the sandbox. The problem is that the basic idea of a sandbox that lets you do almost anything and has fine-grained controls over what APIs you can and cannot call is fundamentally flawed. The attack surface is huge and the security code threads through all kinds of libraries.
Re: (Score:2)
The basically stupid idea is the ability to download and run Turing-complete code from unknown sources in supposed "safety". This has nothing to do with actual applications written in Java which is a reasonably secure language, certainly more secure than C or C++ (no buffer overflows, etc.).
The broken sandbox is completely orthogonal to whether or not Java is a POS. It's a feature, a broken feature, but not one that you're required to use and a well-written application, in any language, does not attempt t
Re:Disable Java == Broken Websites (Score:5, Informative)
Re: (Score:1)
Both are 20 years old this year. I think LiveScript changed to JavaScript in 1997 though. I too have no idea why they went and made the name so close as Java was already out and applets were already in use when LiveScript changed their name to JavaScript. The oft cited "fact" that Java was made for coffee makers is not true either. (It was for cable television. It was too complex for interactive television at the time.)
Re: (Score:3)
Java != JavaScript
There haven't been many sites with Java Applets for a long while. This was the only use case for the plugin, and it's unrelated to 99.9% of the use of Java 'the language' and the JVM.
You don't do much system administration on physical hardware, do you?
Re:Disable Java == Broken Websites (Score:4, Informative)
Most rack mount servers have an integrated management controller that lets you access the system over a network connection as though you had a local display/keyboard/mouse/storage. The client is usually a Java Web Start application, Java applet or similar. Hence you need Java to administer servers unless you can physically get to the rack and connect stuff to it.
Re: (Score:1)
Webstart is not a plugin, webstart is a "native" program with its own sandbox. You can disable the applet plugin just fine and still run JNLP files by just having those handled by javaws.
So disabling the applet will not break the equipment you are talking about, it will break stuff like iLO.
Re: (Score:2)
Sorry, I'd play you some music but I put my tiny violin somewhere and now I can't find it without a magnifying glass. Found a megaphone, though:
FUCKING STOP FINANCIALLY REWARDING COMPANIES THAT REQUIRE JAVA APPLETS!
When was the last time you refreshed your hardware, any of it? If it was in the last five years (and I'm being generous there, Java applets were known to be idiotic before that, too) and you purchased anything that requires a Java applet, then you are part of the problem and I have *no* sympath
Re: (Score:2)
Dell iDRAC doesn't depend on the Java browser plugin, it uses a Java Web Start application. But assuming you mean you want to get rid of the Java requirement altogether, rather than just the browser plugin, how do you suggest doing that? How would you make an OS-agnostic remote keyboard/mouse/video/storage client? The storage part is very important, we need to be able to mount virtual media to install operating systems and perform firmware upgrades. Java is the shittiest solution to the problem, apart f
Re: (Score:2)
In certain niches Java Applets are still very common, online banking being one very important example. So for many people the options are simply: a) enable Java plugin; or b) have no access to your money.
Re: (Score:3)
c) enable java and let everyone else have access to your money (apparently?)
Re: (Score:1)
They do not just keep your money if you have no access to the web interface. "no access to your money." No, you still have access. You just do not have it with your computer if you do not use their Java applet in some cases. You can still visit them or, sometimes, use an app on a phone or even just use your little plastic card to get access to your money.
Re:Disable Java == Broken Websites (Score:5, Interesting)
I very much doubt a significant majority of websites use Java. Javascript, maybe.
And you know what? If you hit a website which requires you run unsecure shit which allows arbitrary code execution? Maybe you should realize that's a good time to leave it disabled and find another site.
If you're letting every site on the planet run Java, Javascript, and Flash ... well, congratulations, you're who they make zero day exploits for.
I haven't seen a non-work related website requiring actual Java in years.
I consider those "please enable cookies and disable all security" warnings as a sure sign of either a badly done website, or one which is so focused on marketing and analytics that I don't give a crap if I can't reach their site.
It's your security, either you take ownership of it, or you throw your hands up and decide that the world will end if you don't allow some website to run Java. You can't have it both ways.
Re: (Score:1)
Speaking of talking out of one's ass... I do not recall a time when the majority of sites required Java to render their pages properly. In fact, Java has pretty much nothing to do with page rendering. Perhaps you do not know what you are talking about...
Re: (Score:2)
Nvidia: Unlike (apparently) some people, I know what card, platform, and OS I'm using, and so get along just fine without the driver scanner, thanks.
KeepVid: Um, there's a Firefox extension for that, you know.
Re: (Score:1)
As a network engineer, I hate to say it, but ICMP packet loss testing is as good as dead these days. I have not found a provider in the last 5 years that doesn't have some form of ICMP restriction baked into various levels of infrastructure.
Seeing ICMP packet loss these days generally does not correlate with link loss; it usually just displays that you're hitting a route that rate-limits ICMP traffic.
Re: (Score:1)
>using a website to test shit that has the same functionality built into the OS.
Learn to use your brain. No reason to use a website to test packet loss when the functionality is built into the OS. Hell, I even have speed test software on my system. No need for Java, or Javashit.
Re: (Score:2)
I'm sure millions of college students, when sent to an educational site that uses Java, will heed your advice. Java is still widely used in academia as well as the corporate world. It may be frustrating, but a lot of people are required to have Java running to get the shit that they are required to do done. Does it suck? Yes. Can you just disable and ignore vulnerabilities like this? No.
Re: (Score:2)
You can petition the professor (and loop in whoever is responsible for IT security, and work your way up the university bureaucracy as needed), pointing out that Java browser plugins are insecure and the university is putting student data and university network infrastructure at risk by requiring them to be enabled. Far better cause than most of the things I saw student petitions about, and a lot of those were addressed anyhow.
For the record, I completed my Bachelors in Computer Engineering in 2010, in the U
Re: (Score:2)
>> For the record, I completed my Bachelors in Computer Engineering in 2010, in the US. I never once needed a Java web plugin. I don't know how "widely used" it was back then, much less today, but it certainly wasn't required.
You're lucky, in the late 90's it was impossible to get a CS degree without at some point installing Java in your brain. Still not as bad as the C++ course where the lab portion was some crashtastic IDE on Mac OS 9.
Re: (Score:2)
Tell that to my bank.
Re: (Score:2)
The PROBLEM with disabling Java, is that a significant majority of sites use it heavily
Uh, really? Can you name one website that uses Java heavily?
Re: (Score:2, Funny)
The PROBLEM with disabling Java, is that a significant majority of sites use it heavily
Uh, really? Can you name one website that uses Java heavily?
Here is one: Verify your Java Version [java.com]
Re: (Score:2)
Uh, really? Can you name one website that uses Java heavily?
Here is one: Verify your Java Version [java.com]
Doesn't look too heavy of use to me.
With no Java in my browser, I can read all the text on that page, see all the menu links and even click them to go to the target pages, and see only a single Java applet (well, after clicking their agree button).
Even better, when I do try to detect my Java version I see text output on the page that is both
A) there and readable, and
B) factually correct!
It says it can't determine my Java version, which is fairly accurate as I have no Java for it to detect the version of.
It d
Re: (Score:1)
Oracle employee here. We have VERY strict corporate standards regarding accessibility, governed in part by the Americans with Disabilities Act. And a team specifically tasked with dropping in on other teams, unannounced, to review their work to make sure it meets these guidelines.
Re: (Score:1)
As much as I tend to poke fun at your corporate overlords' policies, a big congrats and thumbs up are in order to both the review team and whoever made that part of the java.com website!
Re: (Score:2)
All of the management pages for:
- EMC Storage
- Brocade FC switches
- Dell and HP managed ethernet switches
- Dell and HP DRAC/iLO remote management components
- Dell and Avocent IP KVMs
And I'm sure there are more. The best part is, none of the above works correctly with anything newer than Java 6! I have a VM running Windows 7, a working version of Firefox ESR, and Java 6. And I still have to constantly tell the VM that I don't want to update anything, and to just enable
Re: (Score:1)
No you're wrong. They use JavaScript, not Java. Totally different things with similar names. I haven't had the Java plugin installed in any of my browsers for years and have never encountered one website that didn't work.
Re: (Score:2)
That's the problem. Java consists of a ton of moving parts which get lumped into one concept:
1: The Java language.
2: The Java bytecode.
3: The JVM/JRE.
4: The JDK.
5: The Web plugins.
The Java language is decent. It is arguably the modern day BASIC, where it is fairly easy to get a "hello world" program, and has decent functionality as a general purpose language.
The Java bytecode is also robust. It would be nice if it were more like .NET's IL, where one can use any language of choice, and the compiled o
Re: (Score:2)
Great post.
For the record, though, IE's sandbox is pretty bad. It allows read (though not write) access to a lot of stuff. It also turns off by default when visiting a page on the local network. This sounds sane until you realize that:
A) A sandbox is only useful for containing a browser compromise.
B) A compromised browser can probably run arbitrary code.
C) You can run a web server from inside the sandbox.
D) Localhost counts as a local network page.
E) If you've got a browser compromise, you can definitely direc
Re: (Score:2)
What sites depend on java on the client side? Name me one major site. Hell, even Oracle's site has no Java on it.
(aside from banking websites of a certain unstated country that some other person is complaining about, those banking sites are wrong)
Re: (Score:2)
The PROBLEM with disabling JavaSCRIPT, is that a significant majority of sites use it heavily.
FTFY. Of course you know that JavaSCRIPT has nothing whatever to do with Java, right?
Re:Disable Java* == many broken sites (Score:2)
OK, fine. From now on, I will just say Java*
Re:Disable Java* == many broken sites (Score:2)
OK, so I got the Java* terminology mixed up... with so many variants, it's an easy mistake, so cut me some slack. Why do so many people have to be so bloody vicious? Good grief.
If Java* is left disabled, my bank's WEBsite doesn't work. Facebook doesn't work. Youtube doesn't work. Some online retail sites don't work. The streaming audio from my workplace doesn't work. (We lease a server, it's not our code.) My Web-based e-mail doesn't work... a significant number of sites that I use often, don't work.
So I wi
Until? (Score:2)
Java is the recommended course of action.
FTFY. No need to include a timeframe.
great! (Score:1)
If it wasn't for Minecraft, no end user would be left with Java.
And in the office world, all the scared of MS tards led us down the java path. Thanks guys!
Re: great! (Score:1)
Works fine on java 8 here. Just has to be run as administrator.
Re: (Score:2)
don't forget ACS! And I have some stupid Avocent OOB thing that of course requires JAVA.
Network people who are scared of windows and force this java crapfest are so damned 1997 annoying. Then there are the Oracle heads. Just wish this crap would finally die.
Re: (Score:2)
I'm sure they felt good about themselves after they wrote it.
Try always... (Score:1)
"Until a patch is made, disabling Java is the recommended course of action."
Nope, it's _ALWAYS_ the recommended course of action
Let's just disable Java (Score:2, Insightful)
FTFY
Always disabling Java is the recommended course of action.
Java and Flash on the web are technologies that have come and gone. Now that HTML5 video is prevalent, I'm much more likely to get pwn3d by a zero day than I am to find anything in either Java or Flash that I'd actually miss.
Most browsers already block java by default (Score:2)
But even that might be more than you need. My Firefox always asks if I want to allow Flash or Java to run on any new site. Another dialog comes up to display the code signing details. This seems pretty safe.
That said, the code signing and sandboxing situation for Java IS a holy mess.
Suspicious URLs .. (Score:2)
Is it possible to design a browser that can't be compromised by navigating to 'suspicious URLs'?
Re: (Score:2)
In theory, a server should never be able to compromise a browser (no matter what URL the server is hosted at *eye roll*), so yes, it's possible. Is it *practical*? Probably not. Modern browsers are complex beasts, with tons of attack surface and a constant push towards better performance.
Why the Big Deal? (Score:2)
Firefox and other browsers (and Flash) had 0-day security exploits like forever, but nobody recommends to just stop using the Internet. Also, you can choose to run the Java Applet in a sandbox. There are tons of very useful Java Applets still there, why should I deactivate Java and stop using them now? How is that 0-day exploit going to affect me in any way? It isn't and it won't, especially because Java Apps ask for permission to be run.
https://sites.google.com/site/... [google.com]
downgrading to older bad, because vulnerable ? (Score:2)
From TFA: "downgrading Java to one of the older versions is not a good idea because they are vulnerable to other attacks"
Well, which attacks, and are they not patched?