Tag Archives: Java

Year 2012 Main Exploitable Vulnerabilities Interactive Timeline

By clicking on the following image, you can find an interactive timeline visualization of the main exploitable vulnerabilities of 2012.

The start date of a slide corresponds to:

  • the date of discovery of the vulnerability, or
  • the date of report to the vendor, or
  • the date of public release of the vulnerability

The end date of a slide corresponds to:

  • the date of vendor security alert notification, or
  • the date of Metasploit integration, or
  • the date of fix, or
  • the date of PoC disclosure

Bye Bye Java SE 6, Security Enhancements in Java SE 7U10

As you may know, the Oracle Java SE 6 major release will reach end-of-life (EOL) after February 2013, or more precisely Oracle will no longer release public updates for it after that date. Oracle customers can, however, buy commercial support for Oracle Java SE 6 in order to keep receiving support until December 2016 and beyond. Oracle will also force the update to JSE 7 through an auto-update process that starts in December 2012 (wasn’t I already forced to update in July?).

Oracle has been shipping its new Java SE 7 major release since July 2011 and has been pushing users to update to JSE 7 since the JSE 6U33 minor release.

2012 is surely the year of Java vulnerabilities. Of the 58 vulnerabilities reported for 2012 (February CPU, June CPU, the CVE-2012-4681 Security Alert and October CPU), 2 (3.45%) were discovered exploited in the wild and 3 (5.17%) others were developed by white hat security researchers.

The median CVSS score of the 58 vulnerabilities was 7.5: 31 (53.45%) had a CVSS score of 7.0 or above, 21 (36.21%) had a score from 4.0 to 6.9, and 6 (10.34%) had a score from 0.0 to 3.9.

[Figure: 2012 Oracle Java CVSS score repartition]

CVE-2012-4681 was discovered exploited in the wild at the end of August, targeting JSE 7 and JSE 6, and forced Oracle to push an out-of-band patch. CVE-2012-5076 was discovered exploited in the wild in November, targeting JSE 7, but had already been patched in the October CPU.

CVE-2012-0500, targeting JSE 7 and JSE 6, was fixed in the February CPU on the 14th, and was integrated into Metasploit on 23 February after details were disclosed by a white hat security researcher. CVE-2012-0507, targeting JSE 7 and JSE 6, was also fixed in the February CPU on the 14th, and was integrated into Metasploit on 29 March after details were disclosed by a white hat security researcher. CVE-2012-1723, targeting JSE 7 and JSE 6, was fixed in the June CPU on the 12th, and was integrated into Metasploit on 9 July after details were disclosed by a white hat security researcher.

Of the 58 vulnerabilities patched in the 2012 CPUs and alerts, 100% affected JSE 7 and 84.48% (49) affected JSE 6. Of the 5 public exploits, 4 target both JSE 7 and JSE 6, and the last one targets only JSE 7.

[Figure: 2012 Oracle Java CVSS data]

All the data are available by clicking on the following link.

All the exploited or disclosed JSE vulnerabilities have been integrated into exploit kits such as BlackHole, Gong Da, KaiXin, Cool, etc. If you take a look at the DeepEnd Research Common Exploit Kits 2012 Poster, the contagio Exploit Pack tables and my recent studies of the Gong Da, KaiXin and Cool exploit kits, you can see how the integration is distributed. I also recommend reading @kafeine’s blog in order to monitor EK evolutions.

Exploit kit integration of the five public exploits (kits: Black Hole EK, Cool EK, Gong Da EK, KaiXin EK, Phoenix EK, ProPack EK; each X marks one kit that integrated the exploit):

  • CVE-2012-0500: X (1 kit)
  • CVE-2012-0507: X X X X (4 kits)
  • CVE-2012-1723: X X X X X (5 kits)
  • CVE-2012-4681: X X X X X (5 kits)
  • CVE-2012-5076: X X X X X (5 kits)

[Screenshot: Java 7u10 new security features]

JSE 7U10 was released one week ago and introduces some security enhancements. These enhancements are probably Oracle’s response to Apple’s removal of all Oracle Java browser plug-ins in October, and include:

  • The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on the Microsoft Windows platform only) using a command-line install argument.
  • The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Five levels of security are supported, plus a custom security level setting. This feature can be set in the Java Control Panel or (on the Microsoft Windows platform only) using a command-line install argument.

[Screenshot: Java 7u10 security levels]

  • New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.

Be aware that in some upgrade cases from JSE 6 to JSE 7, the Java Control Panel disappears from the Windows Control Panel. If that happens, browse to the C:\Program Files\Java\jre7\bin folder and run the javacpl.exe binary.

Regarding the security levels, the five levels are:

  • Custom: You can customize all the security settings based on your needs.

[Screenshot: JRE 7u10 custom security settings]

  • Low: Most unsigned Java apps in the browser will run without prompting unless they request access to a specific old version or to protected resources on the system.
  • Medium: Default security level. Unsigned Java apps in the browser will run without prompting only if the Java version is considered secure (screenshot below). You will be prompted if an unsigned app requests to run on an old version of Java.

[Screenshot: Java 7u10 Medium security level]

  • High: You will be prompted before any unsigned Java app runs in the browser (screenshot below).

[Screenshot: Java 7u10 High security level]

  • Very High: You will be prompted before any Java app runs in the browser. If your version of Java is insecure, unsigned apps will not run.

[Screenshot: Java 7u10 Very High security level]
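As an added example, not code from the original post, the following Python script audits a deployment.properties file for the two 7u10 settings described above: whether Java is allowed to run in the browser, and which security level is selected. It assumes that the property names deployment.webjava.enabled and deployment.security.level are the keys behind those Java Control Panel options, and that a key with the .locked suffix pins a setting so the user cannot change it in javacpl.exe; the two sample files are constructed for the example.

```python
import re

# Security levels as named in the 7u10 Java Control Panel, weakest to strongest.
# CUSTOM is handled separately because its strength depends on the individual settings.
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}

# Constructed sample: a workstation where the plug-in is still enabled at the default level.
SAMPLE_WEAK = """\
#deployment.properties
#Mon Dec 17 2012
deployment.version=7.10
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

# Constructed sample: Java disabled in the browser and both settings locked by an administrator.
SAMPLE_HARDENED = """\
deployment.version=7.10
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

# key, optional separator ('=', ':' or whitespace), value
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse the java.util.Properties text format used by deployment.properties.

    Handles '#'/'!' comment lines, '=' ':' or whitespace separators, keys without
    a value (the .locked markers) and backslash line continuations. Backslash
    escapes inside keys are not needed for deployment.* keys and are not handled.
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + line
            pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props, minimum_level="HIGH"):
    """Return (severity, message) findings. Defaults mirror the 7u10 behaviour the
    post describes: Java in the browser enabled, security level MEDIUM."""
    findings = []
    web_java = props.get("deployment.webjava.enabled", "true").strip().lower()
    locked = "deployment.webjava.enabled.locked" in props
    if web_java == "false":
        findings.append(("OK", "Java in the browser is disabled"
                         + (" (locked by administrator)" if locked else "")))
        return findings  # nothing else matters once the plug-in is off
    findings.append(("WARN", "Java applets and Web Start apps may run in the browser"))
    level = props.get("deployment.security.level", "MEDIUM").strip().upper()
    if level == "CUSTOM":
        findings.append(("WARN", "security level is CUSTOM; review the individual settings"))
    elif level not in LEVEL_RANK:
        findings.append(("WARN", "unknown security level %r" % level))
    elif LEVEL_RANK[level] < LEVEL_RANK[minimum_level]:
        findings.append(("WARN", "security level %s is below required %s" % (level, minimum_level)))
    else:
        findings.append(("OK", "security level %s meets required %s" % (level, minimum_level)))
    if "deployment.security.level.locked" not in props:
        findings.append(("INFO", "security level is not locked; users can lower it in javacpl.exe"))
    return findings


def worst(findings):
    """Highest severity among the findings, for a one-line verdict per host."""
    order = {"OK": 0, "INFO": 1, "WARN": 2}
    return max((sev for sev, _ in findings), key=order.get)


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = audit(parse_properties(text))
        print("%s: %s" % (name, worst(result)))
        for sev, msg in result:
            print("  [%s] %s" % (sev, msg))
```

To audit a real workstation, read the per-user file (on Windows 7 it normally sits under the user's AppData\LocalLow\Sun\Java\Deployment folder) or the system-wide file referenced by deployment.config, and feed its contents to parse_properties.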

Java SE 7 is really immature, judging by the number of vulnerabilities and existing bugs, but Oracle doesn’t give users the choice. You have to migrate to JSE 7. So bye bye JSE 6.

KaiXin Exploit Kit Evolutions

At the beginning of August, Kahu Security discovered a new Chinese exploit kit named KaiXin EK. Like its blood brother Gong Da (Gondad) EK, this exploit kit was using the “Yszz vip” JavaScript obfuscation.

The August version of KaiXin was supporting:

The November version of KaiXin has evolved by removing support for Oracle Java CVE-2012-0507 and for CVE-2012-0754, and by adding support for Oracle Java CVE-2012-1723 (fixed in the June 2012 CPU), Oracle Java CVE-2012-4681 (fixed in the end-of-August Oracle Security Alert) and Oracle Java CVE-2012-5076 (fixed in the October 2012 CPU).

Below is a VirusTotal analysis of all the files involved:

The following diagram describes how the November version of KaiXin EK works.


Cool Exploit Kit Remove Support of Java CVE-2012-1723

At the beginning of November, @Kafeine discovered that Cool EK (Exploit Kit) had integrated an exploit for an Oracle Java vulnerability fixed in 7U9. The new exploit targeted the CVE-2012-5076 vulnerability through the “new.jar” file.

The November version of Cool EK was supporting:

The following diagram describes how the November version of Cool EK was working.

A few days ago, Cool EK evolved by removing support for the Oracle Java CVE-2012-1723 vulnerability and replacing the “new.jar” file with a streamed “java.php” file. The new “java.php” is detected by only 3/44 anti-virus engines on VirusTotal, whereas the November version, aka “new.jar”, was detected by 28/46 anti-virus engines on VirusTotal.

In the November version, “file.jar” requested “myfile.dll” through a “/r/f.php?k=1&e=0&f=0” request and “new.jar” requested the same DLL file through a “/r/f.php?k=2&e=0&f=0” request. In the December version, all these requests have been replaced with a single request to “/r/f.php?k=1”.
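The request shapes above give a defender something concrete to hunt for in web proxy logs. The following Python script is an added example, not code from the original post: it parses combined-format access log lines, classifies the stage-1 artefacts named in the post (“file.jar”, “new.jar”, “java.php”) and the stage-2 “/r/f.php” payload requests of the November and December variants, and raises a high-confidence alert when one client fetches an exploit file and then the payload within a short window. The log lines, client addresses and user agents are constructed for the example; the 60-second window is an assumed tuning value.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log in combined format (placeholder clients and sizes).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2012:14:02:11 +0100] "GET /r/file.jar HTTP/1.1" 200 18342 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_07"
10.0.0.5 - - [10/Dec/2012:14:02:13 +0100] "GET /r/f.php?k=1&e=0&f=0 HTTP/1.1" 200 93184 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_07"
10.0.0.7 - - [10/Dec/2012:14:05:40 +0100] "GET /r/java.php HTTP/1.1" 200 17990 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_09"
10.0.0.7 - - [10/Dec/2012:14:05:42 +0100] "GET /r/f.php?k=1 HTTP/1.1" 200 93184 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_09"
10.0.0.9 - - [10/Dec/2012:14:07:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2012:14:07:05 +0100] "GET /r/f.php?k=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Stage-1 file names named in the post (JAR exploits, then the streamed java.php).
EXPLOIT_FILES = {"file.jar", "new.jar", "java.php"}
# Stage-2 payload (myfile.dll) request variants named in the post, by query string.
PAYLOAD_QUERIES = {
    "k=1&e=0&f=0": "November (file.jar)",
    "k=2&e=0&f=0": "November (new.jar)",
    "k=1": "December",
}


def classify(target):
    """Map a request target to ('exploit', file name), ('payload', variant) or None."""
    parts = urlsplit(target)
    name = parts.path.rsplit("/", 1)[-1]
    if name in EXPLOIT_FILES:
        return ("exploit", name)
    if name == "f.php" and parts.query in PAYLOAD_QUERIES:
        return ("payload", PAYLOAD_QUERIES[parts.query])
    return None


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status, ua = m.groups()
    return {
        "client": client,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "target": target,
        "status": int(status),
        "ua": ua,
    }


def detect(lines, window=60):
    """Correlate exploit-file fetches with payload requests per client.

    Returns (client, severity, message) tuples: HIGH when the payload request
    follows an exploit file from the same client within `window` seconds,
    otherwise MEDIUM for a Java plug-in user agent and LOW for anything else.
    """
    alerts = []
    last_exploit = {}  # client -> (time, file name)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["target"])
        if hit is None:
            continue
        kind, detail = hit
        if kind == "exploit":
            last_exploit[rec["client"]] = (rec["time"], detail)
            continue
        prev = last_exploit.get(rec["client"])
        if prev and (rec["time"] - prev[0]).total_seconds() <= window:
            alerts.append((rec["client"], "HIGH",
                           "%s fetched, then Cool EK %s payload request" % (prev[1], detail)))
        else:
            sev = "MEDIUM" if "Java/" in rec["ua"] else "LOW"
            alerts.append((rec["client"], sev,
                           "Cool EK %s payload request without a preceding exploit file" % detail))
    return alerts


if __name__ == "__main__":
    for client, sev, msg in detect(SAMPLE_LOG.splitlines()):
        print("%-8s %-6s %s" % (sev, client, msg))
```

The path-and-query match is deliberately exact: “/r/f.php” with a different k value is ignored, so the rule stays quiet on unrelated f.php scripts, and any change in the kit’s request format (as happened between November and December) means the PAYLOAD_QUERIES table has to be updated rather than silently matching.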

The following diagram describes how the December version of Cool EK works.