In the previous Part 1 post, I discussed the initial response, risk, and mitigations for the recently disclosed zero-day Oracle Java vulnerabilities that attackers have used in attacks against vulnerable end-user systems. Since then, Oracle has released software updates that correct the original flaw documented in IntelliShield alert 26751, as well as the additional vulnerabilities documented in IntelliShield alert 26831.
Attacks leveraging the Java vulnerabilities have increased, with reports indicating that tens of thousands of systems have been compromised. The BlackHole malicious software toolkit, documented in IntelliShield alert 25108, has incorporated the previously reported Metasploit exploit and can be used to build exploits for use in attacks. Observed exploits have installed the Poison Ivy remote access trojan; once Poison Ivy is installed on a vulnerable system, it may in turn be used to download and install other malicious software.
Another related malicious software sample, downloaded from a malicious website and identified as Trojan.Jorik by many anti-virus products, was observed by Cisco IronPort and is documented in IntelliShield alert 26543. The website was observed distributing the malicious software on August 1st, 2012 in connection with exploits against the Java vulnerability CVE-2012-4681. Cisco IronPort Web Security Appliance devices using this detection can block attempts to exploit the vulnerability and deploy the discovered malicious software.
Anti-virus applications can detect both the Poison Ivy remote access trojan and Trojan.Jorik. Host-based intrusion prevention and anti-virus protections can block known malicious software samples and malicious activity on local systems.
Signature-based detections in IPS devices can block attempts to exploit this vulnerability. Cisco IPS signature packages that contain these signatures are available in signature pack S664.
Administrators are advised to apply the available patch. Software updates for Java are provided in the Oracle Security Alert for CVE-2012-4681; the Java 7 Update 7 patch is available from Oracle. However, when the patch was released, researchers quickly reported that the fix was incomplete and that a vulnerability still remained in Java. Oracle has not responded to this report, and the incomplete fix cannot be verified.
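As an added example (not code from the original post or from Cisco), the following script checks whether a host's Java runtime is at or above the Java 7 Update 7 level that Oracle shipped for CVE-2012-4681, by parsing the "1.7.0_07"-style version string that `java -version` prints to stderr. The sample version outputs are constructed for offline testing; a version at 7u7 only shows the patch was applied, not that the vulnerability is closed, given the report above that the fix was incomplete.

```python
import re
import subprocess

# Java 7 Update 7 is the update the post names for CVE-2012-4681.
PATCHED = (1, 7, 0, 7)

# Constructed sample outputs of `java -version` for offline testing (not real captures).
SAMPLES = {
    "unpatched-7u6": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "patched-7u7": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n',
    "java6": 'java version "1.6.0_33"\n',
    "later-7u9": 'java version "1.7.0_09"\n',
}

# Matches the legacy Java version scheme: major.minor.patch with an optional _update suffix.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, patch, update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def assess(text):
    """Classify a runtime relative to the Java 7u7 patch level."""
    v = parse_java_version(text)
    if v is None:
        return "unknown"
    if v[:2] < (1, 7):
        # The post only covers the Java 7 update; older families need their own review.
        return "java6-or-older"
    return "patched" if v >= PATCHED else "unpatched"


def local_java_version():
    """Run `java -version` on this host (it prints to stderr); None if java is absent."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stderr or out.stdout


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {assess(text)}")
    live = local_java_version()
    print("local:", "no java found" if live is None else assess(live))
```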
Sites that do not rely on Java for critical business operations may consider disabling the Java browser plug-in to avoid attacks that rely upon malicious Java content in websites. Chrome users can visit the chrome://plugins/ URL and select Disable for the Java plugin. Firefox users can open the Add-ons Manager by selecting Add-ons from the Tools menu or using the Ctrl+Shift+A keyboard shortcut, and disable the Java plugin from the Plugins tab. Internet Explorer users can disable Java by selecting Internet Options from the Tools menu, selecting the Programs tab, and selecting the Manage Add-ons button to disable the Java ActiveX controls and browser helper objects. Opera users can set Java to run only on demand in the Advanced Preferences. Safari users can select the Security tab from the Preferences window and uncheck the Enable Java option.
Security managers must decide the appropriate mitigations for each environment. Best practices dictate disabling services and features not necessary to operations, so disabling Java in users' browsers may be performed even in the absence of a vulnerability. Completely removing the application may also be desirable where it is not required. Administrators should apply the available patches from Oracle on systems that require Java. Administrators are also advised to run both firewall and antivirus applications to minimize the potential for inbound and outbound threats.
The Cisco Security Intelligence Operations portal will continue to track additional activity regarding the vulnerabilities. Read Part 1 of this blog for initial findings. Administrators should monitor Cisco Security Intelligence Operations, as well as alerts 26751 and 26831 for new information.