Cisco Blogs



Latest Oracle Java Patches and Security Best Practices

Java exploits account for 87% of total web exploits - Cisco 2013 Annual Security Report

This month’s release of the Oracle Java SE Critical Patch Update includes patches for 42 vulnerabilities. Vulnerabilities in the Oracle Java SE Java Runtime Environment (JRE) component have received widespread attention as of late because of the potential for an attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition. To make matters worse, Java vulnerabilities are often harnessed by exploit packs with tremendous success.

Many in the industry, as well as Cisco analysts, advise against having Java installed unless absolutely necessary. And if you must have Java installed, they advise using only the Java plug-in and Java Web Start provided with the latest JDK or JRE 7 release. But is there more to it than that?


New Java Vulnerability Being Exploited in the Wild

January 11, 2013 at 5:45 pm PST

The new Oracle Java arbitrary code execution vulnerability has not only hit many news wires and social media outlets, but many victims as well, and it has been incorporated into several exploit kits. This critical vulnerability, as documented in IntelliShield alert 27845, could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user. If the user has administrator privileges, the attacker could completely “own” the system. A fix is currently not available.

Update: Oracle released a software update (JDK7 update 11) that fixes this vulnerability. The update is available on their website. If you disabled Java in the Java Control Panel, you will need to manually re-enable it after installing the patch by using the check box in the Security tab of the Java Control Panel. Oracle’s security advisory and JDK7 update 11 release notes include more information about the patch.

The exploit is now found in several exploit kits!

There are many reports that the vulnerability is being “exploited in the wild”. Not only is the exploit publicly available, but it has been incorporated into exploit kits such as Blackhole, Cool, and Nuclear Pack. Exploit kits make it easy for criminals to spread malicious software using exploits that take advantage of well-known and new vulnerabilities. New exploit kits are loaded with some of the most dangerous zero-day exploits (including this one) and other features, which allow criminals to increase their profits.

The impact to the public is huge! Java is used by millions of users around the world. It is used in Microsoft Windows, Apple’s Mac OS X, and Linux systems, as well as many mobile devices.


Oracle Java Zero Day Vulnerabilities Risks and Mitigations Part 2

In the previous Part 1 post, I discussed the initial response, risk, and mitigations for the recently disclosed zero-day Oracle Java vulnerabilities that attackers have used in attacks against vulnerable end-user systems. Since then, Oracle has released software updates that correct the original flaw documented in IntelliShield alert 26751, as well as additional vulnerabilities, as documented in IntelliShield alert 26831.

Attacks leveraging the Java vulnerabilities have increased, with reports indicating that tens of thousands of systems have been compromised. The malicious software toolkit BlackHole, documented in IntelliShield alert 25108, has incorporated the previously reported Metasploit exploit and can be used to build exploits for use in attacks. Observed exploits have installed the Poison Ivy remote access trojan; once Poison Ivy is installed on a vulnerable system, it may also be used to download and install other malicious software.


New Java Vulnerability Used in Targeted Attacks

Security researchers discovered a Java vulnerability (documented in IntelliShield alert 26751) that attackers are using to install malicious software on victims’ systems. No software updates are available that correct the vulnerability (updates are now available; see Part 2 of the blog). The attacks are currently limited in nature. There have been few reports of attacks that rely on the vulnerability. Now that Metasploit has developed a functional exploit, attacks that leverage this vulnerability become more likely as time goes on. US-CERT has issued a related vulnerability note. Administrators can monitor this and other ongoing activity at the Cisco Security Intelligence Operations portal.

It is not yet clear what attackers hope to gain out of the attacks observed in the wild. Goals may differ between individual attacks. Current exploits appear to install a malicious software dropper that may install other malicious software, but to what end is unknown. Attackers may attempt to install malicious software that monitors keyboard input and network communication, hoping to gain user credentials for either external resources to aid in fraudulent activity or to access other internal systems within the targeted site.