Cisco Blogs


Oracle Java Zero Day Vulnerabilities Risks and Mitigations Part 2

In the previous Part 1 post, I discussed the initial response, risk, and mitigations for the recently disclosed zero-day Oracle Java vulnerabilities that attackers have used in attacks against vulnerable end-user systems. Since then, Oracle has released software updates that correct the original flaw documented in IntelliShield alert 26751, as well as additional vulnerabilities documented in IntelliShield alert 26831.

Attacks leveraging the Java vulnerabilities have increased, with reports indicating that tens of thousands of systems have been compromised. The malicious software toolkit BlackHole, documented in IntelliShield alert 25108, has incorporated the previously reported Metasploit exploit and can be used to build exploits for use in attacks. Observed exploits have installed the Poison Ivy remote access trojan, and once Poison Ivy is installed on a vulnerable system, other malicious software may also be downloaded and installed using it.


New Java Vulnerability Used in Targeted Attacks

Security researchers discovered a Java vulnerability (documented in IntelliShield alert 26751) that attackers are using to install malicious software on a victim’s systems. No software updates are available that correct the vulnerability. (Updates are now available; see Part 2 of the blog.) The attacks are currently limited in nature. There have been few reports of attacks that rely on the vulnerability. Now that Metasploit has developed a functional exploit, continued attacks that leverage this vulnerability increase in likelihood as time goes on. US-CERT has issued a related vulnerability note. Administrators can monitor this and other ongoing activity at the Cisco Security Intelligence Operations portal.

It is not yet clear what attackers hope to gain out of the attacks observed in the wild. Goals may differ between individual attacks. Current exploits appear to install a malicious software dropper that may install other malicious software, but to what end is unknown. Attackers may attempt to install malicious software that monitors keyboard input and network communication, hoping to gain user credentials for either external resources to aid in fraudulent activity or to access other internal systems within the targeted site.

Resurrecting MPI and Java

Back in the ’90s, there was a huge bubble of activity about Java in academic circles.  It was the new language that was going to take over the world.  An immense amount of research was produced mapping classic computer science issues into Java.

Among the projects produced were several that tried to bring MPI to Java.  That is, they added a set of Java bindings over existing C-based MPI implementations.  However, many in the HPC crowd eschewed Java for compute- or communication-heavy applications because of performance overheads inherent to the Java language and runtime implementations.

Hence, the Java+MPI=HPC efforts didn’t get too much traction.

But even though the computer science Java bubble eventually ended, Java has become quite an important language in the enterprise.  Java run-time environments, compilers, and programming models have steadily improved over the years.  Java is now commonly used for many different types of compute-heavy enterprise applications.


Downloading, Carts and Java

More than a year ago, we introduced a feature in the Cisco.com download flow that allows you to download multiple images at once, which are stored in a cart.  This feature was created at the request of customers and partners, some 42% of whom told us they really needed multi-file downloads.  At the time, the cart feature only used Java, which was a challenge for some users. But back in October we introduced a “non-Java” setting for the cart.  Even though this has been active for a few months, I thought I would point it out in case you haven’t noticed it yet.

Here’s how it works.  If you want a simple list – rather than the Java-based Download Manager – just look for the “Non Java Download” option when you get to the download cart screen:

If you select this as your default, you’ll see the following screen instead of the download manager.  No Java needed. This is all customizable by you!

We’re continuing to work on the download flows in order to support a wide range of download scenarios. I know the Cisco.com download team would like to hear from you about specific needs you have around the download experience, and if you leave a (polite, honest and thoughtful) comment here they will read your comments and can follow up with you directly.

P.S. Just so you don’t complain that I’m a complete Java-hater of some kind, here is my coffee cup :-)


Java Exploits Another Example of Tomorrow’s Threat Landscape, Today

The last two years seem dominated by PDF vulnerabilities. As far as the specification and its various readers are concerned, there is likely more sour fruit yet to be uncovered; it’s simply too complex and full of dangerous “features.” But a few blogs have recently hinted that there may be a new vector emerging with surprising popularity. Brian Krebs suggests that exploit crimeware packages have begun reporting significant success rates with Java exploits; data collected by the Microsoft Malware Protection Center (MMPC) seems to agree. After taking a look at what Cisco ScanSafe had to share on the topic, it seems clear that the threat landscape appears to be shifting under our noses.
