A serious new vulnerability notice about Java exploits has been issued by the Department of Homeland Security’s Cybersecurity Division. Java 7 Update 10 and earlier contain a vulnerability that can allow a remote attacker to execute malware on vulnerable systems.
A French researcher called Kafeine discovered that a number of websites using the exploit are able to download files directly to the victim’s computer and execute actions such as installing ransomware. “Hundreds of thousands of hits daily where I found it,” he wrote on his blog. “This could be a mayhem.”
Disable Java in web browsers
Some webpages may include content or apps that use the Java plug-in. There is no fix for this yet, so it is recommended that you protect yourself by disabling Java in your particular browser. Please see our previous blog post, “How do I disable Java in my browser”, for instructions.
For a higher level of security, it is possible to entirely prevent any Java apps from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab. Disabling Java through the Java Control Panel will disable Java in all browsers.
Last month we wrote about a flaw in Microsoft’s Internet Explorer that could allow cybercrooks to take control of a Windows-based computer if the user browses to a malicious website. The website making news for that attack was the US-based think tank, the Council on Foreign Relations (CFR). Avast Virus Lab has since discovered that two Chinese human rights sites, a Hong Kong newspaper site, a Russian science site, and weirdly, a Baptist website (see the recent tweet) are also infected with the Flash exploit of IE8.
You can imagine the interesting audience that frequents sites such as these. The CFR, for example, attracts high ranking government officials including former presidents and secretaries of state, ambassadors, journalists, and leaders of industry. These sites were chosen on purpose; instead of targeting the general masses, like in a phishing attack, the perpetrators of a so-called “watering hole attack” target specific topics like defense or energy and lie in wait for persons of interest to visit, similar to a predator at a watering hole waiting for its victims to come to it. Read more…
Researchers have determined that an attack which can wipe data from Samsung Android devices when visiting a malicious website can also be used to lock the SIM cards or completely wipe all of the data from many other Android phones. In addition to web pages, the attack can be triggered through SMS, or by a rogue NFC tag or QR code.
Mobile geek Dylan Reeve explains how the attack works. Computerworld summarizes it like this: “The attack can be launched from a Web page by loading a ‘tel:’ URI (uniform resource identifier) with a special factory reset code inside an iframe. If the page is visited from a vulnerable device, the dialer application automatically executes the code and performs a factory reset.”
Check if your smartphone is vulnerable
Here is a way for you to check if your phone is vulnerable to this remote wipe threat: Visit http://dylanreeve.com/phone.php on your Android device, and if your phone is vulnerable, you’ll immediately see your phone’s IMEI number pop up. I checked my HTC Google Nexus One this way, and it came back as being vulnerable. Other phones reported to be affected include the HTC One X, Motorola Defy, Sony Xperia Active, Sony Xperia Arc S, and the HTC Desire. Reeve says that Samsung has fixed the USSD/MMI code execution issue for Galaxy S III devices; beyond that, it appears that all 4.1-based builds are safe, and some 4.0.4 builds as well.
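The mechanism described above is a page handing the dialer a “tel:” URI without any user action, so the useful generic check on the web side is: does this HTML contain a tel: URI, in an auto-loading position, whose number part carries USSD/MMI syntax (the characters * or #)? The scanner below is an added example written for this post; it is not code from Avast, Dylan Reeve or Computerworld. The sample page is constructed, and the codes inside it are placeholders rather than any real MMI sequence; the detector never needs the real reset code, because an automatically loaded tel: URI containing * or # is suspicious on its own.

```python
"""Flag HTML that tries to push USSD/MMI codes to the Android dialer.

Added example (not from the Avast blog). It scans the places a page can use to
launch the dialer without a click (iframe/frame/embed/object src, meta refresh)
as well as ordinary links, and reports tel: URIs whose number part contains the
USSD/MMI characters '*' or '#'. Sample input is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import unquote

AUTO_LOAD_TAGS = ("iframe", "frame", "embed", "object", "meta")


class TelUriCollector(HTMLParser):
    """Collect every tel: URI the page could hand to the dialer."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, percent-decoded URI)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = []
        if tag in ("iframe", "frame", "embed", "object") and attrs.get("src"):
            candidates.append(("src", attrs["src"]))
        if tag == "a" and attrs.get("href"):
            candidates.append(("href", attrs["href"]))
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=tel:..." -> keep the part after "url="
            content = attrs.get("content", "")
            idx = content.lower().find("url=")
            if idx != -1:
                candidates.append(("content", content[idx + 4:].strip()))
        for attr, value in candidates:
            uri = unquote(value.strip())  # %2A -> '*', %23 -> '#'
            if uri.lower().startswith("tel:"):
                self.findings.append((tag, attr, uri))


def is_ussd_uri(uri):
    """True if the tel: URI's number part uses USSD/MMI syntax ('*' or '#')."""
    number = uri[len("tel:"):].split("?", 1)[0]
    return "*" in number or "#" in number


def scan_html(html):
    """Return (tag, attr, uri, trigger) for every USSD-style tel: URI found.

    trigger is 'auto' when the element fires without a click (iframe, meta
    refresh, ...) and 'click' for a plain link the user would have to tap.
    """
    parser = TelUriCollector()
    parser.feed(html)
    parser.close()
    return [
        (tag, attr, uri, "auto" if tag in AUTO_LOAD_TAGS else "click")
        for tag, attr, uri in parser.findings
        if is_ussd_uri(uri)
    ]


# Constructed sample page: one harmless phone link, one hidden iframe and one
# meta refresh that both push a placeholder MMI-style code to the dialer.
SAMPLE_PAGE = """<html><body>
<p>Contact us: <a href="tel:+15550100">call</a></p>
<iframe src="tel:*%23CONSTRUCTED%23" style="display:none"></iframe>
<meta http-equiv="refresh" content="0; url=tel:%2A%23EXAMPLE%23">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, uri, trigger in scan_html(SAMPLE_PAGE):
        print(f"{trigger:5} <{tag} {attr}> {uri}")
```

The plain `tel:+15550100` link is not reported because its number part contains neither * nor #; the two hidden elements are reported as `auto` because an iframe and a meta refresh load without any tap, which is exactly the property that made the original attack work. Percent-decoding before matching matters: the USSD characters are usually encoded in the URI.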
Currently avast! Mobile Security is actively blocking URLs containing malicious code that triggers the exploit. Our Android users can expect an update containing protection against this kind of attack soon. We’ll let you know when that is released.
Edit: We are pleased to confirm that the newest update of avast! Free Mobile Security protects against USSD attacks, without installing additional tools. All you need to do is to accept the program update offered by avast! on your smartphone. Please share this message with your friends who are Android smartphone owners. They might need avast! Mobile Security too. Thank you.
It is not only users visiting high-risk sites who need avast! protection. Visitors to the well-known site samsungimaging.net (the Samsung SMART CAMERA blog), for example, were able to see that avast! protected them from a threat.
Yesterday, AVAST began to detect malicious Java content on this site.
Thanks for reading the avast! blog. As Jiri Sejtko described in our blog today, serious security flaws in Java version 7 allow hackers to take control of PCs and Macs. The Avast Virus Lab is releasing generic detections and using behavioral and dynamic detection mechanisms to protect our users; however, they also recommend that you disable Java in your browsers. The Virus Lab explains the exploit in detail on our blog, and here are instructions on how to unplug Java from different browsers.
For Windows: go to Start > Control Panel, click the Uninstall a program link. Find Java on the list of programs. If you have version 7, uninstall it.
For Mozilla Firefox: From the main menu select Tools > Add-ons. In the Add-on management window, choose Plugins. Find any plugins on the list that say Java and click the Disable button. Restart Firefox.
For Google Chrome: Type “chrome://plugins/” (minus the quotes) into the browser address bar. Find any plugins on the list that say Java and click the Disable button.
For Internet Explorer: I have been told that disabling Java in IE is complicated. The U.S. Computer Emergency Response Team (US-CERT) has some steps here. This may be a good time to switch to a different browser.
For Safari: Click Preferences > Security tab > uncheck the Enable Java option.
For Opera: Type “opera:plugins” (minus the quotes) into the browser’s address bar. Find any plugins on the list that say Java and click the Disable button.
For OS X 10.7 and 10.8: go to Macintosh HD/Library/Java/JavaVirtualMachines/ and remove the 1.7.0.jdk file. Older versions of OS X run Java 6.
Also, make sure that you have up-to-date avast! antivirus protection, because avast! detects the latest Java zero-day exploit in real time as Java:Dong-A [Expl]. We would appreciate your recommendation as well. We make it easy to share with your Facebook friends via our Recommend avast! app. Thank you!
edit: added Opera instructions
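The Windows step above asks you to uninstall Java if it is version 7, and the DHS notice at the top of this page gives the affected range as Java 7 Update 10 and earlier. Before walking through the per-browser steps it helps to know which runtime is actually installed, and the version line printed by `java -version` (to stderr) is the quickest source. The script below is an added example, not Avast's or US-CERT's code: it parses that line into numbers and classifies the build against the Update 10 boundary. The version strings used as samples are constructed; the `installed_java_version` helper runs the real `java` binary if one is on the PATH and returns None otherwise.

```python
"""Classify an installed JRE against the Java 7 Update 10 advisory.

Added example, not from the Avast blog. `java -version` prints a line such as
    java version "1.7.0_10"
to stderr. parse_java_version() turns that into (major, minor, patch, update)
and classify() reports whether the build falls in the affected range
(Java 7, Update 10 or earlier). Sample lines below are constructed.
"""
import re
import subprocess

# Matches 1.7.0_10, 1.6.0_37 and also newer forms such as 11.0.2 or 9.
VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')

AFFECTED_FAMILY = (1, 7)   # Java 7 is reported as 1.7.x
LAST_AFFECTED_UPDATE = 10  # "Java 7 Update 10 and earlier" per the DHS notice


def parse_java_version(text):
    """Return (major, minor, patch, update) from `java -version` output, or None."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def classify(version):
    """Map a parsed version to one of: affected, java7-later, other, unknown."""
    if version is None:
        return "unknown"
    major, minor, _patch, update = version
    if (major, minor) != AFFECTED_FAMILY:
        return "other"          # Java 6, Java 8, ... are outside this notice
    if update <= LAST_AFFECTED_UPDATE:
        return "affected"       # Java 7 Update 0..10: disable or uninstall
    return "java7-later"        # Java 7 Update 11 or newer


def installed_java_version():
    """Run the local `java -version` and parse it; None if Java is not installed."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # Java writes the banner to stderr; fall back to stdout just in case.
    return parse_java_version(proc.stderr or proc.stdout)


# Constructed sample banners, as `java -version` would print them.
SAMPLE_BANNERS = [
    'java version "1.7.0_10"',   # exactly the last affected update
    'java version "1.7.0_06"',   # older Java 7 build
    'java version "1.7.0_11"',   # first update after the affected range
    'java version "1.6.0_37"',   # Java 6 family, outside this notice
    'openjdk version "11.0.2"',  # modern banner shape, also outside it
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:30} -> {classify(parse_java_version(banner))}")
    print("this machine ->", classify(installed_java_version()))
```

Only the Java 7 family is matched against the Update 10 boundary, because that is the range the notice names; anything else is reported as `other` rather than silently treated as safe, and an unparseable banner is reported as `unknown` so the absence of a match is never mistaken for the absence of Java.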
New vulnerabilities in Oracle’s Java Runtime Environment (JRE) have recently been discovered in the wild (the first vulnerability was originally reported by FireEye, the second described by Esteban Guillardoy). The vulnerabilities target the newest version of JRE (1.7), and even with the latest update (JRE 1.7 update 6) your machine is in danger and easily exploitable. According to Oracle’s patching cycle, a patch is nowhere in sight. So scary, and Java again! But it is even worse!
The most successful exploit kit has quickly adopted these bugs, as Brian Krebs predicted earlier. So all the current Blackhole campaigns use these exploits in order to infect victims. In addition, the exploitation is confirmed to work using Internet Explorer, Firefox, Opera, Google Chrome and also Safari on multiple platforms, including Windows, Linux and Mac OS.
Do you really think this can’t be worse? Oracle has known about these (and also other) vulnerabilities since April, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.
Ms. Meyer’s official website (www.stepheniemeyer.com) has fallen victim to a sinister force known as the CRiMEPACK exploit pack. CRiMEPACK is designed to take advantage of a number of vulnerabilities in the applications installed on a visitor’s system. When it finds an opening, it delivers malicious code that converts the system into a zombie, which becomes part of a network of criminal activity.
So steer clear of her website for now, until some zombie killers arrive on the scene.
Here is an image of the highlighted redirector code injected into the landing page.
The Duqu malware has raised the specter of Stuxnet II, with some in the security community claiming that this new Trojan is a reverse-engineered copy of Stuxnet – the infamous malware that may have sold more newspapers than it damaged nuclear centrifuges. Unlike Stuxnet, Duqu is designed to steal data from the targeted organization, not just destroy equipment. First noticed this summer, Duqu self-destructed after 30 days, then vanished again into cyberspace.