Recently, Oracle released new a version of Java with a difference. Java/1.7.0_13 is the latest version. Its increased the default security from ‘Medium’ to ‘High’, which restricts execution of unsigned applets. It also introduced a new warning to people executing Java code which checks if Java is using the latest version. You might notice the process jusched.exe running on your Windows PC to do this check. The conclusion here is that Oracle is getting serious about keeping its users up to date.
The above notice will give the users three choices: Update, Block or Continue. ‘Update’ will stop the execution and bring the user to the Java website to download the latest and safest version. ‘Block’ will not allow Java from being executed now and in future. By pressing ‘Block’ the user Pressing ‘Later’ button the java code will be executed.
Why this updating matters? It matters because these days the majority of machines exploited are because of Java vulnerabilities. Exploit kits used to deliver a malicious payload to a victims computer are the form of a jar file (Java Archive). This usually happens when the victim visits a compromised website or opens a malicious email. A typical exploit kit has some malicious JavaScript that will test for vulnerable Java versions (amongst other things). Once the script has found the vulnerable version, it will automatically try to execute a malicious jar file to gain control of the machine. Some examples of successful exploitation that we have seen at the SOC recently:
- hxxp://nika16.nazwa.pl/332.jar Java/1.6.0_14
- hxxp://stp.softupcheck.info/28ce4a88eed0ccb186520e43a867c384/1359543705/9ojy9x.app Java/1.6.0_20
- hxxp://kh.jimmywalkermusic.com /WtfWQjU.jar Java/1.6.0_37
- hxxp://www1.v4xm7g02agdn0.undo.it/mkbrifd.jar Java/1.6.0_38
- hxxp://uvyesn.dyndns-at-home.com/funds/1z9a02laoa15yy1591g5.jar Java/1.7.0_06
Above shows part of a web interface for a botnet that has over 17500 successfully exploited systems using this blackhole exploit kit, we can see that over 78% of the systems was compromised by a Java exploit. This percentage is common and similar in other exploit kits, showing that Java continues to be the most commonly attacked application.
It would seem that users, don’t update software regularly and this is why the recent move by Oracle is important. Hopefully, this will stop the bad guys (continuously) taking advantage of that fact.
In the wild, we have seen the all types of old Java virtual machines getting compromised, anyone with these versions are obviously vulnerable. It is highly recommended that you either disable/uninstall Java or if you must use it make sure it is always up to date. Oracle’s increased focus on security stems from the need for better security in the software we use everyday, if this doesn’t happen maybe users and organisations will simply not accept it because it is too risky to have installed anymore.
Barry Weymes et al, Security Analyst at the Fox-IT Security Operations Center.