I recently identified [1] software security [2] issues (#2), especially related to Java [3], as one of the most significant software development themes of 2012 [1]. Not even a month into 2013, a news story receiving a lot of press is the U.S. Department of Homeland Security [4]'s issuing of Alert (TA13-010A) [5], which is described with more technical details in Vulnerability Note VU#625617 [6]. Oracle has since released a Security Alert for CVE-2013-0422 [7].
Vulnerability Note VU#625617 [6] includes a paragraph that is particularly insightful:
By leveraging a vulnerability in the Java Management Extensions [8] (JMX [9]) MBean [10] components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving recursive use of the Reflection API via the invokeWithArguments [11] method of the MethodHandle [12] class, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() [13] function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7 [14], and subsequently IcedTea [15], are also affected. The invokeWithArguments method was introduced with Java 7, so therefore Java 6 is not affected.
The above scenario is described in great detail in Tim Boudreau [16]'s excellent The Java Security Exploit in (Mostly) Plain English [17], and he references the Java 0day 1.7.0_10 decrypted source code [18], which shows code that takes advantage of the described combination of JMX and MethodHandle vulnerabilities. Kafeine [19]'s (Malware don't need Coffee [20]) post 0 day 1.7u10 (CVE-2013-0422) spotted in the Wild - Disable Java Plugin NOW ! [21] provides numerous screen snapshots to illustrate this Java Zero-Day Malware [22] in action.
The TA13-010A [23]/CVE-2013-0422 [24] Java Zero Day Vulnerability [25] has made the mainstream news with coverage by Norton/Symantec (What's All the Buzz About Java? Fixing The Vulnerability [26] and Java Zero-Day Dished Up from Cool Exploit Kit [27]), McAfee (Java Zero-Day Vulnerability Pushes Out Crimeware [28]), InformationWeek (Java Zero Day Attack: Second Bug Found [29]), Fox News (Reuters: As Hacking Concerns Build, U.S. Warns on Java Software [30]), CNN (Critical Java vulnerability due to incomplete earlier patch [31]), and many more news outlets.
As stated above, Oracle has issued a patch, but the Department of Homeland Security still recommends disabling Java in the browser.
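As an added example (not from the original post or from any of the cited sources), here is a small Python triage script that applies the affected-version range quoted above from VU#625617 (Java 7 Update 10 and earlier; Java 6 unaffected) to the output of `java -version`, so an administrator can flag installs that still need Oracle's patch or the browser plugin disabled. The host names and version output are constructed samples, and the statement that Oracle's fix shipped as Java 7 Update 11 is the writer's addition, not something the post itself says.

```python
import re

# Affected range quoted above from VU#625617: Oracle Java 7 Update 10 and every
# earlier Java 7 release (OpenJDK 7 / IcedTea included). Java 6 has no
# MethodHandle.invokeWithArguments and is not affected. Oracle's fix for
# CVE-2013-0422 shipped as Java 7 Update 11 (writer's addition).
LAST_AFFECTED_UPDATE = 10

# Version token as printed by `java -version`, e.g. 1.7.0_10, 1.6.0_37 or a bare
# 1.7.0 (no update number, which is treated as update 0). A trailing suffix
# such as "-ea" is tolerated because the pattern is not end-anchored.
_VERSION_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")


def parse_java_version(token):
    """Return (major, update) for a 1.x.y[_u] token, or None if it is not one."""
    m = _VERSION_RE.match(token.strip())
    if m is None:
        return None
    update = int(m.group(2)) if m.group(2) else 0
    return int(m.group(1)), update


def is_affected(token):
    """True if the version lies in the range VU#625617 lists as affected."""
    parsed = parse_java_version(token)
    if parsed is None:
        raise ValueError("unrecognised Java version token: %r" % token)
    major, update = parsed
    return major == 7 and update <= LAST_AFFECTED_UPDATE


def triage(java_version_output):
    """Classify `java -version` output as AFFECTED or not affected."""
    m = re.search(r'version "([^"]+)"', java_version_output)
    if m is None:
        raise ValueError("no version string found in: %r" % java_version_output)
    return "AFFECTED" if is_affected(m.group(1)) else "not affected"


# Constructed sample output in the shape `java -version` prints, one per host.
SAMPLES = {
    "host-a": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "host-b": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    "host-c": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment (build 1.6.0_37-b06)',
    "host-d": 'java version "1.7.0_09"\nOpenJDK Runtime Environment (IcedTea7 2.3.3)',
}

if __name__ == "__main__":
    for host, output in sorted(SAMPLES.items()):
        print("%s: %s" % (host, triage(output)))
```

Feed it the real `java -version` output of each machine (the JRE a browser plugin uses may differ from the one on the PATH, so check that one explicitly).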
Links:
[1] http://marxsoftware.blogspot.com/2012/12/big-news-2012.html
[2] https://buildsecurityin.us-cert.gov/bsi/547-BSI.html
[3] http://www.informationweek.com/security/attacks/java-zero-day-malware-attack-6-facts/240006535
[4] http://www.dhs.gov/
[5] http://www.us-cert.gov/cas/techalerts/TA13-010A.html
[6] http://www.kb.cert.org/vuls/id/625617
[7] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
[8] http://www.oracle.com/technetwork/java/javase/tech/javamanagement-140525.html
[9] http://marxsoftware.blogspot.com/search/label/JMX
[10] http://marxsoftware.blogspot.com/2008/08/extraordinary-standard-mbeans.html
[11] http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html#invokeWithArguments(java.lang.Object...)
[12] http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html
[13] http://docs.oracle.com/javase/7/docs/api/java/lang/System.html#setSecurityManager(java.lang.SecurityManager)
[14] http://openjdk.java.net/
[15] http://openjdk.java.net/projects/icedtea/
[16] http://timboudreau.com/blog/read/latest
[17] http://timboudreau.com/blog/read/The_Java_Security_Exploit_in_(Mostly)_Plain_English
[18] http://pastebin.com/cUG2ayjh
[19] http://www.blogger.com/profile/07613911627109499033
[20] http://malware.dontneedcoffee.com/
[21] http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
[22] http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240062798/how-to-detect-zero-day-malware-and-limit-its-impact.html
[23] http://seclists.org/cert/2013/7
[24] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
[25] https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/
[26] http://community.norton.com/t5/Ask-Marian/What-s-All-the-Buzz-About-Java-Fixing-The-Vulnerability/ba-p/892757
[27] http://www.symantec.com/connect/blogs/java-zero-day-dished-cool-exploit-kit
[28] http://blogs.mcafee.com/mcafee-labs/java-zero-day-vulnerability-pushes-out-crimeware
[29] http://www.informationweek.com/security/vulnerabilities/java-zero-day-attack-second-bug-found/240006431
[30] http://www.foxbusiness.com/technology/2013/01/11/as-hacking-concerns-build-us-warns-on-java-software/
[31] http://www.cnn.com/2013/01/11/tech/web/java-vulnerability/index.html?iref=allsearch
[32] http://marxsoftware.blogspot.com/