Over the weekend, FireEye reported seeing a new Java zero-day vulnerability (CVE-2012-4681) being exploited in targeted attacks. The vulnerability affects Oracle Java JRE 1.7.x running on Windows, Linux and Mac OS X, and it can be exploited through all major browsers (IE, Firefox and Chrome). Currently the attacks are targeted and not widespread; however, Metasploit has recently released exploit code for this vulnerability and there are also reports that the exploit has been added to the BlackHole exploit kit. Given this, SecureState believes we will soon see more widespread, drive-by style attacks.
Oracle follows a quarterly patching cycle for Java, and the next scheduled Java patch is due on October 16. At this time it is unknown whether Oracle will release an off-schedule patch; traditionally Oracle has not released off-schedule patches, even in response to critical vulnerabilities in its products.
With an official patch likely a month and a half away, SecureState recommends taking the following steps to mitigate or minimize the risk posed by this vulnerability:
- If Java is not required, it should be uninstalled. Java has a long history of security vulnerabilities, and given Oracle's stance on patching, we recommend removing it from any system that does not require it.
- If Java is required to run desktop applications but not Java applets loaded from websites, SecureState recommends disabling the Java web plugin in each installed browser so that Java applets cannot be run through a web browser.
- If you or your users must use Java applications loaded through websites, there are a number of steps that can be taken to minimize the exposure caused by this vulnerability:
  - DeepEnd Research has released a third-party patch that reportedly fixes this vulnerability. SecureState has not tested this patch and so cannot comment on its safety or effectiveness. When installing any patch, but especially one developed by a third party, be sure to fully vet and test it before applying it to production systems.
  - Make sure your systems are running up-to-date antivirus software. Although a skilled attacker can easily bypass antivirus software, it can still provide some protection. In testing SecureState performed, we found that a number of antivirus products detect and try to block the malicious Java applet or the payload it tries to load onto the system.
  - Install and configure host intrusion detection software (HIDS) to detect malicious activity resulting from attempted or successful exploitation.
  - Leverage network anomaly detection and IDS technology to alert on suspicious activity so that a potential intrusion can be investigated and contained.
  - Blacklist known malicious websites.
  - Whitelist known good websites if you or your users only need to access a limited number of sites.
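The antivirus, HIDS and IDS items above all come down to recognizing the malicious applet before, or as, it reaches the JVM. The following is an added example, not code from the SecureState advisory or from any of the products mentioned: a small Python scanner of the kind a web proxy, mail gateway or host agent could run over downloaded JARs. It pulls each .class member out of the archive and byte-matches the internal class and method names that public analyses of the CVE-2012-4681 exploit chain rely on (a string literal naming sun.awt.SunToolkit, the java.beans reflective call path, and setSecurityManager). The indicator list, its weights and the alert threshold are assumptions for this example, and the JAR it scans is constructed in memory rather than a real sample.

```python
"""Heuristic JAR scanner for the CVE-2012-4681 applet pattern (added example).

Class files store class and method names in the constant pool as plain
modified-UTF-8, so indicator strings can be matched on raw bytes without a full
class-file parser. That is the same kind of check network IDS signatures use.
"""
import io
import re
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Indicators are an assumption for this example, based on public analysis of
# the exploit chain; tune them to your own intelligence. Class names are
# matched in both slash form (direct reference) and dot form (string literal
# handed to reflection).
INDICATORS = [
    (re.compile(rb"sun[./]awt[./]SunToolkit"), 3, "reference to internal sun.awt.SunToolkit"),
    (re.compile(rb"setSecurityManager"), 3, "call that can drop the SecurityManager"),
    (re.compile(rb"java[./]beans[./]Expression"), 1, "java.beans.Expression reflective call path"),
    (re.compile(rb"java[./]beans[./]Statement"), 1, "java.beans.Statement reflective call path"),
]
THRESHOLD = 4  # assumption: score at or above this raises an alert


def scan_class(name, data):
    """Return (score, reasons) for one .class member's raw bytes."""
    if not data.startswith(CLASS_MAGIC):
        return 0, []  # not a class file; nothing to match against
    score, reasons = 0, []
    for pattern, weight, why in INDICATORS:
        if pattern.search(data):
            score += weight
            reasons.append(f"{name}: {why}")
    return score, reasons


def scan_jar(jar_bytes):
    """Scan every .class member of an in-memory JAR and return a verdict dict."""
    result = {"score": 0, "hits": [], "suspicious": False, "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            for info in jar.infolist():
                if not info.filename.lower().endswith(".class"):
                    continue
                score, reasons = scan_class(info.filename, jar.read(info))
                result["score"] += score
                result["hits"].extend(reasons)
    except zipfile.BadZipFile as exc:
        # Something served as a JAR that is not one deserves a look on its own.
        result["error"] = f"not a valid JAR: {exc}"
        result["suspicious"] = True
        return result
    result["suspicious"] = result["score"] >= THRESHOLD
    return result


def _utf8_constant(text):
    """Encode one CONSTANT_Utf8 pool entry (tag 0x01, length, bytes)."""
    raw = text.encode("utf-8")
    return b"\x01" + len(raw).to_bytes(2, "big") + raw


def build_sample_jar(include_exploit=True):
    """Construct sample input in memory (constructed data, not a real sample).

    The 'Loader.class' member mimics the constant-pool contents an applet using
    the exploit chain would carry; 'HelloApplet.class' is a benign stand-in.
    """
    header = CLASS_MAGIC + b"\x00\x00\x00\x33"  # minor/major version
    exploit_like = header + b"".join(_utf8_constant(s) for s in [
        "sun.awt.SunToolkit",     # string literal passed to reflection
        "getField",
        "java/beans/Expression",
        "java/beans/Statement",
        "setSecurityManager",
    ])
    benign = header + b"".join(_utf8_constant(s) for s in [
        "java/applet/Applet", "paint",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_exploit:
            jar.writestr("Loader.class", exploit_like)
        jar.writestr("HelloApplet.class", benign)
    return buf.getvalue()


if __name__ == "__main__":
    verdict = scan_jar(build_sample_jar())
    print("suspicious" if verdict["suspicious"] else "clean", "score:", verdict["score"])
    for hit in verdict["hits"]:
        print("  ", hit)
```

The obvious caveat applies: a byte-pattern check like this catches the public exploit as written, but an attacker who assembles the class-name strings at runtime, nests the real JAR inside another archive, or feeds bytes to a custom class loader will slip past it. Treat it as one layer alongside the other items in the list, not as a substitute for the patch.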
Again, if you or your users need access to web-based Java applets, there is currently no way to completely mitigate the risk posed by this attack. However, the steps above can help minimize your exposure until Oracle releases a patch.