[Videoconferencing] CCIRC CYBER FLASH CF12-012: Java Vulnerability and EVO

Andrew Daviel advax at triumf.ca
Wed Aug 29 12:43:17 PDT 2012


FYI

The following security advisory is in effect for Java, suggesting we take 
various measures to turn off Java or downgrade to Java 6.
Java is essential for EVO, so we can't do that.

I have temporarily blocked the two ip addresses listed in the advisory 
(59.120.154.62, 223.25.233.244) although the second may already be 
offline.

Based on past experience, the Java maintainers will fairly quickly 
produce a fix, at which point we should upgrade as usual. Meanwhile, it 
seems that recent Firefox is automatically disabling vulnerable versions 
of the Java plugin. EVO does not need the plugin, all it needs is Java 
Web Start to run digitally signed Java programs cached on the computer, 
and to download new copies.
If Firefox has not already disabled the plugin, it is easy to use the 
add-ons manager (tools/add-ons/plugins) to do so.
E.g. http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

Reading the advisory, it seems that an exploit is able to make an 
unsigned Java applet act like a trusted signed one (like Panda, in fact) 
- able to make random network requests and write to the local filesystem, 
which I believe could be done via JWS and not just the plugin. But you 
would have to click a JWS link, while a rogue applet could just be 
embedded in a page to activate automatically.

It is almost certain that any current exploit would try to install 
Windows malware of some kind, rather than continue as a cross-platform 
Java application. I don't, therefore, see any need to take particular 
precautions on Linux.

Windows users of EVO may wish to disable the plugin, and consider 
downgrading Java if they make extensive use of a Java-enabled browser for 
entertainment purposes (i.e. tend to pick up every virus going).


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager

---------- Forwarded message ----------
Date: Wed, 29 Aug 2012 12:10:19 -0400
From: Peter BROZNITSKY <Peter.BROZNITSKY at rcmp-grc.gc.ca>
To: Peter BROZNITSKY <Peter.BROZNITSKY at rcmp-grc.gc.ca>
Subject: CCIRC CYBER FLASH CF12-012: Java Zero Day Vulnerability Exploited in the Wild

>>> National_Operations NOC 2012-08-29 08:17 >>>
Classification: UNCLASSIFIED

CTEC is forwarding this CCIRC Cyber Flash CF12-012: Java Zero Day Vulnerability Exploited in the Wild.
To report incidents affecting GC infrastructures, please contact GC-CTEC at ctec at cse-cst.gc.ca. Any government department suspecting they have incidents related to this activity are requested to provide a written report to GC CTEC.
http://www.tbs-sct.gc.ca/sim-gsi/publications/docs/itimp-pgimti/itimp-pgimti06-eng.asp#Toc324324211.
============================
CCIRC - Cyber Flash CF12-012
Date:   28 August 2012
============================
AUDIENCE
========
This Cyber Flash is intended for IT professionals and managers within federal, provincial/territorial and municipal governments; critical infrastructure; and other related industries.
Title
=====
Oracle Java Zero Day Vulnerability Exploited in the Wild
Detail
======
CCIRC is aware of an Oracle Java 7 vulnerability that is currently being exploited in the wild in targeted attacks. The exploit code was also integrated as part of the metasploit framework. The vulnerability allows an attacker to run arbitrary code. There is currently no patch available from Oracle. It is reported that the exploit code for this vulnerability may be added to exploit kits such as Blackhole, which will significantly increase its distribution.
CVE reference: CVE-2012-4681

Affected Products:
* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)
* Web browsers using the Java 7 plug-in
Reported sample observed in the wild:
File indicators:
Filename: applet.jar
MD5 Hash: 4af58300ee5cd6d61a3eb229afe0da9f
Filename: hi.exe (dropper)
MD5 Hash: 4a55bf1448262bf71707eef7fc168f7d
Network indicators:
ok[.]aa24[.]net:80
Resolved to: 59[.]120[.]154[.]62
GET /meeting/index[.]html
GET /meeting/applet[.]jar
GET /meeting/hi[.]exe
Post-infection indicators:
File indicators:
Filename: mspmsnsv.dll
MD5 Hash: 2f8ac36b4038b5fd7efad8f1206c01e2
Network indicators:
hello[.]icon[.]pk:80
Resolved to: 223[.]25[.]233[.]244
(This IP was previously associated with domain[.]rm6[.]org, which was used in Poison Ivy targeted attacks, and reported in CCIRC CF11-025)
Mitigation
==========
CCIRC recommends that organizations review the following mitigation steps and consider their implementation in the context of their environment accordingly:
- Remove or disable Java web browser plug-in.
- Block execution of Java applets within the browser.
- Block downloads of Java applets at the perimeter.
- Downgrade from Java 7 to the latest Java 6.  Java 6 is not currently reported as vulnerable.
- Review network logs and monitor for connection attempts to the domains and IP listed above. Devices attempting to connect with these URL addresses should be further monitored and examined for signs of infection.
- Consider blocking malicious IP addresses and domains associated with this threat at the network perimeter.
- Ensure your antivirus and gateway protections are up to date.

References:
- http://www.kb.cert.org/vuls/id/636312
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681
- http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/
- http://www.us-cert.gov/cas/techalerts/TA12-240A.html
- http://noscript.net/

Critical Note:
Some of the information contained in this message is provided strictly for the purpose of defensive reconfiguration of assets owned by the recipient. The recipient is advised not to engage into any form of information collection activities outside its own network perimeter using the information within this product. Such actions include probing, downloading, browsing or crawling sites contained within this report.
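The advisory's mitigation step "review network logs and monitor for connection attempts to the domains and IP listed above" can be done passively against existing proxy logs. The script below is an added example, not part of the forwarded advisory or Andrew's message: it refangs the indicators quoted above, scans a constructed, space-separated proxy access log (timestamp, client IP, status, bytes, method, URL, a format assumed here) for the listed hosts, IPs and request paths, and looks up file MD5s against the three hashes in the advisory.

```python
import re
from typing import Dict, List

# Indicators copied from CCIRC CF12-012 above, kept in their defanged form.
DEFANGED_HOSTS = ["ok[.]aa24[.]net", "hello[.]icon[.]pk",
                  "59[.]120[.]154[.]62", "223[.]25[.]233[.]244"]
SUSPECT_PATHS = ["/meeting/index.html", "/meeting/applet.jar", "/meeting/hi.exe"]
KNOWN_MD5 = {
    "4af58300ee5cd6d61a3eb229afe0da9f": "applet.jar (exploit applet)",
    "4a55bf1448262bf71707eef7fc168f7d": "hi.exe (dropper)",
    "2f8ac36b4038b5fd7efad8f1206c01e2": "mspmsnsv.dll (post-infection)",
}

def refang(indicator: str) -> str:
    """Turn the advisory's 'x[.]y' notation back into a matchable host or IP."""
    return indicator.replace("[.]", ".")

HOSTS = {refang(h) for h in DEFANGED_HOSTS}

# Assumed log layout: timestamp client_ip status bytes method url [extra fields]
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose host/IP or request path matches the advisory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = m.group("url")
        hostpart = url.split("://", 1)[-1]
        host = hostpart.split("/", 1)[0].split(":", 1)[0].lower()  # strip port
        path = "/" + hostpart.split("/", 1)[1] if "/" in hostpart else "/"
        reasons = []
        if host in HOSTS:
            reasons.append("host:" + host)
        if path in SUSPECT_PATHS:
            reasons.append("path:" + path)
        if reasons:
            hits.append({"client": m.group("client"), "url": url, "reason": ",".join(reasons)})
    return hits

def classify_hash(md5: str) -> str:
    """Name the advisory sample matching this MD5, or '' if unknown."""
    return KNOWN_MD5.get(md5.lower().strip(), "")

# Constructed sample log: one client fetching the full /meeting/ chain, one clean client.
SAMPLE_LOG = [
    "1346258400.123 10.1.2.3 200 512 GET http://ok.aa24.net/meeting/index.html",
    "1346258401.456 10.1.2.3 200 40960 GET http://ok.aa24.net/meeting/applet.jar",
    "1346258402.789 10.1.2.3 200 1024 GET http://59.120.154.62:80/meeting/hi.exe",
    "1346258500.000 10.1.2.9 200 2048 GET http://example.com/index.html",
    "1346258600.000 10.1.2.3 200 64 POST http://hello.icon.pk/",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], hit["reason"])
```

A client that appears in both the initial /meeting/ requests and the post-infection host is the one the advisory says to examine for signs of infection.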

