Forgot your password?
typodupeerror
Crime Java Security

Java Zero-Day Vulnerability Rolled Into Exploit Packs 193

Posted by Unknown Lamer
from the just-can't-win dept.
tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."
This discussion has been archived. No new comments can be posted.

Java Zero-Day Vulnerability Rolled Into Exploit Packs

Comments Filter:
  • At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.

    If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.

    It sucks more in the corporat

    • by nebulus4 (799015)
      Easy for you to say. Here in Norway we are required to have it to do online banking :(
      • by snemarch (1086057)

        Same in Denmark - and we need it for .gov interaction as well. Remove the plugin from your primary browser, keep it in a secondary browser you launch just for Java stuff - and if you're slightly paranoid, keep that secondary browser in a virtual machine.

      • by mcgrew (92797) * on Thursday January 10, 2013 @03:13PM (#42549297) Homepage Journal

        Here in Norway we are required to have it to do online banking :(

        I refuse to bank online, and I would ESPECIALLY refuse to bank online if the bank demanded java. If I want to check my balance I'll call them; I never heard of anyone getting rooted over a voice-only phone call.

        In fact, I use my credit card as little as possible online. Yes, I'm paranoid... but my computers haven't been infected with anything since my daughter installed the XCP trojan Sony provided on a CD she bought at the store she worked at.

        If I do get rooted, there's no sensitive information whatever on my PCs or phone.

        • by lgw (121541)

          never heard of anyone getting rooted over a voice-only phone call.

          Bank fraud is hardly new to the internet. You can bank on the internet quite safely if you do it from a VM that you only use for thta purpose - and I strongly recommend that approach. I use a credit card freely online, but it's one with a $0 fraud protection guarentee.

        • by darthflo (1095225)

          I never heard of anyone getting rooted over a voice-only phone call.

          Hi. (Online) Security Officer for a large bank here. I deal with Phishing, Malware and the likes on a daily basis. You are partially right: Most of the attacks we observe tend to rely on an online vector. However, mixed-media has seen a great rise throughout 2012, the most popular attack being phishing coupled with voice-only phone calls.
          From our point of view, we can bring a lot of defense mechanisms into our online services, while phone-b

          • by mcgrew (92797) *

            Thank you for that, it was informative. I really don't have any reason to bank online, and know better than to give any sensitive info to anyone who calls me.

    • Re: (Score:2, Flamebait)

      by medv4380 (1604309)
      Copy the JRE folder into the Minecraft folder and write a batch file to launch it. Then Kill Java. Works for some enterprise environments too, but not all. All Browsers should block Java. Applets are nothing but plague rats now, and should be burned with fire.
    • by TubeSteak (669689)

      If you do need it for something (like Minecraft), you can remove it from the browser, which tends to also solve the security problems (unless the Java updater adds itself back in, which it's been known to do). Still a better option than just leaving it. There's very few websites left that actually use Java for anything today.

      This has been my situation for the last few years, )though not for minecraft.)
      Adobe's Flash/Shockwave more or less killed java for the average user.

      /the mass of exploits that is flash makes for another conversation entirely

    • Re: (Score:2, Informative)

      by edxwelch (600979)

      Please, stop the FUD already. All the security holes have been accessed via the java browser plugin, so just disabling the plugin is enough. .. and while you at it, disable the .NET browser plugin. Just as many security holes have been found in that component as java.
      There is no need to uninstall JRE (If you have Java installed on your system, then you probably need it for something)

      • by DigiShaman (671371) on Thursday January 10, 2013 @01:08PM (#42547527) Homepage

        Ya, and when the next JRE update prompts the user to install from the system tray, the browser plugin gets re-enabled (re-installed really).

        • by edxwelch (600979)

          Sorry, to correct my previous post.
          Java does indeed overwrite system settings, however both Chrome and Firefox ignore the system setting and the plugin remains disabled.

          • That's good at least. Typically JRE is (was) required a fews years back by major corporate banking sites. Typically, it was used for scanning checks and uploading them to the site. For some god forsaken reason, not only must JRE not be updated (as it will break the web app), but sites required an older version of IE.

            Now if you ask me, I would tell the bank to eff off. But money talks and I'm not the CFO. In fact, typically MIS dept falls directly under accounting. So that's *never* going to happen. The leav

      • by zixxt (1547061)

        Here here, The amount of updates released to keep .Net secure is the same or more than the security updates for JRE/JDK/JVM.

        People just seem to get off on basing Java it seems.

    • by Bill_the_Engineer (772575) on Thursday January 10, 2013 @01:06PM (#42547497)

      While we are at it let's get rid of Python and Ruby which are associated with web exploits in recent news (The Ruby SQL injection being the latest) . It would make more sense to say "Just remove java plugins".

      Don't punish an entire language because of a bad implementation of a function that either uses the language or extends the language into where it really isn't needed anymore.

      • There's a more interesting Ruby exploit (http://www.securityfocus.com/bid/57187 [securityfocus.com]) that can allows remote command execution.
        • Thanks! It would be more accurate to call it a "Ruby on Rails" exploit since just because it uses Ruby doesn't make it Ruby's fault which is the point of my parent post.
      • by SplashMyBandit (1543257) on Thursday January 10, 2013 @01:58PM (#42548183)

        .... and get rid of C and C++ for all their buffer overrun holes. Oh, and let us also get rid of Javascript while we're at it for all its exploits. Then we'd better shut down Silverlight/C# as well (http://www.cvedetails.com/product/19887/Microsoft-Silverlight.html?vendor_id=26). By the same measure we'd better ditch our operating systems to (http://www.cvedetails.com/vendor/26/Microsoft.html).

        So what do we have left after scorching the earth? nothing? they're all vulnerable and all need to maintained and patched. Java is not alone and not really any worse than any other technology.

        Or instead we could get real and demand that browsers fix their plugin model and run plugins with almost no privileges, ya know, as Unix/Linux does for services. That way the inevitable security holes are not catastrophic as they are now, and we don't have to do "denial of service" on ourselves by removing useful tools and technologies.

    • At this point there is no reason for most home user systems to have Java on them at all. Just uninstall it and remove this never ending hole from your life.

      It's used on a lot of websites to launch various games and applets to do things like search a database of parts. The same argument could be used for ActiveX controls and yet, you can't go online for very long without running into someone's website that uses it.

      But for home users? Just remove it and make your life easier.

      It'd be better to use something like NoScript to control access to it. I pair it with other plugins that prevent cross-site scripting, as most of these exploits take advantage of advertising link-ins to popular websites.

    • by antdude (79039)

      How do we play Minecraft then? :P

  • There's a hacker called Paunch? You are Kevin Smith and I claim my five pounds!
  • by Wokan (14062) on Thursday January 10, 2013 @12:50PM (#42547275) Journal

    Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down? I have a hard time believing anyone could make $10K/mo doing this anyway. Wouldn't the first order of business by the exploit buyers be to make it work without the payments? What's the author going to do? Sue them for non-payment?

    • by durrr (1316311) on Thursday January 10, 2013 @12:55PM (#42547347)

      Follow the money and you probably find that various three letter agencies are his main customers.

    • Is finding a bug and writing an exploit for it illegal yet?

    • by i kan reed (749298) on Thursday January 10, 2013 @12:59PM (#42547393) Homepage Journal

      The mechanism that keeps his clients from cheating him is presumably the same mechanism that operates in every black market. Threat of retaliation. As for why they don't just follow the money, my guess is that it goes through some completely unregulated bank with a quickly opened then closed account for each transaction, in combination with hush money to appropriate government officials.

    • Seriously? This person is licensing an exploit kit for $10,000 per month and nobody has bothered following the money to shut him down?

      Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know.

      If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

      • Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know. If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

        Explain laws against selling drug paraphernalia, subsections of the DMCA, or consumer protection against malware laws in several states like California, Arizona, Indiana and others...

        • Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know. If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

          Explain laws against selling drug paraphernalia,

          "Drug paraphernalia" is illegal to sell because it contains traces of illegal drugs, not because of what it is. That's why you can buy a brand new "water tobacco pipe" from a head shop, but not a used bong (water pipe that has been used to smoke marijuana), even though they are the exact same piece of equipment.

          subsections of the DMCA,

          Such as?

          consumer protection against malware laws in several states like California, Arizona, Indiana and others...

          A) Again, such as? If you can't cite specific ordinance, I'm inclined to call bullshit.

          B) State law != federal law. I'm certain some municipalities have laws against selling slim-jims (aut

          • "Drug paraphernalia" is illegal to sell because it contains traces of illegal drugs, not because of what it is.

            Wishful thinking. Let me introduce you to 21 USC 863 [cornell.edu] specifically where it defines the term drug paraphernalia:

            The term “drug paraphernalia” means any equipment, product, or material of any kind which is primarily intended or designed for use in manufacturing, compounding, converting, concealing, producing, processing, preparing, injecting, ingesting, inhaling, or otherwise introduci

            • "Drug paraphernalia" is illegal to sell because it contains traces of illegal drugs, not because of what it is.

              Wishful thinking. Let me introduce you to 21 USC 863 [cornell.edu] specifically where it defines the term drug paraphernalia:

              The term “drug paraphernalia” means any equipment, product, or material of any kind which is primarily intended or designed for use in manufacturing, compounding, converting, concealing, producing, processing, preparing, injecting, ingesting, inhaling, or otherwise introducing into the human body a controlled substance, possession of which is unlawful under this subchapter. It includes items primarily intended or designed for use in ingesting, inhaling, or otherwise introducing marijuana, [1] cocaine, hashish, hashish oil, PCP, methamphetamine, or amphetamines into the human body, such as—

              (1) metal, wooden, acrylic, glass, stone, plastic, or ceramic pipes with or without screens, permanent screens, hashish heads, or punctured metal bowls; (2) water pipes; (3) carburetion tubes and devices; (4) smoking and carburetion masks; (5) roach clips: meaning objects used to hold burning material, such as a marihuana cigarette, that has become too small or too short to be held in the hand; (6) miniature spoons with level capacities of one-tenth cubic centimeter or less; (7) chamber pipes; (8) carburetor pipes; (9) electric pipes; (10) air-driven pipes; (11) chillums; (12) bongs; (13) ice pipes or chillers; (14) wired cigarette papers; or (15) cocaine freebase kits.

              Yet I can still walk into any of the dozen or so head shops in town, and walk out with any of those items, legally. All the proprietors have to do is put a little sticker on the object that states, "FOR TOBACCO USE ONLY," and bip-bang-boom, not drug paraphernalia.

              This statue was used as the basis for Operation Pipe Dreams [wikipedia.org] where 55 people were indicted and charged for trafficking in illegal drug paraphernalia.

              According to the link you provided, the only arrests made were in Pennsylvania and Iowa. not really what I would consider the national dragnet that you're making it out to be.

              subsections of the DMCA,

              Such as?

              17 USC 1201 section (2) [copyright.gov] states:

              (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that — (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title; (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

              As I said before, if the sole purpose of the kit was crime, you'd have a

              • Let's go back to your post:

                Shut him down? For what? Selling something that someone somewhere might use to break a law? That's not a crime in itself, you know.
                If the government could legally 'shut down' anyone and everyone capable of using a tool for crime, we'd all be in some seriously deep shit.

                You gave a premise that the government could not legally 'shut down' anyone and everyone capable of using a tool for crime.

                I gave three of where "the government" could and have. You didn't say what type of gover

      • by DarkOx (621550)

        One could argue as packaged what he is selling amounts to the digital equivalent of criminals tools. There absolutely are laws that bar you from selling tools specifically designed for criminal use. That is why its hard to get lock pick sets etc in many places.

        There are plenty of ways to publish the info anyone in the security community without assembling a nice script kiddy / petty criminal ready tool to go cause mayhem with. Yes if you give me a white paper that describes the resulting offsets you got

        • One could argue as packaged what he is selling amounts to the digital equivalent of criminals tools.

          One could argue that about hardware stores, too, but that person would get laughed out of the room, and rightly so.

          There absolutely are laws that bar you from selling tools specifically designed for criminal use.

          On a federal level? Cite the statute, or STFU.

          There are plenty of ways to publish the info anyone in the security community without assembling a nice script kiddy / petty criminal ready tool to go cause mayhem with. Yes if you give me a white paper that describes the resulting offsets you got from the fuzzer you wrote, and some memory locations large enough for shell code I can put together a C program in moments to do something nasty, as can tens of thousands of others, but that is the risk of living in a free society. Odds are pretty good you have by not passing out binaries raised the bar enough that the folks who can use the information for evil have other economic opportunities.

          Preface: Cars are often used for criminal acts.

          So, to bring out the oft-over used car analogy - what you're saying here is that you believe would be legally OK for GM to release the instructions on how to make a car, but if they actually build cars and sell them, they're guilty of encouraging crime?

          I shouldn't even have to point out how ridicul

          • by DarkOx (621550)

            Funny thing I do work in IT security. I pretty familiar with many of the exploit kits out there and regularly work with (I won't drop names) one of the developers of a more popular one.

            The thing is while they are fun to play with I don't seem them adding lots of value. I am not suggesting any information be censored here. Publish your whitepaper with details about how an exploit work, publish the source code even! I draw the line a slick little binary with GUI interface. Things like Backtrack just bei

    • by Nerdfest (867930) on Thursday January 10, 2013 @01:00PM (#42547407)

      There's a person finding exploits for $10,000 per month and Oracle, Microsoft and Adobe don't subscribe to it? That's just silly.

    • by DarkOx (621550)

      I have been wondering this ever since this guy surfaced. My assumption now is that he is an FBI honeypot. They don't mind letting a few actual Java/Webstart vuluns into the wild to give them credibility because they (the FBI) are

      1. not really in the business of protecting the ordinary citizen.

      2. secretly at least of the mostly correct opinion any assets put at risk by these vuluns are either controlled by those up on these things, capable of working around the issues and securing them anyway or operating

    • If you have to pay a guy $10K for a exploit pack to JAVA do you really think you're smart enough to break his DRM?
  • Disable Flash and Java. Most websites with video will work fine, even if some require to change your user-agent to "iPad".

    What do you mean, your browser can't display H.264 natively? Get a real browser.

  • The Java exploit is much less surprising to me than how casually we include the fact that this guy (and others) are selling exploit kits online. I remember when stuff like this used to be so underground you had to "know someone who knew someone" to find it. Perhaps what he's selling isn't technically illegal, but it's still surprising to read.
  • by GodfatherofSoul (174979) on Thursday January 10, 2013 @01:17PM (#42547631)

    These are the idiots who make life so difficult for legit network guys. That summary reads like George Washington just raided another British outpost. Whether for curiosity or profit, remember who the bad guys are!

    • by girlintraining (1395911) on Thursday January 10, 2013 @02:48PM (#42548901)

      I suppose because on some level, we identify with the hacker. Our way of life is under constant assault by well-financed interests. The collective geek culture rejects the notion that ideas can be owned. Knowledge is power, and because of that, it should be shared freely and widely. Our culture rejects the limitations of online freedom that everyone wants -- whether it's bloggers in Iran being disappeared for providing updates on what their government is up to, to China's appetite for supressing western influences, to our own government's desire for internet kill switches and pervasive monitoring. All of this gets in the way of free and unfettered access to information, something geeks believe is a cultural heritage and the right to access granted to all human beings. Geeks... are idealists and creatives.

      And when we see our creations turned against us, used to corrupt the ideals that gave birth to them, there is a certain artistic desire to destroy it because its beauty has been tarnished. It's something that you can find historical and literary examples of dating back to pre-greek times. So on some level, we identify with the so-called "bad guys", because they're hurting the people who are hurting us.

      Sure, morally, ethically, we can recognize that its wrong and destructive. We know that it only emboldens the destroyers and usurpers of our lifestyle to pass even more restrictive edicts and arrest more people, but psychologically it doesn't matter. We ourselves are powerless so when we see others in the same boat doing powerful things against powerful people, it's very enticing to support them no matter their motivations.

  • by ThatsNotPudding (1045640) on Thursday January 10, 2013 @02:14PM (#42548425)
    Folks like Paunch need to get got if for no other reason than to remove a justification for governents around the world (China and the US getting closer to the same page everyday) to regulate the Internet and render online anonymity a crime (all in the name of Snowflake Security, of course).
  • This Paunch guy needs to watch his ass. There are larger, darker players who were using this exploit for their own purposes. Some of them invested heavily in developing it. By bringing it out into the open like this, Paunch has directly limited their use of this vulnerability. I would not be surprised if this is the last we hear of mr. Paunch. A cleanup team has likely been engaged and is working on tracking him down in the physical world as I type this...

    Seth
  • Java Zero-Day Vulnerability Rolled Into Exploit Packs?

"Gotcha, you snot-necked weenies!" -- Post Bros. Comics

Working...