Q&A w/ SpiderLabs Research: Java 0day CVE-2013-0422

Q: What's going on? People are talking about some Java 0day which threatens the whole world... Bring me up to speed, now!

A: About a week ago, an independent researcher reported a previously unknown (0day) Java vulnerability being used to infect innocent users with malware. When a 0day vulnerability is discovered, it is usually reported to the affected vendor, and that vendor issues a patch that fixes the software bug, closing the security hole. In this case, however, the vulnerability was discovered by someone who chose not to do the responsible thing (report it to the vendor) and instead took advantage of the finding for personal profit. A 0day vulnerability gives the attacker a decisive advantage over the victim for two main reasons:

  1. The victim has no prior knowledge of the risk.
  2. The victim has no effective means of protecting himself, since no patch is available.

In such cases, being aware of the attack and its specifics is of the highest importance, so we analyzed this vulnerability, posted our findings on the very same day it was discovered, and verified out-of-the-box protections in Trustwave's Secure Web Gateway product.

Q: Who is at risk?

A: Anyone who has Java 1.7u10 (or prior) installed. Users who have Java 1.7u11 or Java 1.6 installed are not affected by this issue. Since it is common practice for enterprise environments to rely internally on Java applications, these users should pay extra attention and contact their IT department regarding the software installed on their desktops.

Q: What can I do to protect myself?

A: Uninstall Java from your computer, or disable the Java browser plugin in your browser. However, if you need Java for your daily work environment, then make sure to update your Java to version 1.7u11. You can get it here.

Q: How can I tell which version of Java I have installed?

A: Simply go to: http://www.java.com/en/download/installed.jsp . Note that this page relies on the Java browser plugin in order to detect the installed version. This means that if your Java plugin is already disabled (which is good!), the page will not be able to detect any Java on your computer, even if Java is actually installed.
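Since the web-based check above depends on the very plugin you may have disabled, an alternative is to ask the locally installed runtime directly and compare the answer against the affected range named in this post (Java 7 at update 10 or earlier; 1.7u11 and 1.6 not affected). The following is an added example, not part of the original post or a Trustwave tool; it assumes the first line of `java -version` output has the form `java version "1.7.0_10"`, and the sample outputs it checks are constructed for illustration.

```python
import re
import subprocess

# Matches the version token on the first line of `java -version`,
# e.g. java version "1.7.0_10"  ->  major 1, minor 7, patch 0, update 10
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(version_output):
    """Return (major, minor, patch, update) parsed from `java -version`
    output, or None when no recognisable version token is present."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    # A bare "1.7.0" (no update suffix) is the initial release, i.e. update 0
    return int(major), int(minor), int(patch), int(update or 0)


def is_affected_by_cve_2013_0422(version):
    """True when the version falls in the range the post names as affected:
    Java 7 at update 10 or earlier. Java 6 and Java 7u11 or later are not."""
    major, minor, _patch, update = version
    return major == 1 and minor == 7 and update <= 10


def assess(version_output):
    """Classify raw `java -version` output as
    'affected', 'not affected' or 'unknown' (unparseable)."""
    version = parse_java_version(version_output)
    if version is None:
        return "unknown"
    return "affected" if is_affected_by_cve_2013_0422(version) else "not affected"


def assess_local_java():
    """Hypothetical helper: run the locally installed JRE, if any, and assess it.
    `java -version` writes to stderr, so both streams are captured.
    Returns 'not installed' when no java binary is on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "not installed"
    return assess(proc.stderr + proc.stdout)


# Constructed sample outputs in the format `java -version` printed at the time
SAMPLES = {
    "7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment\n',
    "7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment\n',
    "6u37": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment\n',
    "7ga": 'java version "1.7.0"\nJava(TM) SE Runtime Environment\n',
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, "->", assess(out))
    print("local JRE ->", assess_local_java())
```

Note that this only inspects the JRE found first on the PATH; a machine can carry several runtimes, and the browser plugin may be bound to a different one than the command line, so on a managed desktop the IT department's software inventory remains the authoritative answer.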

Q: I'm confused! There is a Java plugin and a Java "standalone"?

A: Correct. Installing the Java Runtime Environment (JRE) enables the user to execute Java applications locally. Along with the JRE you will also get a Java browser plugin installed. This plugin allows you to execute Java applets in a web site context. Disabling this plugin does not impact the ability to execute local Java applications.

Q: What is the attack scenario?

A: A common attack scenario for this issue would be a user with a vulnerable Java plugin browsing to a malicious site. This can happen on a daily basis, since users will often click on unfamiliar links. It can also happen by browsing an absolutely legitimate site which was hacked and as a result is now serving malicious content along with its normal content. Another example would be a legitimate site serving ads, which sometimes contain malicious content. Both of the latter examples usually occur without the knowledge of the legitimate site's owner and operator.
A malicious site would exploit the weakness in your Java plugin using an embedded Java applet, without user interaction or consent. Upon successful exploitation the attacker gains control over the victim's PC and will usually infect the computer with malware.

Q: But I use Mac/Linux/Casio calculator, am I still vulnerable?

A: The vulnerability at hand is platform independent and originates in the Java software itself. Thus, any Java user is at risk, regardless of the underlying OS. For a more detailed technical explanation you should read here. However, Mac users are at lower risk, since Apple has disabled outdated versions of the Java plugin on OS X.

Q: I use Java and have updated to the latest version (1.7u11). Am I safe?

A: Actually, you can never be 100% safe. However, in this case you are indeed immune to the latest Java vulnerability (and any other previously reported Java vulnerabilities). But as history shows, new vulnerabilities are bound to be found and exploited, and in order to protect yourself from future threats a complementary security product should be used. One terrific choice would be Trustwave Secure Web Gateway! Our product has successfully detected and stopped all five Java 0days that were discovered in the past year or so (including this one, of course!).

Thanks to Rami Kogan for his contribution on this subject!
