SpiderLabs Blog

QA w/ SpiderLabs Research: Java 0day CVE-2013-0422

Q: What's going on? People are talking about some Java 0day which threatens the whole world… Bring me up to speed, now!

A: About a week ago, an independent researcher reported a previously unknown (0day) Java vulnerability being used to infect innocent users with malware. When a 0day vulnerability is discovered, it is usually reported to the affected vendor, and that vendor issues a patch that fixes the software bug, closing the security hole. In this case, however, the vulnerability was discovered by someone who chose not to do the responsible thing (report it to the vendor) and instead took advantage of the finding for personal profit. A 0day vulnerability gives the attacker a decisive advantage over the victim for two main reasons:

  1. The victim has no prior knowledge of the risk.
  2. The victim has no effective means of self-protection, since no patch is available.

In such cases, being aware of the attack and its specifics is of the highest importance. We therefore analyzed this vulnerability and posted our findings on the very same day it was discovered, and verified the out-of-the-box protections in Trustwave's Secure Web Gateway product.

Q: Who is at risk?

A: Anyone who has Java 1.7u10 (or prior) installed. Users who have Java 1.7u11 or Java 1.6 installed are not affected by this issue. Since enterprise environments commonly rely on Java applications internally, these users should pay extra attention and contact their IT department regarding the software installed on their desktops.

Q: What can I do to protect myself?

A: Uninstall Java from your computer, or disable the Java plugin in your browser. However, if you need Java for your daily work, make sure to update your Java to version 1.7u11. You can get it here.

Q: How can I tell which version of Java I have installed?

A: Simply go to: http://www.java.com/en/download/installed.jsp . Note that this page relies on the Java browser plugin in order to detect the installed version. This means that if your Java plugin is already disabled (which is good!), the page will not be able to detect any Java on your computer, even if Java is actually installed.
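Because the java.com page cannot see Java once the browser plugin is disabled, a local check is more reliable. The following script is an added example (not part of the original post or a Trustwave tool): it parses the banner that `java -version` prints (e.g. `java version "1.7.0_10"`, where 1.7.0_10 is 1.7u10) and applies the affected-version rule stated above. The sample banners in the block are constructed, and the `check_local_java` helper name is an assumption of this example.

```python
import re
import subprocess

# Banner format printed by `java -version` on Java 6/7, for example:
#   java version "1.7.0_10"
# Newer JDKs print e.g. `openjdk version "17.0.1"`; those parse as not affected.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, minor, update) from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    return int(major), int(minor), int(update or 0)


def is_affected_by_cve_2013_0422(version):
    """Rule from the post: Java 1.7u10 and earlier 1.7 updates are affected;
    1.7u11 and the 1.6 line are not."""
    major, minor, update = version
    if (major, minor) != (1, 7):
        return False  # 1.6 (and any non-1.7 line) is not affected
    return update <= 10


def check_local_java(command=("java", "-version")):
    """Run the local `java -version` (needs no browser plugin) and classify it.
    Returns 'affected', 'not affected', 'unparsed', or 'not installed'."""
    try:
        # Java prints its version banner on stderr, so capture both streams.
        proc = subprocess.run(command, capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "not installed"
    version = parse_java_version(proc.stderr + proc.stdout)
    if version is None:
        return "unparsed"
    return "affected" if is_affected_by_cve_2013_0422(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    samples = ['java version "1.7.0_10"', 'java version "1.7.0_11"',
               'java version "1.6.0_37"']
    for banner in samples:
        verdict = is_affected_by_cve_2013_0422(parse_java_version(banner))
        print(banner, "->", "affected" if verdict else "not affected")
    print("local java:", check_local_java())
```

Run it on the workstation itself; if it reports "affected", update to 1.7u11 or disable the plugin as described in the previous answer.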

Q: I'm confused! There is a Java plugin and Java "standalone"?

A: Correct. Installing the Java Runtime Environment (JRE) lets you execute Java applications locally. Along with the JRE, a Java browser plugin is installed; this plugin allows you to execute Java applets in a web site context. Disabling the plugin does not affect your ability to run local Java applications.

Q: What is the attack scenario?

A: A common attack scenario for this issue would be a user with a vulnerable Java plugin browsing to a malicious site. This can happen on a daily basis, since users often click on unfamiliar links. It can also happen by browsing an entirely legitimate site that was hacked and, as a result, now serves malicious content alongside its normal content. Another example would be a legitimate site serving ads, which sometimes contain malicious content. Both of the latter cases usually occur without the knowledge of the legitimate site's owner and operator.
A malicious site would exploit the weakness in your Java plugin using an embedded Java applet, without user interaction or consent. Upon successful exploitation, the attacker gains control over the victim's PC and will usually infect it with malware.

Q: But I use Mac/Linux/Casio calculator, am I still vulnerable?

A: The vulnerability at hand is platform independent and originates in the Java software itself. Thus, any Java user is at risk, regardless of the underlying OS. For a more detailed technical explanation you should read here. However, Mac users are at lower risk, since Apple has disabled outdated versions of the Java plugin on OS X.

Q: I use Java and have updated to the latest version (1.7u11). Am I safe?

A: Actually, you can never be 100% safe. In this case, however, you are indeed immune to the latest Java vulnerability (and to previously reported Java vulnerabilities). But as history shows, new vulnerabilities are bound to be found and exploited, and to protect yourself from future threats a complementary security product should be used. One terrific choice would be Trustwave Secure Web Gateway! Our product has successfully detected and stopped all five Java 0days discovered in the past year or so (including this one, of course!).

Thanks to Rami Kogan for his contribution on this subject!
