Security News #0x1D: Javageddon, the Aftermath
- How does last week’s Java exploit work? Thexploit points out that the problem can be exploited with simple Java code.
- DeepEnd Research put out a technical analysis of the underlying problem.
- Immunity Products also put out an analysis of the vulnerability that is probably the best of the bunch.
- After the attack was included in Metasploit, but before Sun issued a patch, there were a number of workarounds suggested. The most common suggestion was to disable Java in the browser (which is what I did!). It is hard to believe, but it turns out that it is quite difficult to disable Java in Internet Explorer; see also KB 2751647. You can use AppArmor in some Linux distributions.
- Some folks suggested that last week’s Java Zero Day was part of a targeted attack. Eric Romang has an interesting analysis of the issue.
- By Tuesday, the exploit had made its way into Blackhole, and on Wednesday Seculert reported that tens of thousands of machines had been infected this way.
- On Wednesday, we learned that Oracle had known about the vulnerabilities used by this exploit for four months.
- On Thursday, Oracle announced the patch, which I am sure that you have now installed. [If not, then do it now!]
- How long did it take researchers to find exploitable flaws in the patch? Three hours. Sigh.
- Just to talk about something other than Java, on Tuesday Agarri provided details of how to exploit PostgreSQL 8.4.12 via CVE-2012-3488 and CVE-2012-3489.
- Kaspersky Lab is running a competition for student research papers.
- M3g9tr0n shares how he cracked 122 million passwords in five months.
- If you are looking for research packet captures, you may want to check out this list of publicly available PCAP files.
- Some of my students have commented on my extreme care when opening links, especially shortened links you commonly find on Twitter. Read people, read. And don’t miss the XKCD reference.
- While I am thinking of class, Splunk has a book on their search processing language that may be valuable.
- ShmooCon 2013 has been announced. Whoo-Shmoo!
BTW, I grabbed the phrase “Javageddon” from @ErrataRob. After seeing it, there was no way I could avoid re-using it…