Day after patch, Java zero-day sold to highest bidders
With exploit sold for $5,000 via cybercrime forum, experts double down on calls for consumers to uninstall the software
January 16, 2013 — CSO — Less than a day after Oracle issued a patch for a vulnerability in its Java browser plug-in software that was allowing attackers to get control of Windows PCs, yet another zero-day exploit for an unpatched Java security hole was being marketed on the Underweb.
Brian Krebs, author of the KrebsonSecurity blog, reported on Wednesday that on Monday "an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each."
Krebs posted a portion of the message, which said the buyers would get, "unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt... they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me."
That message had been deleted by Wednesday, which likely meant the seller had found another buyer, Krebs said. "[That] should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program," he wrote.
"Java is fundamentally broken because it is built upon a broken promise: That it runs in a protected sandbox which somehow protects the user," Krebs told CSO Online on Wednesday.
Sunday's patch was an effort to quiet a firestorm of criticism and calls not only from a majority of security experts but even the Department of Homeland Security (DHS) for consumers to disable Java on their PCs.
This latest report intensified some of those calls, but also a bit of pushback, although not in the form of any major defense of Oracle. Simon Crosby, cofounder and CTO of Bromium, argued in a blog post on Tuesday that banning or disabling Java would not solve the problem. "Humans develop buggy code -- in all languages -- and though the more modern ones are harder to exploit, they can all be subverted," he wrote. "Moreover, many users (and businesses) depend on Java ... banning it would severely impact my ability to work."
Crosby wrote that "micro-virtualization" can solve the problem with Java and other insecure applications with "hardware isolation to enforce 'need to know' on a per-task basis on the endpoint."
That would be a longer term solution, he said. "It guarantees that when the next zero-day comes along, the attacker cannot steal any information or gain access to the corporate network."
Isolation was, of course, a recommendation Krebs also made. And while acknowledging that Java could be necessary on some sites, he notes: "Most users can -- and should -- get by without it."
Krebs and others have been saying for some time that Oracle doesn't really want millions of consumer users anyway. "Oracle is an enterprise software company that -- through its acquisition of Sun Microsystems in 2010 -- suddenly found itself on hundreds of millions of consumer systems," he wrote.
In a later tweet, he added, "In the end, Oracle doesn't want all these home/end users. The sooner these users stop being that, the better for all."
Oracle did not respond to a request for comment.
It may not be that simple, however. Rich Mogull, analyst and CEO of Securosis, noted that Java has a massive enterprise base. "Oracle isn't a consumer company, but Java is the sort of thing that bridges consumer and enterprise," he said.
But he agrees with Krebs that the Java sandbox has too many holes in it, "allowing code to escape and execute unsafely."
Bogdan "Bob" Botezatu, a senior e-threat analyst at Bitdefender, said Oracle has the same responsibilities towards all its customers. "After all, Java has a huge market share on end-user devices, such as Android, for instance and Oracle should cater to all its customers equally," he said.
But experts were unanimous on one key point: Don't trust Java to be secure. "For companies that regularly interact with Java via browsers, we recommend that they use one browser for surfing the web, with the Java plugin disabled, and another for intranets or secure resources running Java, with the Java plugin enabled," Botezatu said.
Krebs recommends a two-browser approach (one dedicated for use only with needed Java applications) for those who really need Java. But, he stresses most consumers do not need it. "A big part of the danger is that many users who have Java on their computers don't even know they have it installed, nor can they recall why it was installed in the first place," he said.
"What I'd like to see is an app or method -- perhaps from Oracle? -- that would help users determine when was the last time their computer used Java and for what purpose," he said. "That, I think, might help a lot of people get off the fence and finally uninstall Java."
Jeremiah Grossman, founder and CTO of WhiteHat Security, backs that idea. "It is better to uninstall Java entirely if one does not need it, as most don't," he said. "This will end the constant stream of patches."
Read more about application security in CSOonline's Application Security section.
Other stories by Taylor Armerding