Tuesday, February 12, 2013

Vulnerable Browser Plug-ins: I'm looking at you, Java


It's been about a month now, and the talk of the Java exploit has largely subsided.  Thank you, five-minute attention span.  (Don't worry, I'm accusing myself too.)  When the Java exploit received such a critical warning from the Department of Homeland Security's U.S. Computer Emergency Readiness Team (DHS US-CERT, for short) on January 10, 2013, the news spread like wildfire.  The reason more attention was paid to this than to the other 20 alerts for significant risk published in 2012 is that it's very rare for US-CERT to advise the general public, consumers and businesses alike, to completely disable a software component - in this case, a browser plug-in.

A complete breakdown of the exploit is available in MITRE's Common Vulnerabilities and Exposures (CVE) database, but in essence the exploit payload, once executed, escalates privileges to give an attacker control of the system.  A key factor in this exploit receiving so much attention is that all versions of Java are vulnerable across all operating systems, and a module to deliver this exploit was built for Metasploit - the free, open-source penetration testing framework.  Here's a video demonstrating how easy it is to exploit a Windows 8 virtual machine running Internet Explorer 10:


Exploit delivery hinges entirely on whether the user visits a page that auto-loads Java, which in turn triggers a request for the malicious .jar file.  What does this mean in practice?  The key dangers come from compromised websites hosting this malware and from phishing attempts that steer users to such pages.
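Because the attack only works once the browser has actually fetched a .jar, that request is the thing a defender can look for.  The script below is an added example written for this post (it is not code from the original article or from any vendor); it runs a simple detection over a few constructed web-proxy log lines, flagging successful .jar downloads from hosts that are not on an assumed allowlist and calling out the classic drive-by shape where a page on one host pulls an archive from another.  The log format, the `TRUSTED_JAR_HOSTS` allowlist and the sample hostnames are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample web-proxy log lines (made up for this example, not from a real incident).
# Field order: timestamp client_ip method url status content_type referer ("-" if none)
SAMPLE_LOG = """\
2013-01-11T09:14:02 10.0.0.12 GET http://intranet.example.local/apps/timesheet.jar 200 application/java-archive http://intranet.example.local/apps/
2013-01-11T09:15:40 10.0.0.12 GET http://news.example.com/index.html 200 text/html -
2013-01-11T09:15:41 10.0.0.12 GET http://cdn-files.example.net/ads/x.jar 200 application/x-java-archive http://news.example.com/index.html
2013-01-11T09:16:05 10.0.0.27 GET http://news.example.com/logo.png 200 image/png http://news.example.com/index.html
2013-01-11T09:17:30 10.0.0.27 GET http://static.example.org/applet/game.jar 404 text/html http://games.example.org/play
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")

# MIME types commonly used when serving Java archives.
JAR_CONTENT_TYPES = {"application/java-archive", "application/x-java-archive", "application/x-jar"}

# Assumption: hosts the organisation knowingly serves applets from; everything else is untrusted.
TRUSTED_JAR_HOSTS = {"intranet.example.local"}


def parse_line(line):
    """Split one log line into a dict, or return None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype, referer = m.groups()
    return {
        "timestamp": ts,
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "content_type": ctype.lower(),
        "referer": None if referer == "-" else referer,
    }


def is_jar_fetch(entry):
    """True if the request looks like a Java archive download, by path extension or by MIME type."""
    path = urlparse(entry["url"]).path.lower()
    return path.endswith(".jar") or entry["content_type"] in JAR_CONTENT_TYPES


def find_suspicious_jar_loads(log_text, trusted_hosts=TRUSTED_JAR_HOSTS):
    """Return one finding per successfully delivered .jar that did not come from a trusted host.

    A jar pulled in by a page on a different host (the usual drive-by or
    malvertising shape) is called out explicitly in the finding's reason.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_jar_fetch(entry):
            continue
        if entry["status"] != 200:
            continue  # nothing was delivered, so no applet could have run
        jar_host = urlparse(entry["url"]).hostname or ""
        if jar_host in trusted_hosts:
            continue
        referer_host = urlparse(entry["referer"]).hostname if entry["referer"] else None
        if referer_host and referer_host != jar_host:
            reason = "jar served from a different host than the referring page"
        else:
            reason = "jar served from an untrusted host"
        findings.append({
            "timestamp": entry["timestamp"],
            "client": entry["client"],
            "jar_url": entry["url"],
            "jar_host": jar_host,
            "referer_host": referer_host,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_jar_loads(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} fetched {f['jar_url']} "
              f"(referer host: {f['referer_host']}): {f['reason']}")
```

On the sample data this reports exactly one event: client 10.0.0.12 reading a news page that pulled `x.jar` from an unrelated CDN host.  The intranet applet is skipped because its host is allowlisted, and the 404 for `game.jar` is skipped because nothing was delivered.  Matching on both the `.jar` extension and the archive MIME types matters, since a hosting site can serve an applet from a path with no extension at all.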

It took Oracle about four days to patch the vulnerability.  If you haven't already done so, it's highly recommended that you update your version of Java.  Most people who are concerned will simply patch Java and get on with browsing the web, but I think this exploit draws attention to some interesting browser behavior.

Running the Browser Gauntlet

When I was first alerted to the exploit, I wanted to test the three big browsers to see how each would inform me that a website wanted to load the Java plug-in.

  1. First up, Internet Explorer.  As in the video above, when I visited a website hosting Java, IE didn't prompt me for action and immediately loaded the Java plug-in.  FAIL
  2. Next in line, Firefox.  FAIL
  3. Okay, Chrome...here we...wait, what?  Chrome alerts me that individual websites want to run Java?  I can still see the rest of the page and just choose not to let Java run?  And this is a default browser behavior?  Well done, sir.  Well done.

I know, I know.  Both IE and Firefox have browser add-ons that will perform the Java block, but those features aren't baked into the browser by default, whereas Chrome's is!  Here's a screen capture of what you can expect:


So, it would appear the easiest way to protect yourself from this exploit is to use Chrome.  Beyond that, disable Java, or update it to the latest patched version.  Be safe out there!