Windows PC and Mac users who have the Oracle Java JRE web plug-in version 7u10 and below should immediately update to the latest release of Java JRE 7u11 [1], or disable Java from their computer browsers [2].

BACKGROUND

On January 10, 2013, security researchers reported an unpatched vulnerability in Oracle Java 1.7u10. This vulnerability has been labeled CVE-2013-0422

Security professionals comment that attack code that exploits the vulnerability is being “massively exploited in the wild.” Miscreants use such exploits to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting website visitors.

IMPACT

Browsing the web with a vulnerable version of Java installed and enabled means that simply visiting a website or clicking on a link in an e-mail message is enough for an attacker to compromise your computer. This is known as a “drive-by download” [3]. The malicious software installed through these attacks may collect usernames and passwords used on the compromised computer, including credentials for sensitive websites, bank accounts, email etc.

While “safe browsing” to only trusted websites may limit your exposure to drive-by downloads, it does not address the underlying vulnerability and prevent exploitation. Please see “Recommendations” and “Workarounds” below for further steps that should be taken.

PLATFORMS AFFECTED

All versions of Oracle Java 7 (aka JRE 1.7) from the initial release up through update 10 are vulnerable. This affects both Windows PC and Mac OS if you have installed the JRE web plug-in. Oracle maintains that earlier versions of Java are not affected by this particular exploit[6].

RECOMMENDATIONS

• Update Java Immediately - Regularly check for updates and remove old versions of Java. Java 7 update 11 is available at the website http://www.java.com [1].
• Update Anti-Virus/Anti-Malware software – MU campus users who have the latest version of Symantec Endpoint Protection (SEP) 12.1.2015 [9] installed will receive additional protection thru the ‘Proactive Threat Protection’ and ‘Network Threat Protection’ modules. This includes a browser-protection technology which can detect and prevent malicious Java from being executed on client computers.
• Use an alternative web browser – it has been reported that users of the latest versions of Mozilla Firefox, Google Chrome, and Apple’s Safari browsers are provided additional security protections not currently found in the default Windows IE9 web browser [7].
• Exercise caution - Don’t click on web popups, but close the window instead. If they won’t close, open your process list and force your browser to close.

WORKAROUNDS

Disable Java. [2] NOTE: This workaround may prevent certain websites from working correctly, and must be considered in relation to essential enterprise applications like Banner which currently depends on Java 6 – note both Java 6 and Java 7 can both be installed at the same time, but keeping both versions updated may require the use of manual updates).

FURTHER READING

[1] http://java.com/en/download/installed.jsp?detect=jre&try=1

[2] https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

[3] http://en.wikipedia.org/wiki/Drive-by_download

[4]  http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

[5] http://www.oracle.com/technology/deploy/security/alerts.htm

[6] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

[7] https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/

[8] http://krebsonsecurity.com/tag/cve-2013-0422/

[9] http://www.marshall.edu/antivirus

If you have additional questions regarding the content or recommendations in this security bulletin, please contact your departmental IT service provider, the IT Service Desk at itservicedesk@marshall.edu / 304-696-3200, or the IT Office of Security infosec@marshall.edu.

Last Modified: January 14, 2013

Members of the IT team and ITSP community are still creating and testing the supportability of a number of configurations for both Windows 8 and SEP to ensure compatibility with campus services, appropriate level of protection, and (for personal-owned machines) a simplified but usable product.

We are making the following recommendations:

• Use Microsoft Security Essentials for Personally-owned Machines – Since incorporating future configuration changes into an already deployed (personally-owned) client is difficult, we suggest using the widely available and Microsoft-supported solution of Microsoft Security Essentials (MSE) as a low-risk/no-cost solution for students and personally-owned machines. MSE integrates with the Windows Security Center provides an adequate level of protection until we are ready to support the new release of SEP 12.1R2.
• Use Symantec Endpoint Protection for University-owned Machines – We are still recommending SEP 12.1.2RU2 for University-owned computers as the managed client allows for on-the-fly changes to be made thru the Symantec Management Console. The latest version of SEP 12.1RU2 is available here:  \marshall.edumunetDistributionsSymantecCurrent-Install-Packages_Windows_8_Support . The BASIC package includes the base anti-virus/malware module; the FULL package includes anti-virus/malware, proactive threat protection including browser plug-in support, and network threat protection (NTP) and intrusion detection (IDS) modules.  NOTE: be aware that the NTP module disables the default Windows Firewall and establishes its own firewall access control list. It is this feature which is giving us the most concern as it has the potential to do a lot of good, but also will have a learning curve.

An update: The Marshall University Office of Information Technology now supports the use of Symantec Endpoint Protection 12.1RU2 / ver 12.1.2xxx and newer for Windows 8 OS. Read more.

Last Modified: April 26, 2013

While there are some legitimate coupon printers, some are bundled with spyware that is designed to harvest personal information for use by advertisers. Cyber-criminals also disguise software as a ‘coupon printer’ application as a  to deliver viruses and other malware to computers. If you chose to use coupon-printing software from home, we strongly recommend that you consider the following precautions to ensure the software is as trustworthy as possible: 1) make sure your anti-virus software is up to date before downloading coupon printers; 2) make sure your anti-virus software is set to block malware and spyware “on access”; 3) only download and install software from reputable websites; and 4) when in doubt, remove coupon printers from computers.

Last Modified: October 5, 2012

A common question we hear from people with infected computers is “I visit only good sites. How in the world did I get a virus?”  The answer can surprise some of them – FEW websites are truly safe and can guarantee malware-free web surfing. According to the Websense State of Internet Security, Q1-Q2 2009, 77% of web sites with malicious code are legitimate sites that have been compromised.

Malware creators take full advantage of the trusted sites with good reputation and millions of visitors. How do they do it? They do it in such creative ways that these “good” sites unknowingly host malicious content.

One of the methods often used is when exploiting a well-known website is to insert a small, simple piece of malicious code within the legitimate code.  This may take the form of a hidden HTML iframe or JavaScript which will cause your web browser to download malicious content from a completely different and not-so-trusted web server.  In most cases site visitors have no idea that malware is being installed on their computer and sometimes they are invited to download a file that appears to be legitimate.
The following picture provided in a Sophos White Paper entitled “No all malware detection is created equal” shows an example of a compromised with (A) iframe and (B) script web page that cases the browser to load content from the malicious site.

Another more common way that hackers can compromise a trusted web site is by exploiting vulnerable versions of web applications such as blogging, content management systems, shopping cart apps and etc. The technical term for these exploits include SQL Injection, Cross-site Scripting and PHP File Include attacks and these continue to be the three most popular techniques used for compromising web sites, according to the SANS Top Cyber Security Risks.

In the SQL injection attack, malware creators fill out the user input form fields such as “log in” or “comments” with a database commands that get them access to website’s database and let them plant malicious code inside of it. A successful SQL injection can be very powerful and can result in hacker being able to to read and modify sensitive data from the database, execute admin functions, issue commands to operating system and ultimately redirect site’s visitors to a malicious web server where they get infected with malware. This video demonstrates how SQL injection works:

The Cross-Site Scripting Attack, is described here in a recent example of an attack on a very popular legitimate web site reported by SC magazine: “YouTube, iTunes hit in holiday attacks.”

In the next techniques the websites willingly publish or allow to publish rich content that contains malicious code and comes from third party advertisements and widgets.

Malvertising is a common venue for malware attacks. The legitimate site is a part of the third-party ad network that rotates  image or flash ads across multiple web sites.  A hacker plants a banner with hidden malicious code in the ads inventory and this banner gets posted across multiple websites without any proper input validation. Visitors of these sites get infected with malware automatically and silently. Some 1.3 million malicious ads viewed daily according to the report provided by the web security firm Dasient.

Many websites utilize third party widgets like traffic counters, e-commerce buttons and etc. All a hacker needs to do is compromise the third party host and place  a piece of code into a widget. With a click of hacker’s mouse, all websites using an infected widget can start serving malware to its visitors without knowing it.

These are just several examples of how you can get end up with a serious malware infection even while you thought you were surfing trusted websites.

Last Modified: April 17, 2013