Hard Lessons Learned: The Java Zero Day Vulnerability Response

7 11 2012

by Jay Miller

This past summer brought a slew of zero-day attacks, in which attackers find a previously unknown vulnerability and have from that moment (or “zero days”) to exploit it for their gain.  The Java Zero-Day Exploit in late August was probably the most talked-about vulnerability in computing because of the reliable nature of the exploit, the havoc that it continues to cause, and the lasting potential for infection within a widespread user base of a reported 1.1 billion desktop machines (Mimoso, “New Zero-Day Vulnerability Found”).  The initial exploit worked by using two vulnerabilities to circumvent proper authentication and escalate privilege inside the Java Sandbox, the area where Java programs run inside a browser or as a standalone application (Dormann et al.).  In short, it allows the attacker to take remote control of the affected PC and execute code, either in a drive-by attack launched when the victim clicks a fraudulent URL on a website or in an email, or to incorporate PCs into a command-and-control infrastructure.  While the technical details of the exploit are highly interesting, an examination of the response from Oracle demonstrates how crucial an effective incident response program is to an organization.

The Attack Timeline

On April 2, the IT firm Security Explorations notified Oracle about a total of 19 unpatched vulnerabilities in the Java 7 Sandbox (Constantin).  Oracle responded by including the fixes to some of these in their round of October security patches.  Flash forward to August, when security experts began to see 2 of these vulnerabilities used in limited targeted attacks.  Dubbed the Gondvv exploit (Java CVE-2012-4681), it was disclosed publicly by FireEye on Sunday, August 26 (Mushtaq).  On August 27, experts discovered that sites in China and Singapore were hosting pages with the exploit, and the payload mostly installed variants of the Poison Ivy RAT onto machines (Fisher).  Almost immediately thereafter, the exploit was added to the Blackhole attack toolkit, a popular and publicly available collection of numerous exploits (Constantin).  On August 29, Patrick Runald, director of security research for Websense, revealed that his team had found over 100 infected domains serving malware, and several security experts, including US-CERT, recommended disabling Java altogether in the browser to prevent infection (Saita).

Response

Although the details of Oracle’s internal response remain secret, Oracle released Java 7 Update 7 on August 30, which addressed the initial vulnerabilities.  The patch was available for the public to download, and a short blog entry and security alert were posted.  On August 31, the Security Explorations team found that the Java 7 patch itself contained a vulnerability that allows the same attacks through a browser (Greenberg, “Oracle’s Java Security Woes”).  Researchers then found more flaws in the Java SE program throughout September that enabled a complete Java sandbox escape, including ones that were capable of compromising a fully patched Windows 7 computer (Mimoso, “New Zero-Day Vulnerability Found”).  In the meantime, variants of the original attack continued to wreak havoc on unsuspecting users while organizations waited for the comprehensive October update.

Lessons Learned

Many IT entities, such as the National Institute of Standards and Technology and the SANS Institute, have published extensive documentation of proper Incident Response procedures, and these include a post-incident step to analyze the response for areas of improvement.  In particular, the SANS Institute offers the Incident Handlers Handbook, which states that “the most critical phase after all of the others is Lessons Learned” (Kral, 9).  After reviewing Oracle’s handling of the problems, clues to their internal Incident Response procedures can be inferred.  The most obvious flaw in Oracle’s response is patch management.  Oracle patches their products every 4 months, and rarely issues out-of-band patches.  In contrast, Microsoft has a monthly “Patch Tuesday”, in which new updates are rolled out to administrators, and even that schedule has been criticized as inefficient.  To the credit of their CIRT, Oracle released the emergency patch only 4 days after the exploit went public and vowed to deliver 109 patches across all products in the October update, but by then the exploit was already part of the Blackhole toolkit (Mimoso, “Oracle Patch Update”).

Another potential area of improvement is Oracle’s preparation and vulnerability management processes.  Although there was plenty of preparation and testing time available, Oracle apparently didn’t prioritize the production of a reliable fix by late August.  Further proof of the patch being rushed is that it contained vulnerabilities of its own.  The vulnerabilities were spotted and reported to the public by an outside organization, showing a lack of effective internal review procedures.  In addition, other sandbox vulnerabilities in Java have appeared since the initial attack (Mimoso, “New Zero-Day Vulnerability Found”).  This demonstrates that Oracle hadn’t done their due diligence when they had the chance, and a reliable solution was simply not available when needed.

Worse, the widespread install base of Java has led to compromises in the applications of other companies.  Metasploit researcher Eric Romang discovered new vulnerabilities in Microsoft’s Internet Explorer, after working with an exploited Java server (Romang).  Apple took protective measures, providing a Java update that uninstalls older versions of the Java plugin and blocking Java executables from running automatically in web browsers (Greenberg, “Apple Kills Java”).   At this juncture, many security experts have published detailed instructions about how to disable or uninstall Java from the desktop, and it was arguably wiser to take this course of action rather than wait for Oracle to effectively address the problem.

Potentially the most damaging aspect of their response is the glaring weakness of Oracle’s initial communications with the general public, especially home users.  Granted, Oracle did rapidly release an emergency patch to correct the first wave of attacks, and made their first public acknowledgment along with it.  However, the patch was initially made available to the public from their website as a manual download, with the full automated update coming down the pipe later in October.  They also seem to have tried to downplay the wide scope of the incident and the urgency of the issue, targeting mostly IT Administrators by mentioning the patch in a blog post, a security alert, and their somewhat obscure update release notes.  Their response shows that Oracle’s PR team chose to take the self-protection route and bungled a chance to show sympathy to the public at large.  These factors, coupled with the complexities and lack of proper update procedures on the typical corporate infrastructure, suggest that the Gondvv exploit, for all intents and purposes, is here to stay.

__________

Constantin, Lucian.  “Oracle Knew about Zero-Day Java Vulnerabilities for Months, Researcher Says.”  Computerworld.  Computerworld, Inc.  29 Aug. 2012. Web.  17 Oct. 2012.  <http://www.computerworld.com/s/article/9230747/Oracle_knew_about_zero_day_Java_vulnerabilities_for_months_researcher_says>

Dormann, Will, Fred Long, Michael Orlando and David Svoboda.  “Vulnerability Note VU#636312: Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code.”  US-CERT.  Department of Homeland Security.  12 Sept. 2012.  Web.  15 Oct. 2012.  <http://www.kb.cert.org/vuls/id/636312>

Fisher, Dennis.  “New Java Zero Day Being Used in Targeted Attacks.”  Threatpost.  Threatpost.com.  27 Aug. 2012. Web.  17 Oct. 2012.  <http://threatpost.com/en_us/blogs/new-java-zero-day-being-used-targeted-attacks-082712>

Greenberg, Andy.  “Apple Kills Java In Macs Browsers After a Slew Of Security Vulnerabilities”.  Forbes.com.  Forbes.com LLC.  18 Oct. 2012. Web. 19 Oct. 2012.  <http://www.forbes.com/sites/andygreenberg/2012/10/18/apple-kills-java-in-macs-browsers-after-a-slew-of-security-vulnerabilities/#>

Greenberg, Andy.  “Oracle’s Java Security Woes Mount as Researchers Spot a Bug In its Critical Bug Fix”.  Forbes.com.  Forbes.com LLC.  31 Aug. 2012. Web.  15 Oct. 2012.  <http://www.forbes.com/sites/andygreenberg/2012/08/31/oracles-java-security-woes-mount-as-researchers-spot-a-bug-in-its-critical-bug-fix/>

Kral, Patrick.  The Incident Handlers Handbook.  The SANS Institute, p.9.  5 Dec. 2011. Web.  15 Oct. 2012.  <http://www.sans.org/reading_room/whitepapers/incident/incident-handlers-handbook_33901>

Mimoso, Michael.  “New Zero-Day Vulnerability Found in Java 5, 6, and 7; 1.1 Billion Desktops Affected”.  Threatpost.  Threatpost.com.  26 Sept. 2012. Web.  14 Oct. 2012.  <https://threatpost.com/en_us/blogs/new-zero-day-vulnerability-found-java-5-6-and-7-11-billion-desktops-affected-092612>

Mimoso, Michael.  “Oracle Patch Update to Include 109 Patches”.  Threatpost.  Threatpost.com.  15 Oct. 2012. Web.  22 Oct. 2012.  <http://threatpost.com/en_us/blogs/oracle-patch-update-include-109-patches-101512>

Mushtaq, Atif.  “Zero Day Season is Not Over Yet”.  Fireeye Malware Intelligence Lab.  Fireeye, Inc.  26 Aug. 2012. Web.  15 Oct. 2012.  <http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>

Romang, Eric.  “Zero-Day Season Is Really Not Over Yet”.  Eric Romang Blog aka wow on ZATAZ.com.  WordPress.  16 Sept. 2012. Web.  17 Oct. 2012.  <http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/>

Saita, Anne.  “Chorus Grows Louder to Disable Java 7 After Exploit Hits Mainstream”.  Threatpost.  Threatpost.com.  29 Aug. 2012. Web.  17 Oct. 2012.  <https://threatpost.com/en_us/blogs/chorus-grows-louder-disable-java-7-after-exploit-hits-mainstream-082912>
