Monday, January 14, 2013

Java Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code

This is an unusually Strong Warning about a Java Vulnerability. Read on...

Don

Vulnerability Note VU#625617

Java 7 fails to restrict access to privileged code

Original Release date: 10 Jan 2013 | Last revised: 14 Jan 2013

Overview

Java 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException".

By leveraging a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving recursive use of the Reflection API via the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to grant itself full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and consequently IcedTea, are also affected. The invokeWithArguments method was introduced with Java 7, so Java 6 is not affected.
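The check quoted from Oracle's documentation two paragraphs above is the control that the exploit chain described here gets around. The following is an added illustration, not code from the CERT note or from this blog: it installs a restrictive SecurityManager that withholds RuntimePermission("setSecurityManager"), the way an applet sandbox does, and then shows that a direct call to System.setSecurityManager(null) is refused and the manager stays in place. The class names SandboxManager and SetSecurityManagerCheck are assumptions. It does not reproduce the JMX or reflection steps; it only demonstrates the permission check those steps were used to bypass. It compiles with deprecation warnings on JDK 17 and later, needs -Djava.security.manager=allow on JDK 18 through 23, and no longer runs on JDK 24 or later, where the SecurityManager has been permanently disabled.

```java
import java.security.Permission;

// Added example: a minimal stand-in for the applet sandbox. It allows everything
// except replacing the SecurityManager itself, which is exactly the permission
// that System.setSecurityManager() checks for when a manager is already installed.
public class SetSecurityManagerCheck {

    // Hypothetical sandbox manager (assumption; not Oracle's or the browser's code).
    static class SandboxManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // The check Oracle documents: setSecurityManager() requires
            // RuntimePermission("setSecurityManager"). Untrusted code never gets it.
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException(
                        "sandboxed code may not replace the SecurityManager");
            }
            // Every other permission is granted here so the demo JVM keeps running;
            // a real sandbox policy is far stricter.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Attempts what an untrusted applet must never be able to do: drop the manager.
    // Returns true only if the call succeeded, i.e. the sandbox was escaped.
    static boolean tryDisableSecurityManager() {
        try {
            System.setSecurityManager(null);
            return true;
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // No manager is installed yet, so this first call is permitted.
        System.setSecurityManager(new SandboxManager());

        boolean escaped = tryDisableSecurityManager();
        System.out.println("sandbox escaped: " + escaped);
        System.out.println("SecurityManager still installed: "
                + (System.getSecurityManager() != null));
    }
}
```

The point for defenders is that the check itself was never the weak link: it behaves correctly when reached directly. The CVE-2013-0422 chain instead used the JMX and MethodHandle flaws to obtain a privileged calling context from which the same setSecurityManager() call passes, which is why the fix had to close those two components rather than change this check.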

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.

Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.

Solution

Read More...
http://www.kb.cert.org/vuls/id/625617

Credit

Thanks to Kafeine for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2013-0422
  • Date Public: 10 Jan 2013
  • Date First Published: 10 Jan 2013
  • Date Last Updated: 14 Jan 2013
  • Document Revision: 107

Report a Vulnerability

Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.
