/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Java Zero Day Vulnerability Exploits JMX and MethodHandles

DZone's Guide to

Java Zero Day Vulnerability Exploits JMX and MethodHandles

by
Dustin Marx
·
Jan. 21, 13 · Java Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Build vs Buy a Data Quality Solution: Which is Best for You? Gain insights on a hybrid approach. Download white paper now!

I recently identified software security issues (#2), especially related to Java, as one of the most significant software development themes of 2012. Not even a month into 2013, a news story receiving a lot of press is the U.S. Department of Homeland Security's issuing of Alert (TA13-010A), which is described with more technical details in Vulnerability Note VU#625617. Oracle has since released a Security Alert for CVE-2013-0422.

Vulnerability Note VU#625617 includes a paragraph that is particularly insightful:

By leveraging the a vulnerability in the Java Management Extensions ( JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving recursive use of the Reflection API via the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected. The invokeWithArguments method was introduced with Java 7, so therefore Java 6 is not affected.

The above scenario is described in great detail in Tim Boudreau's excellent The Java Security Exploit in (Mostly) Plain English and he references Java 0day 1.7.0_10 decrypted source code that demonstrates the code that can implement an attack that takes advantage of the described JMX/MethodHandles combination vulnerability. Kafeine's (Malware don't need Coffee) post 0 day 1.7u10 (CVE-2013-0422) spotted in the Wild - Disable Java Plugin NOW ! provides numerous screen snapshots to illustrate this Java Zero-Day Malware in action.

The TA13-010A/CVE-2013-0422 Java Zero Day Vulnerability has made the mainstream news with coverage by Norton/Symantec (What's All the Buzz About Java? Fixing The Vulnerability and Java Zero-Day Dished Up from Cool Exploit Kit), McAfee (Java Zero-Day Vulnerability Pushes Out Crimeware), InformationWeek (Java Zero Day Attack: Second Bug Found), Fox News (Reuters: As Hacking Concerns Build, U.S. Warns on Java Software), CNN (Critical Java vulnerability due to incomplete earlier patch), and many more news outlets.

As stated above, Oracle has issued a patch, but the Department of Homeland Security still recommends disabling Java in the browser.

 

Build vs Buy a Data Quality Solution: Which is Best for You? Maintaining high quality data is essential for operational efficiency, meaningful analytics and good long-term customer relationships. But, when dealing with multiple sources of data, data quality becomes complex, so you need to know when you should build a custom data quality tools effort over canned solutions. Download our whitepaper for more insights into a hybrid approach.

Like This Article? Read More From DZone

OAuth Access Tokens or JSON Web Tokens (JWT) for Delivering a Secure API?
Activating Xcode 9 Code Diagnostics Tools on the iOS CI Server
Jersey Client Dependencies for JAX-RS 2.1

Free DZone Refcard

Getting Started With Play Framework
DOWNLOAD
Topics:

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Dustin Marx, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Java Partner Resources

Build vs Buy a Data Quality Solution: Which is Best for You?
Top 10 Java Performance Problems
Play Framework: The JVM Architect's Path to Super-Fast Web Apps
Headless CMS and Your Business Team | dotCMS eBook
NoSQL Options for Java Developers | Okta Developer
Modern Java EE Design Patterns: Building Scalable Architecture for Sustainable Enterprise Development
Secure a Spring Microservices Architecture with Spring Security and JWTs
jQuery UI and Auto-Complete Address Entry
Reactive Microsystems - The Evolution of Microservices at Scale
Microservices for Java Developers: A Hands-On Introduction to Frameworks & Containers
How To Resolve Network Partitions In Seconds With Lightbend Enterprise Suite
Advanced Linux Commands [Cheat Sheet]

Java Partner Resources

Build vs Buy a Data Quality Solution: Which is Best for You?
Top 10 Java Performance Problems
Play Framework: The JVM Architect's Path to Super-Fast Web Apps
Headless CMS and Your Business Team | dotCMS eBook

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone