/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Java Zero Day Vulnerability Exploits JMX and MethodHandles

DZone's Guide to

Java Zero Day Vulnerability Exploits JMX and MethodHandles

by
Dustin Marx
·
Jan. 21, 13 · Java Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Learn how our document data model can map directly to how you program your app, and native database features like secondary indexes, geospatial and text search give you full access to your data. Brought to you in partnership with MongoDB.

I recently identified software security issues (#2), especially related to Java, as one of the most significant software development themes of 2012. Not even a month into 2013, a news story receiving a lot of press is the U.S. Department of Homeland Security's issuing of Alert (TA13-010A), which is described with more technical details in Vulnerability Note VU#625617. Oracle has since released a Security Alert for CVE-2013-0422.

Vulnerability Note VU#625617 includes a paragraph that is particularly insightful:

By leveraging the a vulnerability in the Java Management Extensions ( JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving recursive use of the Reflection API via the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected. The invokeWithArguments method was introduced with Java 7, so therefore Java 6 is not affected.

The above scenario is described in great detail in Tim Boudreau's excellent The Java Security Exploit in (Mostly) Plain English and he references Java 0day 1.7.0_10 decrypted source code that demonstrates the code that can implement an attack that takes advantage of the described JMX/MethodHandles combination vulnerability. Kafeine's (Malware don't need Coffee) post 0 day 1.7u10 (CVE-2013-0422) spotted in the Wild - Disable Java Plugin NOW ! provides numerous screen snapshots to illustrate this Java Zero-Day Malware in action.

The TA13-010A/CVE-2013-0422 Java Zero Day Vulnerability has made the mainstream news with coverage by Norton/Symantec (What's All the Buzz About Java? Fixing The Vulnerability and Java Zero-Day Dished Up from Cool Exploit Kit), McAfee (Java Zero-Day Vulnerability Pushes Out Crimeware), InformationWeek (Java Zero Day Attack: Second Bug Found), Fox News (Reuters: As Hacking Concerns Build, U.S. Warns on Java Software), CNN (Critical Java vulnerability due to incomplete earlier patch), and many more news outlets.

As stated above, Oracle has issued a patch, but the Department of Homeland Security still recommends disabling Java in the browser.

 

Discover when your data grows or your application performance demands increase, MongoDB Atlas allows you to scale out your deployment with an automated sharding process that ensures zero application downtime. Brought to you in partnership with MongoDB.

Like This Article? Read More From DZone

7 Things Technology Leaders Need to Know About Software Quality
Database Fundamentals #5: Database Properties
Microsoft Cognitive Services: Playground App

Free DZone Refcard

Getting Started With Vaadin Framework 8
DOWNLOAD
Topics:

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Dustin Marx, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Java Partner Resources

The single app analytics solutions to take your web and mobile apps to the next level. Try today!
Modern Java EE Design Patterns: Building Scalable Architecture for Sustainable Enterprise Development
An Introduction to Progressive Web Applications with Spring Boot and Angular
Advanced Linux Commands [Cheat Sheet]
How to Build (and Scale) with Microservices
The Importance of Monitoring Containers
CA App Experience Analytics, a whole new level of visibility. Learn more.
Easily Build Continuous Delivery Pipelines with Jenkins and Pipeline Plugin
Tutorial: Setting up WordPress as distributed microservices
Making Sense of the Container Ecosystem: Kubernetes Comparison eBook
Discover How Not to be Slowed Down by a Rigid Relational schema or a Complicated ORM Layer
Modernization: The End Of Heavyweight Java EE Applications

Java Partner Resources

The single app analytics solutions to take your web and mobile apps to the next level. Try today!
Modern Java EE Design Patterns: Building Scalable Architecture for Sustainable Enterprise Development
An Introduction to Progressive Web Applications with Spring Boot and Angular
Advanced Linux Commands [Cheat Sheet]
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone