During the past two days there has been a lot of activity and concern around vulnerabilities in two different widely used technologies: Java and Ruby on Rails.
With this post, Trend Micro wants to help people understand the situation, the risks, and how we are protecting our customers. Additionally, we want to let customers know what they can do to protect themselves.
As we noted yesterday, there is a new zero-day vulnerability affecting Oracle’s Java. The Java situation is very serious: because this is a zero-day, there is no patch available from Oracle at this time. The United States Department of Homeland Security today recommended disabling Java entirely until a patch is released.
The vulnerability is under active attack: it is being exploited by crimeware tools such as the Black Hole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK), which distribute malware, most notably ransomware like the Reveton variants.
While not under active attack, the Ruby on Rails vulnerabilities are also serious. In the past couple of days we’ve seen an announcement of two critical vulnerabilities affecting Ruby on Rails. Unlike the Java situation, patches are available for these vulnerabilities, and there are no widespread attacks against them at this time. However, exploit code has been released as a module for the Metasploit framework, and publicly available exploit code does increase the risk of attacks against a vulnerability.
It’s also worrisome to have a serious server-side vulnerability and an actively attacked client-side zero-day vulnerability occurring at the same time. While there is no evidence of this at present, it remains possible that attackers could combine the two: compromise web servers through the Ruby on Rails vulnerability, then place attack code on the compromised servers that targets the Java vulnerability.
This scenario could lend itself particularly well to “watering hole” style attacks, like those we outlined in our 2013 Targeted Attacks predictions and have seen recently against the current Internet Explorer vulnerability that was attacked over the holidays.