During the past two days there has been a lot of activity and concern around vulnerabilities in two different widely used technologies: Java and Ruby on Rails.
With this post, Trend Micro wants to help people understand the situation, the risks, and how we are protecting our customers. Additionally we want to let customers know what they can do to protect themselves.
As we noted yesterday, there is a new zero day vulnerability affecting Oracle’s Java. The Java vulnerability situation is very serious. Because this is a zero day situation, there is no patch available from Oracle at this time. The United States Department of Homeland Security today recommended disabling Java entirely until a patch is released.
The vulnerability under active attack is being targeted from hacker tools like the Black Hole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK) that distribute malware, most notably ransomware like the Reveton variants.
And while not under active attack, the Ruby on Rails vulnerabilities are also serious. We’ve seen an announcement of two critical vulnerabilities affecting Ruby on Rails in the past couple of days. Unlike the Java situation, patches are available for these vulnerabilities. Also, there are not widespread attacks against these vulnerabilities at this time. However, exploit code has been released in a module for the Metasploit framework. The availability of exploit code does mean there can be an increased risk of attacks against the vulnerability.
It’s also worrisome to have both a serious server-side vulnerability and an actively-attacked client-side zero vulnerability occurring at the same time. While there is no current evidence of this at this time, it remains possible that attackers could utilize both of these and attack webservers using the Ruby on Rails vulnerability and then place attack code on the compromised server that targets the Java vulnerability.
This scenario could lend itself particularly well for “watering hole” style attacks like we outlined in our 2013 Targeted Attacks prediction and have seen recently against the current Internet Explorer vulnerability attacked over the holidays.
Clearly, this is a serious situation and people should take steps to protect themselves as best they can. People running Ruby on Rails should test and deploy the patches as soon as possible. Protecting yourself against the Java vulnerability is harder. While some have suggested disabling Java, that’s often not a realistic option due to it being a critical technology for business. The latest version of Java includes a security control that enables you to keep Java on the system but disable it in the browser: this may be a more viable option for some. Unfortunately, in some cases neither of these options will be viable. But we encourage people to evaluate these options and the risks we’ve outlined and make the best decision for their needs while planning to deploy the patch from Oracle as soon as possible when it is released.
Trend Micro customers do have other options around the Java vulnerability. We reported yesterday that Deep Security and Internet Defense Firewall products provided high-level protections that protected against attacks against the Java vulnerability. Today we’ve released a new update (DSRU13-002) for these products that provides better generic protections specifically for the Java vulnerability.
With today’s signature release (OPR 9.649.00) customers running Titanium Internet Security, Worry Free Business Security, and OfficeScan products have protections against attacks using the Java vulnerability. Specifically, today’s signatures protect against:
- Attempts to exploit the Java vulnerability
- Sites that load the exploit code
- Currently known malware that the attacks attempt to load
Deep Discovery can also detect the network traffic associated with REVETON malware, which is currently known to be loaded by these attacks.
Finally today’s update also includes rules for Deep Security that protect against attempts to exploit the Ruby on Rails vulnerabilities.
We encourage customers to download and deploy all updated signatures to protect against the Java zero-day vulnerability and for Ruby on Rails to provide protections while they test and deploy the patches.
Trend Micro Deep Security shields networks through the following Deep Packet Inspection (DPI) rules.
|DPI Rule number||Name||Vulnerability ID||IDF Compatibility|
|1004711||Identified Malicious Java JAR Files||CVE-2013-0422||Y|
|1005331||Ruby On Rails XML Processor YAML Deserialization DoS||CVE-2013-0156||N|
|1005328||Ruby On Rails XML Processor YAML Deserialization Code Execution Vulnerability||CVE-2013-0156||N|
Titanium Internet Security, Worry Free Business Security and OfficeScan users are also protected from known attacks leveraging this zero-day exploit.
|HTML_EXPLOIT.RG||Sites that load the exploit code|
|TROJ_REVETON.RG||Known Payload in Attempts to Attack Vulnerability|
|TROJ_REVETON.RJ||Known Payload in Attempts to Attack Vulnerability|
In addition, the network traffic of TROJ_REVETON is detected by Deep Discovery via rule ID 616 TCP_REVETON_REQUEST.
We will continue to monitor this situation closely and provide updates as we have them.
Want a less technical explanation about protecting your personal computer from the Java zero-day exploit? Check out our Fearless Web blog.
Update as of 6:15 PM PST, January 13, 2013
Oracle has released an update to Java which patches the vulnerability targeted by this attack. The patch increments the latest version of Java 7 to Update 11, and may be downloaded from the official Java website.
We strongly urge users to download and install this update onto their systems if they still have Java installed.
Update as of 12:27 PM PST, January 14, 2013
We’ve just made a new post that outlines information on how you can disable Java in the browser here.