Microsoft hits Java where it hurts

From InfoWorld: Last week Microsoft Malware Protection Center researcher Matt Oh posted an article on TechNet about how to protect yourself from Java-based malware. To emphasize the point, he delivered a talk at Black Hat 2012 on the same day, saying the situation with Java is deteriorating -- and not just on Windows.

"We are seeing more and more Java vulnerabilities exploited in the wild ... one Java vulnerability can sometimes lead to exploitation on multiple platforms," Oh said.

Oh's main point of concern is sandbox breaches. If malware authors can jump out of the Java/JRE sandbox, they can take control of a system, whether it's running Windows, Mac OS X, or Unix. A single Java vulnerability -- like the "type confusion" security hole CVE-2012-1723, discovered just weeks ago, and the oldie CVE-2012-0507, which led to the Flashback botnet and more than 600,000 infected Macs earlier this year -- can result in working exploits on every platform that runs the vulnerable JRE, because the attack breaks Java's own security model rather than any one operating system's defenses; the same exploit code works wherever the JRE does.

"Type confusion is a vulnerability that occurs when the type safety check in the Java Runtime Environment fails to verify wrong types supplied to instructions working with different types. ... Some of the types from the Java system, like ClassLoader, can be the target of this attack. If those classes' type safety is broken, you can access some methods that are not supposed to be opened to processes outside of the class. This class's type-safety violation ultimately leads to a sandbox compromise for Java," Oh said.

Even worse, because the malware is written in Java, it is easy to obfuscate with readily available automatic tools and well-documented scrambling techniques.

Oh's recommendation is to keep the JRE updated and to disable it whenever possible. If you don't use Java, uninstall the JRE.
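The first half of that advice, "keep the JRE updated", is only actionable if you can tell whether the JRE you have is below the current patched release. The Python below is an added example, not code from the InfoWorld article, from Oh's TechNet post or from any Microsoft tool: it parses the banner that `java -version` prints and compares it with a per-family minimum. The banners in `SAMPLE_BANNERS` are constructed, and the numbers in `MINIMUMS` are placeholders to be replaced from the vendor's current security advisory; they are not presented as the fix levels for any CVE named on this page.

```python
"""Check a `java -version` banner against a minimum patched release.

Added example; the sample banners below are constructed and the minimum
versions are placeholders, not the fix levels for any particular CVE.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, update)

# `java -version` prints its banner on stderr, e.g.
#   java version "1.7.0_04"
#   Java(TM) SE Runtime Environment (build 1.7.0_04-b20)
# Pre-Java-9 releases are numbered 1.<family>.0_<update>; the update number is
# what moves with each security release, so it must be compared numerically
# ("1.7.0_04" is older than "1.7.0_10" even though "04" sorts after "10" as text).
_BANNER_RE = re.compile(
    r'^(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?', re.MULTILINE
)

# PLACEHOLDER minimums (assumption): take the real values from the vendor's
# current Critical Patch Update advisory before relying on this check.
MINIMUMS: Dict[str, Version] = {"1.6": (1, 6, 0, 33), "1.7": (1, 7, 0, 5)}

# Constructed sample banners in the format `java -version` used in 2012.
SAMPLE_BANNERS: Dict[str, str] = {
    "old-7": 'java version "1.7.0_04"\nJava(TM) SE Runtime Environment (build 1.7.0_04-b20)\n',
    "new-7": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "old-6": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b04)\n',
    "openjdk-6": 'openjdk version "1.6.0_24"\nOpenJDK Runtime Environment (IcedTea6 1.11.1)\n',
    "no-java": "bash: java: command not found\n",
}


def parse_java_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch, update) from a `java -version` banner, or None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def family(version: Version) -> str:
    """Java 6 and Java 7 shipped separate update trains, so a minimum patched
    level is only meaningful per family ("1.6", "1.7"): 1.6.0_33 is not
    "older" than 1.7.0_04 in any security-relevant sense."""
    return f"{version[0]}.{version[1]}"


def is_outdated(installed: Version, minimums: Dict[str, Version]) -> bool:
    """True if the JRE is below its family's minimum, or if its family has no
    known-good release at all (an unsupported train is treated as outdated)."""
    fam = family(installed)
    if fam not in minimums:
        return True
    return installed < minimums[fam]


def audit(banner: Optional[str], minimums: Dict[str, Version]) -> Dict[str, object]:
    """Summarise one banner: whether a JRE was found, its version and family,
    and whether it needs updating. No JRE at all is reported, not flagged."""
    version = parse_java_version(banner) if banner else None
    if version is None:
        return {"installed": False, "version": None, "family": None, "outdated": None}
    return {
        "installed": True,
        "version": version,
        "family": family(version),
        "outdated": is_outdated(version, minimums),
    }


def installed_java_banner(java: str = "java") -> Optional[str]:
    """Run `java -version` for the JRE on PATH and return its banner, or None."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for name, sample in SAMPLE_BANNERS.items():
        print(f"{name:10s} {audit(sample, MINIMUMS)}")
    print(f"{'this host':10s} {audit(installed_java_banner(), MINIMUMS)}")
```

One caveat for the second half of the advice: `java` on PATH is only one JRE. A machine can carry several (a vendor JDK, a bundled runtime, the browser plugin's own copy), and the one the browser loads is the one that matters for drive-by exploits, so run the check against each installation you can find rather than trusting a single PATH lookup.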
