This week Brian Krebs posted some important news – according to his sources, the BlackHole exploit kit has been equipped with an exploit for the Java vulnerability CVE-2012-0570, released a mere month ago on Feb. 14 by Oracle. BlackHole is a widely disseminated, exploit kit, commercially available in the underground. It allows interested groups with basic computer knowledge to implement an operation to attack target machines through their web browsers by setting up malicious web sites. Used in conjunction with a malware kit such as Zeus or SpyEye, these groups can build botnets that can then be used to harvest personal information for sale, rented out for SPAM or DDoS operations or handed over to pay-per-install operators.
The quality of exploit kits play an important role in such a setup, as it concentrates the rather sophisticated attack knowledge. The kit has to select the correct exploit based on the user’s configuration and the detected vulnerabilities. Most included exploits focus on older and well-known vulnerabilities (such as CVE-2010-1885 in Internet Explorer or CVE-2011-2110 in Adobe Flash), because they are the most stable and well-researched. A well-maintained target machine can usually not be penetrated with one of these off-the-shelf toolkits, as all software components are at the latest level. However, Java is difficult to update and the addition of an exploit for such new vulnerability in Java sharply increases the risk of an attack for the Internet population at large.
Our recommendation: update your Java installation to the latest version available. There are a number of tools available to help you to find out the version of Java you are running, including Oracle’s own version checker. I recommend our own tool, BrowserCheck. Just point your browser to https://browsercheck.qualys.com and get a precise diagnostic on the state of your browser and its plugins, including Java and other attacker favorites such as Adobe Flash and Adobe Reader.
If you cannot update Java (or you want to make your machine or the ones that you are responsible for more resilient to future attacks) there is a configuration setting in Windows that can be used to limit Java to a few selected and trusted sites. This requires a simple modification of the Windows Registry: changing Registry Value 1C00 to Setting 0 in Zone 3 (Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3) which prohibits the Java from running in the Internet Zone.
Sites that need Java can be whitelisted under Internet Options/Security/Trusted Sites. This works across all versions of IE and is non-overridable. Google Chrome has a similar mechanism, but I like the Internet Explorer better than Google’s implementation, which prompts the user for a decision on whether to run the plugin. Unfortunately most users will opt-in just to get rid of the prompt and continue to load the site, which has the potential to increase their security exposure.