With the disclosure of a new vulnerability present in Java Runtime Environment (JRE) , and Oracle releasing an out-of-turn patch, coupled with the pace at which vulnerabilities are being disclosed, it is impossible to continue using Java.
Although, this vulnerability does not affect any of the earlier versions (v. 1.6), however, previous (v. 1.6) versions of JAVA are vulnerable to numerous flaws and in-order to mitigate these flaws patch updates were made available.
All vulnerabilities, which have been disclosed in the past are capable of allowing the attacker to execute an arbitrary payload of their choice. To execute these types of attacks, a webpage is created by the attacker which will execute a JAVA (.jar) file on the victim’s machine and this .jar is the dropper application, which upon exploitation will download other executable files and execute them on the victim’s machine.
Almost 2 weeks ago, (why it took me 2 weeks time to post this blog is yet another lengthy story), I was contemplating on issuing an advisory about not using Java but then I recollected something about a certain Government Organization.
A bit about this Govt. Organization:
Like every other Government Organization, they have their website and provide extensive information, which can be a great tool for Phishers, Social Engineers etc. Another aspect of this organization is e-filing of certain confidential documents.
In order to achieve e-filing, they has created a Client-Server architecture based application, which assists those who are associated with this organization (lets call them affiliates).
This application is developed – your guess is right – in JAVA. The prerequisites for using this Application for e-filing are:
Internet Explorer v6.0 and above Adobe Reader V 9.4 and lower versions Java Runtime Environment (JRE) 1.6 updated version 30
A Self-Explanatory note from Oracle regarding JRE 1.6 update 30 which advises the users to update to the latest version.
Adobe Reader v9.4, itself is no good when it comes to vulnerabilities, a small search using Google, will yield tons of Adobe vulnerabilities and advisories.
Who exactly are these affiliates?
Some of them are e-Filing centers, and some of them are individuals. What exactly is their nature of work: they process certain financial information, which is provided by the Corporate and the same is forwarded to the Govt. organization. According to these affiliates -A Corporate can be any Pvt. Ltd organization.
What happens when affiliates (Filing Centers / Individuals) of this govt. organization – upgrade to the latest version? The JAVA application just doesn’t work – period.
From an IT security point of view, these affiliates are at high risk. They can’t upgrade nor can they downgrade. From a hacker’s point of view, in case Java exploit doesn’t work then Adobe Acrobat vulnerability will always work. From business point of view, if documents are not submitted then its penalty time.
One might ask a question, what benefit would a hacker gain from attacking these affiliates?
1: Payments to this Govt. Organization are done in numerous ways including Online Banking and payment via card (Credit/Debit).
2: The documents to be uploaded are created using Adobe Acrobat (version 9) and they are digitally signed using e-token.
3: The systems of these affiliates contain vast information pertaining the financial performance, legal documents and many times pertaining to Joint Ventures, Business alliances etc. in form of emails or word documents.
4: Their system is basically a treasure trove of information.
5: The probability of the officials of this govt. organization using Acrobat Reader 9 to verify the uploaded files, cannot be verified nor can it be denied.
One may wonder, in order to carry out an attack, email-ids are required, because logically a Phishing email is the best available option to carry out this attack, as only few will have unrestricted access to these computer systems.
Well, this govt. organization has provided the details of their affiliates on their front page – 748 affiliates in total. Finding the rest of them is not a difficult task either.
Most Corporates, have increased their IT security expenditure to protect their networks, pen-testing and audits are conducted on regular basis however, none so happens at these affiliates. Those who are unaware , some of these affiliates also have access to certain IT resources of a corporate.
Even if affiliates do conduct regular audits and follow the security norms, what exactly is the benefit, as they can neither stop using Adobe Acrobat 9.0 nor can they upgrade to the latest version of Java.
The future is bleak for Indian Organizations because they will have to think out of the box to over-come this threat.
SMBs or SMEs or Enterprises are all equal in the eyes of a hacker or as a matter of fact for a rogue nation to carry out state sponsored attacks on Indian Organizations.
Many Industry experts, prefer to categorize an organization into different sectors (viz. SMB, SME, Enterprise, etc) based on their turnover and the number of systems they use. However in this regard, it just doesn’t matter, as there is a vulnerability which is waiting to be exploited, even after the patch update has been made available, unless and until this govt. organization does come out with e-filing software which doesn’t rely on JAVA.
Some may consider moving on to more safer operating systems, however, even this is not possible as JAVA is not dependent on any Operating System and JAVA exploits work seamlessly on any Operating System platform, OS X, Linux or Windows; it is only the payload which matters.
The latest Metasploit exploit for this vulnerability has been tested on multiple setups including: IE, Firefox, Chrome and Safari on Windows, Linux and OS X, etc.
For the purpose of stats here are some interesting links:
4: For pen-testers who want to test Metasploit Exploits with different versions of Java :
5: When I tested a few exploits on a system with Java 1.6 Update 30, using Java specific exploits (Metasploit Framework), the result was:
[*] Sending stage (752128 bytes) to 192.168.10.5 [*] Meterpreter session 1 opened (192.168.10.2:4444 -> 192.168.10.5:1325) at 2012-08-28 14:13:43 +0530