Thursday, 29 August 2013

Hackers targeting Java native layer vulnerabilities to insert malicious code


Java logo
Criminal groups are using Java native layer vulnerabilities to infiltrate businesses and government systems, according to security firm Trend Micro.
Trend Micro threats analyst Jack Tang reported the shift in a blog post, confirming the new attacks on Oracle's Java platform are getting increasingly complex.
He wrote: "Java exploits can be divided into two types: Java layer exploits and Java native layer exploits. In the past, Java layer vulnerabilities were more common, but that is no longer the case. Before 2013, there was a three-to-one ratio of Java layer vulnerabilities to Java native layer vulnerabilities. Starting this year, however, we are now seeing more native layer flaws."
Tang said the move to target Java Native Layer exploits is troubling as they show an advance in sophistication within the cyber criminal community.
"Java native layer exploits target the Java native layer runtime. These exploits are harder to create, as they need to bypass OS-level protections like ASLR [address space layout randomisation] and DEP [Data Execution Prevention]. In addition, the skills needed to create native layer exploits are more difficult to acquire," he wrote.
"This year, however, attackers clearly have the capability to take advantage of native layer vulnerabilities. Two methods of exploitation are becoming more common, one is to make use of a Java array length overflow to tamper with the JavaBeans. Statement object's AccessControlContext member."
Tang added that the exploits detected are doubly dangerous as they grant the attack a number of powers over successfully infected systems.
"An attacker can then use the array object to get or set the following buffer precisely. They can tamper with the following JavaBeans. Statement object's acc field, which points to a AccessControlContext object. In general, the acc field will be tampered to point to a full permission AccessControlContext object. This will let arbitrary code be run on the affected system."
Oracle's Java platform has been a growing target for cyber criminals. Over the last year the attacks have forced Oracle to release a number of out of cycle security updates.
Director of enterprise security at Trusteer Dana Tamir said despite having fixes available many firms are yet to release the updates, meaning criminals can and are still creating attacks to target them.
"Vulnerable versions of Java can still be found in many organisations. This is either because users haven't upgraded to the latest Java version available, or because some tools or applications bundle vulnerable versions of Java. This leaves an open window to attackers who exploit such vulnerabilities in order to compromise employee endpoints and gain a foothold in the network," sad Tamir.
Tang mirrored Tamir's sentiment calling for businesses to update their systems as soon as possible. "We urge users to carefully evaluate their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws," he wrote.
Java security issues have been a recurring theme throughout 2013 with numerous patches issued by the likes of Oracle and Apple.

No comments:

Post a Comment