Cybercriminals Exploiting Java Digital Signature Flaw

If you spent the last few years of your life worrying about the various Adobe PDF exploits, it is time for some fresh news. Java is overtaking Adobe products in the exploits category, and a recent Java digital signature exploit takes things even further in the threat arena. Cybercriminals have started using flaws in Java's digital certificate checks to run their malicious code through web browsers. The misbehaving application is usually signed with a trusted certificate, which makes it impossible to spot any malicious behavior at first glance.


A similar signed and infected application was found on the website of Chemnitz University of Technology in Germany. The application was signed, and it was linked to a known web-exploit toolkit called g01pack, which was probably developed by the Iranian Cyber Army. The first sample of the attack was discovered on February 28.

Java 7 brought a new feature called Security Control to the table. With update 11 of Java 7, the default security level was set to High, which requires users to approve an applet before it runs, whether it is signed or not. However, an unsigned applet shows a clear security warning, whereas a signed one shows only a confirmation dialog, albeit with the same call to action. In the case of this malicious application, too, the dialog was the one shown for a signed application. On closer manual inspection, though, the application turned out to be signed with a certificate that had been revoked in December last year. Clearly, Java does not check for revoked certificates by default.
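What a revocation-aware check of a signed applet JAR looks like when done explicitly, as an added example that is not from the original post or from Oracle: the program takes a JAR path on the command line (an assumption), verifies the entry signatures, and then validates each signer chain against the JRE's own cacerts store with the Java 8+ PKIXRevocationChecker, which fails closed both when a certificate is revoked and when no revocation status can be obtained. It needs network access to reach the OCSP responders and CRL distribution points named in the certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Verifies the signatures on a JAR, then validates every signer's certificate
 * chain with revocation checking (OCSP and CRL distribution points) turned on,
 * so a revoked signing certificate is rejected rather than waved through.
 * Usage: java SignedJarRevocationCheck path/to/applet.jar
 */
public class SignedJarRevocationCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SignedJarRevocationCheck <jar>");
            System.exit(2);
        }

        // Step 1: check the entry signatures and collect the distinct signer chains.
        Set<CertPath> signerChains = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(args[0], true)) {   // verify = true
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // An entry's signature is verified while its bytes are read; a
                // modified entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                } catch (SecurityException e) {
                    System.out.println("TAMPERED entry: " + entry.getName() + " (" + e.getMessage() + ")");
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners();   // populated only after the read
                if (signers == null) {
                    System.out.println("UNSIGNED entry: " + entry.getName());
                    continue;
                }
                for (CodeSigner signer : signers) {
                    signerChains.add(signer.getSignerCertPath());
                }
            }
        }

        // Step 2: trust anchors are the JRE's own cacerts store.
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        String cacertsPath = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(cacertsPath)) {
            cacerts.load(in, null);   // null password: integrity check skipped, read-only use
        }
        PKIXParameters params = new PKIXParameters(cacerts);

        // Step 3: the Java 8+ PKIXRevocationChecker fetches OCSP responses and CRLs from
        // the URLs embedded in the certificates and, with no options set, fails closed.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        params.addCertPathChecker(revocation);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (CertPath chain : signerChains) {
            List<Certificate> certs = new ArrayList<>(chain.getCertificates());
            // If the chain carries its own self-signed root, drop it so the root is
            // matched against the trust anchors rather than validated as a path element.
            X509Certificate last = (X509Certificate) certs.get(certs.size() - 1);
            if (certs.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                certs.remove(certs.size() - 1);
            }
            X509Certificate leaf = (X509Certificate) certs.get(0);
            try {
                validator.validate(cf.generateCertPath(certs), params);
                System.out.println("OK       " + leaf.getSubjectX500Principal());
            } catch (CertPathValidatorException e) {
                // getReason() is BasicReason.REVOKED for a revoked signer and
                // BasicReason.UNDETERMINED_REVOCATION_STATUS when no status was reachable.
                System.out.println("REJECTED " + leaf.getSubjectX500Principal()
                        + ": " + e.getReason() + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The design point is the fail-closed checker: the plugin's default behaviour described in the post silently skips revocation, whereas here a signer whose certificate was revoked months earlier, or whose status cannot be fetched at all, is reported as REJECTED with the reason attached rather than being accepted.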

Zero Day Java Vulnerability Compromises Computers of Facebook Employees

Last month, a number of major companies, including the New York Times, the Washington Post and, most recently, Twitter, revealed that they had been targeted by hackers, leading to some form of data breach.

In a recent development, Facebook has now also revealed that some of its employees' computers were hacked using a Java exploit. In a blog post penned yesterday, Facebook's security team says:

[…] In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.

After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware.

The computers were compromised when employees visited a mobile developer website that had itself been compromised to host a zero-day exploit, which installed malware on their PCs. Facebook contacted Oracle regarding the exploit, and Oracle released a patch for it on February 1st.
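The triage step the Facebook team describes, flagging a domain in the corporate DNS logs and tracing it back to the client that asked for it, as an added example in Java that is not Facebook's code: it scans BIND-style resolver query logs (constructed sample lines using placeholder domains under the reserved .example TLD, not real indicators) against a watchlist, matches subdomains but not look-alike names, and groups the hits by client address so each machine can be pulled for forensic examination.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Matches resolver query logs against a watchlist of domains and reports, per
 * client address, which watched domains it asked for and when. Subdomains of a
 * watched domain match (update.bad.example matches bad.example); look-alikes
 * such as notbad.example do not.
 */
public class DnsWatchlistTriage {

    // BIND-style query log line (constructed format for this example), e.g.
    // 28-Feb-2013 10:15:07.881 client 10.1.2.3#53413: query: update.bad.example IN A + (10.1.1.1)
    private static final Pattern QUERY_LINE = Pattern.compile(
            "^(\\S+ \\S+) client (\\d{1,3}(?:\\.\\d{1,3}){3})#\\d+: query: (\\S+) IN (\\S+)");

    /** One query a client made for a watched domain. */
    public static final class Hit {
        public final String timestamp, client, qname, watchedDomain;

        Hit(String timestamp, String client, String qname, String watchedDomain) {
            this.timestamp = timestamp;
            this.client = client;
            this.qname = qname;
            this.watchedDomain = watchedDomain;
        }

        @Override
        public String toString() {
            return timestamp + " " + qname + " (watched: " + watchedDomain + ")";
        }
    }

    /** Returns the watchlist entry that qname equals or sits under, or null if none. */
    public static String matchWatchlist(String qname, Set<String> watchlist) {
        String name = qname.toLowerCase(Locale.ROOT);
        if (name.endsWith(".")) {                       // strip the trailing root dot
            name = name.substring(0, name.length() - 1);
        }
        for (String watched : watchlist) {
            if (name.equals(watched) || name.endsWith("." + watched)) {
                return watched;
            }
        }
        return null;
    }

    /** Scans log lines and returns every query for a watched domain, in log order. */
    public static List<Hit> findHits(List<String> logLines, Set<String> watchlist) {
        List<Hit> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = QUERY_LINE.matcher(line);
            if (!m.find()) {
                continue;                               // not a query line, or unparsable
            }
            String watched = matchWatchlist(m.group(3), watchlist);
            if (watched != null) {
                hits.add(new Hit(m.group(1), m.group(2), m.group(3), watched));
            }
        }
        return hits;
    }

    /** Groups hits by client address so each suspect host can be pulled for forensics. */
    public static Map<String, List<Hit>> byClient(List<Hit> hits) {
        Map<String, List<Hit>> grouped = new LinkedHashMap<>();
        for (Hit h : hits) {
            grouped.computeIfAbsent(h.client, k -> new ArrayList<>()).add(h);
        }
        return grouped;
    }

    public static void main(String[] args) {
        // Constructed sample log; the .example domains are placeholders, not real indicators.
        List<String> log = Arrays.asList(
                "28-Feb-2013 10:15:02.123 client 10.1.2.3#53412: query: www.intranet.example IN A + (10.1.1.1)",
                "28-Feb-2013 10:15:07.881 client 10.1.2.3#53413: query: update.bad.example IN A + (10.1.1.1)",
                "28-Feb-2013 10:16:40.004 client 10.1.2.9#40211: query: notbad.example IN A + (10.1.1.1)",
                "28-Feb-2013 10:17:13.550 client 10.1.2.3#53419: query: update.bad.example IN A + (10.1.1.1)",
                "28-Feb-2013 10:18:02.000 client 10.1.2.7#51000: query: C2.EXAMPLE. IN TXT + (10.1.1.1)",
                "28-Feb-2013 10:18:05.000 resolver: cache cleaned");
        Set<String> watchlist = new TreeSet<>(Arrays.asList("bad.example", "c2.example"));  // lowercase entries

        Map<String, List<Hit>> suspects = byClient(findHits(log, watchlist));
        for (Map.Entry<String, List<Hit>> e : suspects.entrySet()) {
            System.out.println("client " + e.getKey() + " made " + e.getValue().size() + " watched query(ies):");
            for (Hit h : e.getValue()) {
                System.out.println("    " + h);
            }
        }
    }
}
```

On the constructed sample, 10.1.2.3 is reported for its two queries to update.bad.example and 10.1.2.7 for its one to C2.EXAMPLE. (case and the trailing dot are normalised), while 10.1.2.9 is not reported because notbad.example is not under bad.example. The per-client grouping is what turns "we flagged a suspicious domain" into a list of laptops to image.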

Facebook says that other companies were targeted in a similar manner and they are working with the affected companies and law enforcement officials to track the source of the attack.

And most importantly for us, there is no evidence that any kind of user data was exposed. Well, that’s a relief!

Source: Facebook

Yahoo! Sitebuilder is Still Stuck with Java Version from 2008

Over the last few years, we have seen a number of exploits and vulnerabilities in Java. Oracle released Java 6 update 39 earlier this month, fixing several security bugs. This was probably the last security update for Java 6, as Oracle had said earlier that there would be no security updates for Java 6 after February. However, you will be surprised to learn that some top-notch organizations still ask you to install age-old versions of Java.


Sitebuilder is one such tool from Yahoo!. Sitebuilder can be used to whip up really simple websites within a few minutes. It is not the kind of tool developers would boast of, and I do not know anyone who uses it. However, the tool very much exists, and it is distributed by Yahoo!. Most of us would not care to use it, but there are people who want to skip the technical know-how and just get the website out.

Here comes the interesting part: Yahoo! Sitebuilder comes with Java 6 update 7, which came out back in the summer of 2008. That version of Java is severely flawed and outdated. The Sitebuilder tool cannot really be blamed either, as it advertises support for Windows Vista at best, which makes it look like no one at Yahoo! cares about Sitebuilder either! What matters, though, is that Sitebuilder is distributed by Yahoo!, and given the number of hacks and malware Java is attracting lately, Yahoo! should take care of this and stop helping to spread Java vulnerabilities.

Another Day, Another Java Vulnerability Discovered!

So you have read about the recent vulnerabilities discovered in Java that attackers used to spread malware? Have you installed the latest out-of-band update that Oracle released in order to close those vulnerabilities? Think it’s time to move on to other stories? Well, think again.

Computerworld is reporting that another serious vulnerability has been discovered in the latest update, one that could allow an attacker to escape the Java security sandbox and run arbitrary code on your system. The vulnerability was discovered by a Polish security firm called Security Explorations and has been reported to Oracle, according to its CEO, Adam Gowdiak. He has also stated that they will not release any technical details of the vulnerability until Oracle issues a fix.

In an email to IDG News Service, he states:

“Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again,” Gowdiak said. “A new idea came, it was verified and it turned out that this was it.”

Oracle hasn't hinted whether it will release an out-of-band update like the previous one or simply include the patch in the scheduled October update. With vulnerabilities being discovered at such a fast pace, it might be time for Oracle to reconsider its four-month update cycle. As the time it takes to fix these vulnerabilities grows, so does the chance that they will be used to attack users, leaving users at greater risk.

At this moment, the best option for you is to disable Java if you don't really use it. Alternatively, you can disable Java in your primary browser and use a secondary browser only for the web apps that require Java (if you absolutely need those web apps and are sure they are not rogue), so that you don't wander into compromised websites that make use of Java vulnerabilities.

Critical Zero Day Java Vulnerability Wreaking Havoc

A critical zero-day vulnerability in Java has caused worldwide panic and unrest. The flaw is being exploited in the wild, and there is an array of exploit code available for it. Metasploit was the first to provide a proof-of-concept that works on a variety of browsers. The vulnerability is still unpatched, and although there are no reported criminal cases yet, there is no guarantee that it is not happening already. The safest course is to disable the Java plugin in your browser until Oracle releases a fix for the vulnerability.

This security hole affects all Java versions in the 7.x branch. It works across all browsers, including Google Chrome, which is touted as unbreakable and secure. Apparently, Google Chrome's sandbox only runs Adobe Flash sandboxed by default; the Java plugin is not part of the Chrome sandbox. Java is platform independent, and this exploit rides on that fact, spreading to all popular platforms (Windows, Linux and Mac) with little effort. The most dangerous aspect, though, is that the vulnerability lets malicious code disable the Java Security Manager altogether.
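What the Java Security Manager actually enforces, and why removing it is the whole prize for an applet exploit, as an added example that is not from the original post or from Oracle: under the default policy, a class on the class path is refused both a file read and the removal of the manager, because each needs a permission the sandbox never grants. It runs as-is on JDK 8 to 17, needs -Djava.security.manager=allow on JDK 18 to 23, and cannot run on JDK 24, which removed the Security Manager.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Shows what the Security Manager stands between sandboxed code and the host:
 * under the default java.policy, code on the class path can neither read an
 * arbitrary file nor remove the manager, because both need permissions the
 * sandbox never grants.
 *
 * Run without a custom policy so the default java.policy applies:
 *   JDK 8 to 17:  java SandboxDemo
 *   JDK 18 to 23: java -Djava.security.manager=allow SandboxDemo
 * (JDK 24 removed the Security Manager altogether.)
 */
public class SandboxDemo {

    enum Outcome { ALLOWED, DENIED }

    /** Attempts to read the file; DENIED means the manager's checkRead() vetoed it. */
    static Outcome tryReadFile(Path file) {
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            in.read();
            return Outcome.ALLOWED;
        } catch (SecurityException e) {
            return Outcome.DENIED;
        } catch (IOException e) {
            throw new IllegalStateException("not a sandbox decision", e);
        }
    }

    /** Attempts to remove the manager, which needs RuntimePermission("setSecurityManager"). */
    static Outcome tryRemoveSecurityManager() {
        try {
            System.setSecurityManager(null);
            return Outcome.ALLOWED;
        } catch (SecurityException e) {
            return Outcome.DENIED;
        }
    }

    public static void main(String[] args) throws IOException {
        // Create the "secret" before the sandbox is switched on; creating (and later
        // deleting) it would be denied once the manager is installed, so the temp
        // file is left behind on purpose.
        Path secret = Files.createTempFile("sandbox-demo", ".txt");
        Files.write(secret, "nothing to see here".getBytes(StandardCharsets.UTF_8));

        System.out.println("no sandbox: read file          -> " + tryReadFile(secret));

        // Installing the first manager needs no permission; from here on the default
        // policy grants class-path code only a handful of harmless permissions.
        System.setSecurityManager(new SecurityManager());

        System.out.println("sandboxed:  read file          -> " + tryReadFile(secret));
        System.out.println("sandboxed:  remove the manager -> " + tryRemoveSecurityManager());
        // The exploit discussed above is code that gets the last line to say ALLOWED
        // without holding the permission; once the manager is gone, nothing is checked.
    }
}
```

The two DENIED results are the sandbox working as designed: the file read is refused by checkRead(), and System.setSecurityManager(null) is refused because the caller lacks RuntimePermission("setSecurityManager"). That second check is the one line of defence an applet exploit has to get past, which is why a bug that lets untrusted code switch the manager off is equivalent to full code execution on the host.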

The exploit has been used successfully to install a variant of the Poison Ivy trojan. It originates from servers in China, and Oracle has not yet released any statement on fixing it. The NakedSecurity blog at Sophos writes:

In his conversation with the Blackhole author Krebs was told that exploits like this could go for $100,000 on the black market. That shows how effective attacks using this type of vulnerability can be.

Security experts are working on an unofficial patch for this vulnerability, as Oracle has the next scheduled Java update on 16 October.


Google Offers Oracle A Small Cut of Android Revenues; Oracle Refuses

Oracle's patent infringement lawsuit against Google has gone from being outrageous in terms of the money demanded to being boring, in just a few months.

It had initially demanded more than $6 billion from Google, claiming that Google infringed on its Java IP in Android. Following a scolding from the presiding judge, Oracle lowered its damages claims to $2 billion, and finally brought it down to under $100 million last week.

This week, Google apparently offered Oracle a flat fee for past damages on the two patents in contention: $2.8 million. It also offered a cut of future Android revenues until the patents expire. For one patent, which expires in 2012, it offered a 0.5% cut of Android-related revenues. For the other, which expires in 2018, it offered a 0.015% cut of Android revenues.

Google also stated that, if Oracle accepted these terms, it would not contest damages once Oracle proved infringement of those patents, presumably to speed up the trial process.

However, Oracle, understandably, has rejected the offer. Its cost of litigation alone would be a multiple of the settlement Google is offering. It would be almost insulting for Oracle to accept a few million, considering its original demand of more than $6 billion.

Oracle Takes Another Blow in the Android Patent Infringement Case

Oracle sued Google back in August 2010, expecting to walk away with big spoils of war. Instead, Google wrote to the Patent and Trademark Office asking it to re-examine all the patents connected with the case, and this has caused Oracle to lose many of the patents it acquired from Sun Microsystems. Clearly, this case has cost Oracle considerably, in both money and reputation. However, it continues to pursue the case, hoping for a positive outcome.


In December last year, the Patent and Trademark Office (PTO), on a request for re-examination by Google, invalidated a major Oracle patent. A few days ago, Oracle received another blow in this case, when the PTO voided one more of its patents. Finally, Oracle regained some sense and decided to withdraw claim 14 of the '467 patent, but we can see that the damage has been done! This takes the entire '467 patent out of the scope of this lawsuit.

Moreover, for the third time in a row, Oracle has come up with inflated damage reports claiming more than a reasonable amount. Oracle's initial claim was a ridiculous 6 billion USD, which has come down to 52.4–169 million USD. Google is still not satisfied with these estimates, and has filed a motion to cut down this list of damages, and hence the claim amount.

Groklaw mocks this whole case with this interesting argument:

Oracle bought Sun, everything Sun had, for what Oracle said was a transaction valued at “approximately $7.4 billion, or $5.6 billion net of Sun’s cash and debt”. That’s hardware, MySQL, Solaris, many things beyond just Java. So how could just six, now five, Java patents out of Sun’s more than 500 Java patents alone, add up to $6 billion? Why did anyone ever think this was a realistic figure instead of just hype?

At present, the PTO has confirmed only four of twenty-six Oracle claims. Oracle walked into the case without proper preparation, and is facing the consequences now. I have just one piece of advice for Oracle: stop already, and leave with the patents you can still call yours.

Oracle: Google Makes $10 Million from Android Everyday

Oracle is one of the few tech giants that isn't directly competing in the smartphone market but is still involved in patent wars with Google over Android. Oracle sued Google over the use of Java IP in Android back in 2010, demanding billions of dollars in damages and licensing fees. Over the last couple of months, it seemed to be fighting a losing battle, as some of its patent claims were rejected by the USPTO.

However, Oracle isn’t giving up just yet. According to FOSSPatents, Oracle is pressing the court to set an early hearing for its copyright claim against Google, to get an injunction as soon as it can.

Some new information has surfaced which reveals how Oracle valued Google’s Android business in its lawsuit.

Currently, close to 700,000 Android devices are activated every day. According to Oracle, each day’s worth of Android activations generate nearly $10 million in mobile advertising revenue for Google.

This translates into approximately $3.65 billion in mobile advertising revenue for Google through Android alone, according to Oracle. Oracle's figures are based on an estimated annual advertising revenue of $14 per Android user, and this is just the directly generated revenue. The tech giant further states that:

“This revenue does not even include all the other value Android generates for Google, ranging from Android Market revenue, to other Android-related services, to ensuring that Google will not be locked out of the mobile business, to lucrative relationships with manufacturers of myriad devices on which Android can and does run, to the inordinately valuable access Android provides to customers for its new social network service, Google+. Indeed, Android has enabled Google to wield such power with regard to search and other services that its Android distribution and licensing practices — far from the ‘open’ practices Google has proclaimed it lives by — are under investigation by competition law agencies in the United States, Europe and elsewhere.”

These numbers seem to be inflated and based on flawed estimates. We should see more details on how much money Google actually makes from Android once the trial starts. The more Google makes from Android, the more Oracle will claim in damages and license fees.

US Patent and Trademark Office Rejects Oracle’s Patent Related to Android’s Java Infringement

In August last year, Oracle sued Google over its use of Java in Android. Oracle claimed that Google infringed upon Oracle's Java patents while being fully aware of the infringement. A tough battle ensued, and Oracle and Google have been battling it out in court for a year now, without any result.

While this battle was ongoing, Java founder James Gosling joined and then left Google. The Lindholm email revealed some important facts, and Groklaw has presented an analysis of the entire matter. In addition, Google asked the Patent and Trademark Office (PTO) to re-examine Oracle's Java patents. The re-examination was favorable for Google, as the PTO has now rejected some of Oracle's Java patents.

Google claims that:

The reexaminations of five of the six patents-in-suit remain ongoing, with roughly two-thirds of the currently asserted claims having been rejected. Eighty percent of the asserted claims as to which the PTO has issued an office action currently stand rejected.

Although Oracle is allowed to claim infringement on the invalidated patents, this rejection complicates the case even further. Google has created an empire and a new business line over Android, and it is not willing to give up so easily. At the same time, Oracle is not ready to let go of the jackpot it can earn from this infringement case.

Most of the patents in the Google vs. Oracle case relate to code that improves Java performance in Android's Dalvik virtual machine. However, the PTO has invalidated a patent that was supposed to expire in 2025, making it the youngest of the lot and the most profitable one for Oracle. This case is costing Oracle more in monetary (or patent) and reputation damages than it can profit from the infringement claims.

NoScript Now Available For Firefox Mobile On Android

If you’re looking for added security when browsing on your Android device, look no further than NoScript. The popular Firefox extension has now been made available for Firefox Mobile. It’s called NoScript Anywhere.

Browsers have become extremely complex. With more and more platform-agnostic webapps appearing, users have been living and working inside a browser instead of a desktop. Google has been pushing Chromebooks that provide a full web experience using nothing more than their Chrome browser. Safari has gone mobile. Firefox has gone mobile. Opera has gone mobile. All these mobile browsers are gaining popularity, yet nobody has been addressing the issue with modern browsers: security.

NoScript allows users to selectively block Java, JavaScript and Flash from executing without permission. It provides XSS (Cross Site Scripting) and clickjacking protection using integrated plugins. The add-on has been completely rewritten to support a mobile interface. Once installed, NoScript immediately starts blocking harmful web applets using the default recommended options. More advanced settings such as whitelisting, blacklisting and granular permissions will be editable on a desktop and can be synchronized via Firefox Sync, keeping all your devices up to date, whether a mobile device or a full-blown desktop/laptop.

NoScript Anywhere can be installed without restarting Firefox Mobile. It provides an option to disable automatic playback of Flash and Java applets; instead, a placeholder can be clicked to start the plugin.

Naturally, NoScript Anywhere is based on the extremely popular open source NoScript extension written by Giorgio Maone, who also created the FlashGot Download Manager. The work started at the beginning of 2011, and it took a short nine months of incubation before it was completed and made available for public use.

The majority of mobile browsers are based on WebKit, but are proprietary and different across the board by manufacturer. Android’s browser is based on Chromium, iOS’s based on Safari and BlackBerry’s based on a moldy flaming banana peel.

Firefox Mobile will hopefully become extremely popular among all smartphone users, and we will see NoScript Anywhere usage increase, making the web just a little bit safer for everybody.