When I first started working in the antivirus industry, I found that learning how Java exploits work, even at a very high level, was difficult. Even now with a few seasons under my belt, understanding the process and consequences of the exploitation of a Java vulnerability still proves challenging.
Based on the feedback we see from some of you, I’m not alone. There are a lot of technical papers and blogs to be found that tell you how a Java vulnerability is exploited. In this blog, I’d like to share with you how you might encounter one of these threats, what you can do about it, and steps you can take to help avoid being exploited again.
How you might encounter Exploit:Java/CVE…
You’ll most likely encounter these threats when visiting a website. The website may not be malicious itself, rather it could just be an innocent and unwilling host. You might be catching up on current affairs when BANG! you see a pop-up from your antivirus saying that Exploit:Java/CVE… has been detected. And here’s where it gets a little worrying. This legitimate pop-up is telling you that you have been the target of an attack (but not necessarily the victim of this attack). The pop-up may look something like this:
Or, as in the Microsoft Security Essentials “History” tab, you might see more details about the threat that’s detected:
If you’re using a version of Java that is not vulnerable to that issue, you’ll still see this notification, though you will be safe from exploitation. To find out if the version of Java you are using is indeed vulnerable, you can go to the Common Vulnerabilities and Exposures website and search using the CVE ID (for example, the “CVE-2013-0422” component of Exploit:Java/CVE-2013-0422).
How do you know if you have a vulnerable version of Java? To check, simply:
- Go to the control panel (Select Start|Control Panel)
- Select Programs. If Java is installed you will see it in the list of installed programs. Click it to open the Java Control Panel
- On the General tab, click About to see which version of Java you have installed, then check this against the vulnerable versions listed on the Common Vulnerabilities and Exposures website
If, however, you’re using a vulnerable version of Java (and the bad guys often check your computer for vulnerabilities first before using their exploits), it’s likely that you’ve been exploited. Not only are you likely to have been compromised by this threat; it’s likely you’ve been compromised by other threats.
You see, once you’ve been exploited by one of these threats, it will probably try to download any number of other threats, thus starting a malware-invite-only party on your computer.
How you can remediate Exploit:Java/CVE…
If you’ve been exposed to one (or several) of these threats, you can run a full scan with an up-to-date antimalware solution like Microsoft Security Essentials to detect and remove this and other malware from your computer.
One thing to note: because of the nature of this threat, you may need to clear both your Internet Explorer and Java caches to stop this threat being re-detected on your machine. You can read more about how to do that in the following articles:
How you can prevent re-infection
Now that you’ve run a scan and cleared the Internet Explorer and Java caches, you can take some steps to help prevent re-infection.
The first thing you should do is update Java; you can get the latest download here. You may consider enabling automatic Java updates, so that you’re always running the latest version.
Lastly, you really ought to uninstall old versions of Java after you’ve updated. Old versions may still be vulnerable to some threats, so by leaving them on your computer you risk re-infection. You can read about how to do this here.
I hope this helps you understand how Exploit:Java/CVE… ends up on your machine, how you can remediate it, and how you can reduce your chances of being a victim to these exploits in the future. Stay safe online, and remember: one key way to prevent malware infection is to make sure you always have the latest updates for all software you use!
-Jasmine Sesso
MMPC Melbourne
Leave a reply
