Zero-Day paranoia and the reality of modern web browsing

Zero-Day paranoia and the reality of modern web browsing

Summary: Remote code execution is an end-user nightmare that can be stopped tomorrow, if we enact the appropriate technologies to prevent it.

SHARE:

It's not often that my dad emails me with a frantic message about his computer. Apparently, he had read an article written by one of my colleagues, Zack Whittaker, regarding the Department of Homeland Defense Advisory about the recently publicised Java Zero-Day exploit. 

He wanted to tell me that he had disabled Java on all of his PCs and asked me what I thought about it.

At the moment I was sitting at a sushi bar and enjoying a spicy tuna sashimi salad with a bottle of Chang Beer. Well, my second bottle, really. This is what I wrote to him:

"I have not investigated it enough but with any zero day exploit just be careful what sites you go to. If your favorite web sites require Java or you have applications that need them then just be aware not to download pirated software and movies and go to porn sites because that is where the attack vectors often originate."

From my understanding of the exploit in question, it uses a weakness inherent in the Java VM that allows remote code execution of malicious software.

What does that mean, exactly?

Well, it means that if you have Java installed on your machine, and you have the plugin for Java web start apps enabled in your browser, that means that a piece of bytecode (software loaded from a website that uses Java) that is executed from within the Java VM installed on your PC can call outside of its supposedly sandboxed environment to your operating system and execute a "payload".

This payload is presumably software that the hacker has managed to get onto your computer through social engineering or even though the Java plugin itself.

In other words, by visiting these illicit sites, you put the software on your computer that the hacker can now command to steal your information, monitor your keystrokes, et cetera.

How does this social engineering occur, exactly?

Well it can happen in any number of ways. You open up emails and click on links to things that appear to be legitimate websites of major companies you do online business with (Wal-Mart, various banks, PayPal, eBay, Amazon, et cetera) but are actually redirects to malicious sites that will use any number of unpatched exploits to compromise your PC or to steal your information via social engineering, such as via cross-site scripting attacks using legitimate social media sites like Facebook or Twitter.

In many cases these sites will attempt to trick you into entering your username and password for your online accounts, and not even try to put a "payload" on your computer like this Java exploit requires.

So how do you prevent yourself from becoming a victim? Well, a couple of ways.

In the case of the current Java exploit, if you don't have any applications that require the use of Java, then turn off the plugin in all of your browsers and uninstall Java from your computer.

However, this is easier said than done, as any number of legitimate websites use Java for certain components, such as ScottTrade, or Cisco's AnyConnect Secure Mobility Client for Macintosh. And many corporate intranets use Java-based applications that are launched from web pages as well, not to mention all the server-side Java that acts as the primary applcation framework for J2EE-based environments.

So what is a user to do when Zero-Days are becoming more and more commonplace? Well, I suggest you practice safe computing. Keep your regular antimalware and antivirus programs and your operating system patches up to date on your personal computers and run firewalls on your PCs and routers.

Don't visit illicit websites (those that promote or engage in software or content piracy or traffic in illegal forms of pornography) and do not use your regular private correspondence email address for registering with any type of site you use for regular eCommerce or for other recreational purposes.

Be careful not to store public identifying information on free cloud services. If it's the kind of stuff you would be afraid to put outside in a garbage can unshredded, don't dump it onto the public Cloud.

In short, please use some common sense while surfing.

While there are things end-users could do to lower their potential exposure to malware, there are things that software companies which design operating systems and browsers can do as well, as can ISPs that deliver Internet services to their customers that could drastically lower the impact of these kinds of exploits.

Back in April of 2010 I wrote an article called "Browser Protection: The Next Generation."

In it I described a number of different technologies that could be provided to end-users in order to significantly lower their exposure to all forms of compromises, including the type of Zero-Day exploit that occured recently with Java.

In summary, we need a way for web browsers and the "surfing environment" to be completely isolated from the host operating system. 

The method that I describe, which could be employed on Windows, Mac and Linux computers would be to create a fully isolated Virtual Machine that contains just the browser and the required plugins (JeOS) it needs to function.

If the browser and plugin environment becomes compromised, no code execution on the main operating system can occur. Detection logic would allow the browser environment to be erased and reset, so that it could be "cleansed" for further use.

There's a number of ways that this could be accomplished today. One, the desktop operating system would use a hypervisor or a container (virtualization platform) to run a JeOS instance strictly to run the browser.

This container could be run locally, or it could even be run remotely on a Cloud-hosted desktop environment.

There's a company that already has a product for doing this today named Invincea which I also wrote about in 2010.  As I understand, they're currently doing excellent business with the US government, and it will stop that Java exploit and most other Zero-Day exploits right in their tracks.

If this company isn't an obvious acquisition target in this paranoia-infused age of personal computing, I don't know what is.

The second thing that can be done (and I am of the opinion we should be using both) is having ISPs provide Unified Threat Management (UTM) with Deep Packet Inspection as a value-added service to its consumer broadband customers which would stop the download and execution of malicious code at the source.

Today, UTM is a technology that is in use by large enterprises to protect their datacenters and desktop users, but given the rise of consumer broadband, it's about time that this gets installed in all ISP head-end equipment. If it brings up the price of consumer broadband a few dollars a month as a result for these companies to make up for the capitalization costs, so be it. 

Does the recent Java exploit finally demand the use of the "Browser Deflector Shield" I described in 2010? Talk Back and Let Me Know.

Topics: Security, Apple, Enterprise Software, Linux, Networking, PCs, Windows

About

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

56 comments
Log in or register to join the discussion
  • Being careful about which web sites you visit isn't a panacea.

    All too often people become infected from third party ad sites delivering ads to "legitimate" web sites.
    ye
    • Agreed. The article is misleading.

      Statistically, more than half the malicious websites online at any given time are normally-safe sites that have been compromised by one means or another. I'm not sure what Mr. Perlow's field of actual expertise is, but it's evidently not the gritty world of Web security.

      Ironically, his dad *is* the one with the better advice here: disable the Java plug-in (or uninstall it if it's not needed), regardless of OS or browser choice.
      mechBgon
      • Good Point

        ZDNet does have security experts, but this author (Perlow) is not one of them. He does have a good point about virtualization, though. A virtual machine for the Web browser would be a lot more secure than what we have now.

        Then again, if Java VM virtualization could be defeated, then so can Perlow's proposed virtualization. So it is no panacea either. It will probably be better than waiting a couple of years for Oracle to finally really fix it though!
        mejohnsn
      • If those "normally safe" sites are compromised...

        then you don't need Java to "have your stuff stolen".
        Shinc
    • ye, tell me how

      to get infected running GNU/Linux
      eulampius
      • Java on Linux

        Java is cross-platform and is not OS specific

        http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/

        to quote from above link:

        "the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X"

        I have Windows and I'm not worried either, because I have UNINSTALLED the default Java package included in windows. I don't visit a site which uses Java and don't have any apps using Java either. I build apps using C++ not Java. I get the performance in C++ which Java just can't provide.
        Martmarty
        • Possible, but

          It's certainly possible, but almost all Linux distributions use one of the open-source JRE's like Iced Tea, not Oracle's Java, which based on the description, appears to be the vulnerable one.
          daengbo
          • To Be More Precise...

            Most Java distributions include Iced Tea as their default Java. But since some users really do require Oracle Java, most distributions also have a way to install that. Fedora even has a package for switching between version of Java.
            mejohnsn
      • What does this have to do with my comment?

        My comment had nothing to do with the OS.
        ye
        • you said

          [q]Being careful about which web sites you visit isn't a panacea.
          All too often people become infected from third party ad sites delivering ads to "legitimate" web sites.[/q]
          Infection on GNU/Linux or *BSD no infection has ever happened, especially as a result Innocent visit to a web site.
          My suggestion is to use firefox +noscript. To fight those non-script driven ads, install flash-killer and adblock
          eulampius
          • Again: What does this have to do with my comment?

            My comment had nothing to do with the OS. If you want to recommend an alternative OS / browser knock yourself out. Just don't pretend it has any relevance to what I wrote.
            ye
          • you comment has to do

            with "people become infected from third party ad sites delivering ads ... web sites" and that has to do with the OS those unfortunate people use, since it can only be either MS Windows, or Apple's Mac OS X (thanks to the arrogance and idiocy of Apple).
            Please, don't be afraid to use logic.
            eulampius
          • You've gotta give me something to work with.

            "Please, don't be afraid to use logic."

            I can't apply logic to your post as your post is illogical. You're arguing a point which is completely unrelated to my comment.
            ye
          • Infections are OS specific

            @ye,

            Each infection needs to use the OS resources. Those are different for different systems. That's why windows virus don't run on Linux.

            Linux has some Trojans, but no real viruses. It has some system level protections built into the Kernel.

            The java viruses described earlier need Java to run.

            Disabling the 'Autorun' features will disable many viruses. Linux has no Autrun features. Windows does, and has back to Windows 3.1 days.

            Flash, Java, Visual Basic, C#, almost any language can be the basis for a malware attack, but, only if the program is run. That's the reason for the social aspect. The user on Linux or Unix systems has to be tricked into running the program.

            Windows on the other hand will happily run the program for the user without the pain of asking first. From the little I understand, OSX is as 'user friendly' as Windows, even though it is a shell on a BSD based Unix.
            YetAnotherBob
        • My comment had nothing to do with the OS.

          Of course it does, because the OS people use determines whether or not they will get infected, you already know this, you just don't want to admit it.

          Of course if you want to try and prove me wrong you could give me the links to these third party ad sites delivering ads to "legitimate" web sites that these people all to often become infected from, and see if they can infect my Linux PC.
          guzz46
          • It's Java, not the OS

            These crooks are exploiting a vulnerablilty in the Java VM platform, which has nothing to do with the OS. Any OS running Java VM is vulnerable, Linux included.
            harry_dyke
          • It's Java, not the OS

            I'm talking about more than just this java exploit, the OS does determine whether or not people will get infected, and it's all too easy to get infected on windows.
            guzz46
          • See if they can infect my Linux PC

            According to what I have read on various Linux forums, from Ubuntu to PCLinux, IcedTea IS vulnerable. So you can go ahead and pretend that Linux is protected from everything, or you can do as I did and play it safe by getting rid of Java and IcedTea.
            Iman Oldgeek
          • play it safe by getting rid of Java and IcedTea

            Java is one of the first things I uninstall, it's slow and I have no need for it, but ye's original comment did not mention this java exploit, all he said was "All too often people become infected from third party ad sites delivering ads to "legitimate" web sites."
            So I asked him for the links to his third party ad sites to prove that the OS does determine whether or not people will get infected, but as usual I got nothing.

            Just browse malware blacklist dot com or malware domain list dot com on a Linux PC, it won't get infected, I wouldn't recommend you do the same on a windows PC.
            guzz46
      • Not hard at all

        Did you read the article? It is Java code that is getting executed. And a bug allows it to get outside the sandbox. What OS Java is implemented in is completely irrelevant.

        I guess that means that the virus makers have finally learned how to take advantage of the "write once, run anywhere" promise of Java;)
        mejohnsn