Zero-Day paranoia and the reality of modern web browsing
It's not often that my dad emails me with a frantic message about his computer. Apparently, he had read an article written by one of my colleagues, Zack Whittaker, regarding the Department of Homeland Defense Advisory about the recently publicised Java Zero-Day exploit.
He wanted to tell me that he had disabled Java on all of his PCs and asked me what I thought about it.
At the moment I was sitting at a sushi bar and enjoying a spicy tuna sashimi salad with a bottle of Chang Beer. Well, my second bottle, really. This is what I wrote to him:
"I have not investigated it enough but with any zero day exploit just be careful what sites you go to. If your favorite web sites require Java or you have applications that need them then just be aware not to download pirated software and movies and go to porn sites because that is where the attack vectors often originate."
From my understanding of the exploit in question, it uses a weakness inherent in the Java VM that allows remote code execution of malicious software.
What does that mean, exactly?
Well, it means that if you have Java installed on your machine, and you have the plugin for Java web start apps enabled in your browser, that means that a piece of bytecode (software loaded from a website that uses Java) that is executed from within the Java VM installed on your PC can call outside of its supposedly sandboxed environment to your operating system and execute a "payload".
This payload is presumably software that the hacker has managed to get onto your computer through social engineering or even though the Java plugin itself.
In other words, by visiting these illicit sites, you put the software on your computer that the hacker can now command to steal your information, monitor your keystrokes, et cetera.
How does this social engineering occur, exactly?
Well it can happen in any number of ways. You open up emails and click on links to things that appear to be legitimate websites of major companies you do online business with (Wal-Mart, various banks, PayPal, eBay, Amazon, et cetera) but are actually redirects to malicious sites that will use any number of unpatched exploits to compromise your PC or to steal your information ">via social engineering, such as via cross-site scripting attacks using legitimate social media sites like Facebook or Twitter.
In many cases these sites will attempt to trick you into entering your username and password for your online accounts, and not even try to put a "payload" on your computer like this Java exploit requires.
So how do you prevent yourself from becoming a victim? Well, a couple of ways.
In the case of the current Java exploit, if you don't have any applications that require the use of Java, then turn off the plugin in all of your browsers and uninstall Java from your computer.
However, this is easier said than done, as any number of legitimate websites use Java for certain components, such as ScottTrade, or Cisco's AnyConnect Secure Mobility Client for Macintosh. And many corporate intranets use Java-based applications that are launched from web pages as well, not to mention all the server-side Java that acts as the primary applcation framework for J2EE-based environments.
So what is a user to do when Zero-Days are becoming more and more commonplace? Well, I suggest you practice safe computing. Keep your regular antimalware and antivirus programs and your operating system patches up to date on your personal computers and run firewalls on your PCs and routers.
Don't visit illicit websites (those that promote or engage in software or content piracy or traffic in illegal forms of pornography) and do not use your regular private correspondence email address for registering with any type of site you use for regular eCommerce or for other recreational purposes.
Be careful not to store public identifying information on free cloud services. If it's the kind of stuff you would be afraid to put outside in a garbage can unshredded, don't dump it onto the public Cloud.
In short, please use some common sense while surfing.
While there are things end-users could do to lower their potential exposure to malware, there are things that software companies which design operating systems and browsers can do as well, as can ISPs that deliver Internet services to their customers that could drastically lower the impact of these kinds of exploits.
Back in April of 2010 I wrote an article called "Browser Protection: The Next Generation."
In it I described a number of different technologies that could be provided to end-users in order to significantly lower their exposure to all forms of compromises, including the type of Zero-Day exploit that occured recently with Java.
In summary, we need a way for web browsers and the "surfing environment" to be completely isolated from the host operating system.
The method that I describe, which could be employed on Windows, Mac and Linux computers would be to create a fully isolated Virtual Machine that contains just the browser and the required plugins (JeOS) it needs to function.
If the browser and plugin environment becomes compromised, no code execution on the main operating system can occur. Detection logic would allow the browser environment to be erased and reset, so that it could be "cleansed" for further use.
There's a number of ways that this could be accomplished today. One, the desktop operating system would use a hypervisor or a container (virtualization platform) to run a JeOS instance strictly to run the browser.
This container could be run locally, or it could even be run remotely on a Cloud-hosted desktop environment.
There's a company that already has a product for doing this today named Invincea which I also wrote about in 2010. As I understand, they're currently doing excellent business with the US government, and it will stop that Java exploit and most other Zero-Day exploits right in their tracks.
If this company isn't an obvious acquisition target in this paranoia-infused age of personal computing, I don't know what is.
The second thing that can be done (and I am of the opinion we should be using both) is having ISPs provide Unified Threat Management (UTM) with Deep Packet Inspection as a value-added service to its consumer broadband customers which would stop the download and execution of malicious code at the source.
Today, UTM is a technology that is in use by large enterprises to protect their datacenters and desktop users, but given the rise of consumer broadband, it's about time that this gets installed in all ISP head-end equipment. If it brings up the price of consumer broadband a few dollars a month as a result for these companies to make up for the capitalization costs, so be it.
Does the recent Java exploit finally demand the use of the "Browser Deflector Shield" I described in 2010? Talk Back and Let Me Know.