topic Re: The hunt is on - 0day for java 1.7u10 in General Topics

The hunt is on - 0day for java 1.7u10

mikand — Thu, 10 Jan 2013 21:21:46 GMT

How many hours/days will it take for:

1) Wildfire customers

2) Regular customers

to get protected by a threat-db update regarding the latest 0day exploit for java 1.7u10 (and possible java 1.6u38) as descibed in:

Malware don't need Coffee: 0 day 1.7u10 spotted in the Wild - Disable Java Plugin NOW !

http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/

http://www.cert.se/sarbarheter/sr/sr13-006-oracle-0-day-i-java

Re: The hunt is on - 0day for java 1.7u10

mscox42 — Fri, 11 Jan 2013 14:47:51 GMT

As I understand it, Wildfire won't help with the Java vuln per se, but it might help with the payloads delivered by the exploit. Wildfire only works on Windows executable files, correct?

I think it may be pretty hard to sig to the generic vulnerability for this. Most sigs are geared towards formatting idiosyncrasies found within a given exploit kit or even something as simple as the class file names for a specific version of the exploit.

Re: The hunt is on - 0day for java 1.7u10

licenselu — Fri, 11 Jan 2013 15:36:59 GMT

Hello,

Wildfire can not help you because it can only analyze EXE or DDL file...

In my point of view, only APT vendors (like FireEye, Damballa, etc) can help you...

Regards,

Re: The hunt is on - 0day for java 1.7u10

gwesson — Fri, 11 Jan 2013 19:11:30 GMT

Hello,

Content version 349 was just released with the following CVEs:

CVE-2013-0422

CVE-2012-1530

CVE-2013-0603

CVE-2013-0604

CVE-2013-0621

CVE-2013-0622

CVE-2013-0623

CVE-2013-0626

CVE-2013-0624

The content release is referring to Java JRE and Adobe Reader vulnerabilities, and may reference the 0-day vulnerability you mentioned, but only the first of the three sites has any of the current CVEs (and it only has one) so I can't be sure.

Best,

Greg Wesson

Re: The hunt is on - 0day for java 1.7u10

_slv_ — Fri, 11 Jan 2013 20:24:37 GMT

Hello

Could you confirm that you are able to download 349 at this moment?

I got email:

Announcement:
Now Available - Emergency Content Release 349

created by panagent in Palo
Alto Networks Live - View the announcement

Palo Alto Networks has issued emergency release 349 in response to"

But my PA-200 still reporting that 348 is latest release, also when I logged to PA support page in dynamic updates I cant find 349 relrase.

With regards

Slawek

Re: The hunt is on - 0day for java 1.7u10

_slv_ — Fri, 11 Jan 2013 20:46:31 GMT

now I got upgrade (but I have to check many times for new updates).

Re: The hunt is on - 0day for java 1.7u10

mikand — Fri, 11 Jan 2013 22:01:57 GMT

gwesson: Thanks! 🙂

Bonusquestion, did PaloAlto see this coming through Wildfire?

I manually uploaded some of the .exe files found and they all got verdict malware so at least that part works.

slv: I guess we are all like vultures so all servers didnt have the file when the email was sent out? 🙂

I can see it in dynamic updates here at support.paloaltonetworks.com so in worst case you can always load it manually.

Re: The hunt is on - 0day for java 1.7u10

mharding — Sun, 13 Jan 2013 06:43:28 GMT

WildFire won't test the JAR file, but it should test the dropper EXE that the JAR file attempts to download.

Re: The hunt is on - 0day for java 1.7u10

essnet — Mon, 14 Jan 2013 09:59:17 GMT

I could be wrong but JAR,Android and Mobile apps execution could be in the roadmap for future Wildfire enhancements.

Re: The hunt is on - 0day for java 1.7u10

mikand — Mon, 14 Jan 2013 10:27:02 GMT

Or at least they should be 🙂

Anyone from PA who can confirm current status regarding Wildfire?

Re: The hunt is on - 0day for java 1.7u10

rlee — Tue, 15 Jan 2013 13:00:41 GMT

In PA-5.0 admin guide, it say "Supported file types include Win32 Portable Executable (PE) files (e.g. exe, dll, and scr)."

So wildfire scan is still limited to PE files..

Additionally,

File types can be analyzed even if they are compressed (zip, gzip) or over SSL if decryption is enabled in the policy.

And supported file types that are zipped will automatically be sent to WildFire. Don't need to put zip file type in file type box.

Re: The hunt is on - 0day for java 1.7u10

jhickey — Tue, 19 Feb 2013 20:47:06 GMT

What is the PA Content update doing for me ? I am a little confused about this set of vulnerabilities. Are there active exploits ? If so, how is PA Stopping/Blocking them ? How could I look in the logs to see specifically which machines are infected / vulnerable.

Thanks,

Justin

Re: The hunt is on - 0day for java 1.7u10

mikand — Wed, 20 Feb 2013 10:40:03 GMT

I think this document should be a good start for you:

Threat Prevention Deployment Tech Note

https://live.paloaltonetworks.com/docs/DOC-3094

And as a bonus:

Designing Networks with Palo Alto Networks Firewalls

https://live.paloaltonetworks.com/docs/DOC-2561

Diagrams and Tested Configurations

https://live.paloaltonetworks.com/docs/DOC-2560

The PA content update is available in two flavours, one with only the appid db and one with appid and threats merged together (which one you use depends on if you have the threat license active or not).

The threat part is then used in the IPS and AV configurations. What you usually do is that you create a threat-profile which you then assign to the security rules you wish to get investigated. An easy example is to create a threat profile with the following configuration:

critical: block

high: block

medium: block

low: default

information: default

This means that threats classified as critical, high and medium will be blocked while threats classified as low and information will use the paloalto recommended default action for each identified threat.

To log the events your security rule must have logging enabled (if im not mistaken) - usually you log on session end.

Re: The hunt is on - 0day for java 1.7u10

jhickey — Wed, 20 Feb 2013 12:54:24 GMT

Thanks for that reply. I appreciate it. We're already blocking high and critical threats. Management here has latched onto this specific Java 0 day threat. They want to know which machines are vulnerable. The issue for me is I really dont know what to look for in the logs. Whats the name or number asscociated with this particular set of threats. It seems that every security company has a different name or pattern.

Re: The hunt is on - 0day for java 1.7u10

mbutt — Wed, 20 Feb 2013 18:55:56 GMT

Hi Jhickey,

You can go to the following link. Here you can search the threats ( spyware, vulnerabilities, virues ) by names and there id's.

https://threatvault.paloaltonetworks.com/

This should make it easy for you to search for them.

Thank you

Numan

topic Re: The hunt is on - 0day for java 1.7u10 in General Topics

The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Announcement: Now Available - Emergency Content Release 349

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Re: The hunt is on - 0day for java 1.7u10

Announcement:
Now Available - Emergency Content Release 349