Graduation project foreign-literature translation: The Java vulnerability landscape (.doc)

Uploaded by: laozhun  Document ID: 3975640  Upload time: 2023-03-30  Format: DOC  Pages: 12  Size: 47.50KB

The Java vulnerability landscape

From: Harry Sverdlove, Network Security, 2014-4

Java has been a trending security concern for several years. Recently, however, there has been a significant rise in Java-related vulnerabilities and attacks. Not only is Java widely installed in most enterprises, it is also highly vulnerable and it is arguably the most pressing security concern today. Java continues to be a required technology for many companies, but its ubiquity seems to be out of proportion with its current business use cases. Harry Sverdlove of Bit9 examines the reasons for Java's ubiquitous presence in the enterprise, the issues it has with updating and patching and why it is so beloved by hackers. And he offers some guidance for reducing the risks associated with the platform.

According to Kaspersky Lab, in 2012 Java surpassed Adobe Reader as the most exploited endpoint software in real-world attacks. Specifically, the 2012 annual Kaspersky Security Bulletin noted that: "Throughout the year Kaspersky Lab's experts registered both large-scale and targeted attacks utilising vulnerable software, with Oracle Java being the most frequently targeted (50% of attacks). Adobe Reader ranked second (28%) and Adobe Flash player occupies the fourth place with only 2% share, thanks to efficient automatic updating system that promptly closes security holes."

In August 2013, F-Secure anti-malware analyst Timo Hirvonen reported finding an in-the-wild exploit actively targeting an unpatched vulnerability in Java 6. According to vulnerability information provider Secunia, the bug could be "exploited by malicious local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges and by malicious people to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a DoS (denial of service), bypass certain security restrictions, and compromise a vulnerable system." No doubt, Java has become a primary gateway for hackers to enter today's businesses.

In September 2013, F-Secure's Threat Report H1 2013 found that Java exploits accounted for about half of the detections reported to its systems, up from one-third in the prior six months. F-Secure notes that it's not surprising Java is an appealing target since "next to the Windows operating system (also a popular target for exploits), Java is probably the second-most ubiquitous program in an organisation's IT setup." What's worse, these attacks are increasingly zero-day exploits, meaning hackers are taking advantage of a security vulnerability on the same day that the vulnerability becomes generally known, giving developers zero days to address and patch the vulnerability.

Most concerning problem

Java's vulnerabilities and prevalence combine to make it perhaps the single most concerning security problem today. So it is important to closely explore the breadth and state of its deployment across enterprises. Research from Bit9 uncovered some surprising findings that can result in greater security risks across organisations, including:

- Most enterprises have multiple versions of Java, the most prevalent versions of which are highly vulnerable. This finding was supported by Websense research which found that, as of August 2013, 81% of Windows machines were not running the latest version of Java, leaving their users wide open to known exploits.
- Attackers can often target old, vulnerable Java versions installed on the endpoint. According to Websense, exploits CVE-2013-2473 and CVE-2013-2463 are successfully targeting PCs running outdated versions of Java.
- Fewer than 1% of organisations have installed the latest version of Java.

Clearly, cyber-criminals know there is a Java update problem for many organisations, and they are eager to exploit it.

So let's take a look at the state of Java in the enterprise and examine the reasons behind Java's new favoured status among attackers and a history of Java-related attacks. We'll also offer recommendations for reducing Java-related risks in today's organisations. The hope is that by shedding light on the reasons Java is so widely targeted, enterprises will have a deeper understanding of the issues involved and be better equipped to make decisions and take actions to remediate this important threat.

The current state of Java

In July 2013, Bit9's research team analysed Java deployment statistics on approximately one million endpoints at hundreds of enterprises worldwide. Highlights of the findings include:

- The average organisation had more than 50 distinct versions of Java. Some 5% of organisations have more than 100 versions of Java installed. Typically, organisations that have fewer total versions of Java within their environment are those with more fixed-function devices, which usually do not have any version of Java installed.
- Most endpoints have numerous iterations of Java installed, in part because the Java installation and update process often does not remove old versions.
- Attackers can determine what versions of Java an enterprise is running and target the oldest, most vulnerable versions.
- The most popular version of Java running on endpoints analysed by Bit9 is version 6 update 20, which is present on 9% of all systems and has 96 known vulnerabilities of the highest severity.
- Less than 1% of enterprises are running the latest version of Java.

The blame for not removing old versions of Java cannot be laid entirely at the feet of user organisations. A big part of the problem is the failure of Java installation and update software to remove previous versions. In other words, installing a new version of Java will not remove older versions of the software and the installation process allows for redundant instances of Java on a given endpoint. The Java updater, on the other hand, will attempt to remove the most recent previous version in favour of the newer version, but not other prior versions of the software. For example, running the Java update process when version 6 Update 13 is installed will cause the update process to attempt to remove version 6 Update 13 and install the latest version (Java 7 Update 45, as of October 2013), but it will not remove version 5 update 22 if that version also had been installed previously. Only Java 7 version installers and some versions of Java 6 installers remove minor versions within that major version (version 6 installers do not uninstall version 5 installations, for example).

[Figure: Oldest Java instances by age and deployment.]

Java's favoured status among hackers

Java was originally released with the slogan "write once, run anywhere," which was intended to underscore its cross-platform capabilities. Over time, Java has become ubiquitous on endpoints, so "run anywhere" can be interpreted as referring to its ubiquity. Even as fewer websites and web applications require Java in order to operate properly, the technology is pervasive on virtually every end-user system. For this reason, Java also has become a platform that is highly vulnerable to attack.

A piece of evidence demonstrating Java's favoured status among attackers is how frequently it is integrated into various exploit kits such as Blackhole, Cool and Redkit. These kits represent the evolution of publicly available scripted attacks into relatively mature, supported products that often are sold on the underground market. Exploit kits are typically used to implement browser-based attacks by deploying them on compromised or attacker-staged web servers, and include a variety of exploits for use against client systems. Because vulnerable versions of Java are so pervasive and severe, the inclusion of Java exploits in these kits provides a high probability of successful compromise.

It is perhaps not well known outside the security research community that malicious Java code can target outdated instances of Java even after the most recent version of Java has been installed on an endpoint. Sometime during the Java 6 family of updates, the Java updaters began removing some older versions of Java. However, an installer for a major version of Java does not remove versions of Java from older major versions. The fact that older major versions of Java are not removed during installation of newer versions has led to continued high prevalence of very old and vulnerable versions of Java remaining on a high percentage of endpoints. Essentially, Java represents an extremely large surface area for potential attacks in many organisations.

In spite of this, organisations continue to be behind the curve on patching Java. Typically, it takes an organisation between three and nine months to apply Java patches due to the extensive quality assurance testing they need to conduct before applying each patch. Were it not for the fact that hackers have been paying close attention to Java vulnerabilities, this would be less of an issue. Earlier this year, Java vulnerabilities prompted US-CERT to encourage the public to disable Java unless it is necessary. However, disabling Java is not as easy for some organisations as it sounds. It's similar to the fact that it's easy for home users to upgrade their Windows OS overnight, but it often takes corporations years to plan for and implement such a move.

This fact has led to products, such as the open-source JavaRa tool, whose sole purpose is to help users deal with the problem of identifying and removing old versions of Java. While these products will mitigate some percentage of attacks, many users will not understand the warning and may choose to allow the code to execute under the old vulnerable version. In addition, so-called click bypass vulnerabilities often are discovered in Java, allowing attackers to prevent the mitigating interactive messages from ever being seen by the user.

In July 2013, a vulnerability was found that affects Java major version 7 update 21, the newest version as of Bit9's data collection, as well as earlier versions. This vulnerability allows for attackers to bypass the Java click-2-play security warning dialogue box without user interaction. According to Packet Storm, this means that attackers can still target an older version on the endpoint without the user being notified. The newest version at the time of Bit9's research, Java 7 Update 25, goes further and does not allow the user to choose to run an older version.

Conclusion

For the past 15 years or so, IT administrators have been under the misapprehension that updating Java would solve its security problems. They were told that, to improve security, they should continuously and aggressively update the Java installations on all endpoints. Unfortunately, installing is not the same as updating. Until recently, these installations have failed to deliver on the promised security upgrade, because they did not remove the old, highly vulnerable versions of Java that they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some released around the same time as Windows 95. Not only is Java widely installed in most enterprises; in most cases it is also highly vulnerable.

Some enterprises appear to be choosing to remove Java from their environments, and the facts revealed by Bit9's research underline the reasons for doing so. It is not surprising that most enterprises are unaware of which versions of Java are on their systems. Most enterprises do not know what is running on their endpoints and servers; they lack visibility into these systems. Likewise, traditional security solutions, including anti-virus, cannot protect them from modern threats. Although the industry appears to be working to mitigate some of the problems that have brought us to where we are today, those efforts will do little to remedy the current situation. That is to say, traditional security solutions will not necessarily protect organisations from every modern threat. Recent high-profile attacks continue to prove that enterprises should treat Java as a major security risk. Enterprises can benefit from better characterising and understanding the applications running on the endpoints in their environment, so that they can assess the risk of those endpoints and effectively prioritise remediation efforts. Looking ahead, real-time visibility into and protection of endpoints and servers will be critical.
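The findings above turn on two things a defender can measure: how many distinct Java versions a fleet carries, and how often an older major version (5 or 6) is still sitting next to a newer one because the newer installer did not remove it. The following inventory script is an added example written for this page, not code from Bit9 or from the article; it assumes the legacy Oracle version-string formats ("1.6.0_20" and the "6u20" shorthand) and uses constructed hostnames with version numbers taken from the article (Java 7 Update 45 as the "latest" baseline, as of October 2013). It reports the per-organisation numbers the article describes (distinct versions, share of hosts not on the latest version, the most prevalent version), flags hosts with leftover older major versions, and ranks hosts for remediation by their oldest install, since the article notes attackers target the oldest version present.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class JavaVersion:
    """A legacy-scheme Java release: major family (5, 6, 7) and update number.
    Ordering is (major, update), so 1.5.0_22 < 1.6.0_13 < 1.6.0_20 < 1.7.0_45."""
    major: int
    update: int

    _LEGACY = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")  # e.g. 1.6.0_20
    _SHORT = re.compile(r"^(\d+)u(\d+)$")                 # e.g. 6u20 (Oracle shorthand)

    @classmethod
    def parse(cls, text: str) -> "JavaVersion":
        s = text.strip()
        m = cls._LEGACY.match(s) or cls._SHORT.match(s)
        if not m:
            raise ValueError(f"unrecognised Java version string: {text!r}")
        return cls(int(m.group(1)), int(m.group(2) or 0))

    def __str__(self) -> str:
        return f"Java {self.major} Update {self.update}"


# "Latest" baseline as of the article's data collection (Java 7 Update 45, October 2013).
LATEST = JavaVersion(7, 45)

# Constructed sample inventory (hypothetical hosts): hostname -> JRE version strings
# found installed on it, as an endpoint agent or registry scan might report them.
INVENTORY = {
    "ws-001": ["1.7.0_45"],
    "ws-002": ["1.6.0_20", "1.7.0_45"],   # 7u45 installer left 6u20 behind
    "ws-003": ["1.5.0_22", "1.6.0_13"],   # 6u13 installer left 5u22 behind
    "ws-004": ["1.6.0_20"],
    "ws-005": ["1.6.0_20", "1.7.0_25"],
}


def leftover_majors(versions):
    """Major families older than the newest installed one: exactly what a
    newer major-version installer does not remove, per the article."""
    parsed = [JavaVersion.parse(v) for v in versions]
    newest = max(parsed)
    return sorted({v.major for v in parsed if v.major < newest.major})


def summarise(inventory, latest=LATEST):
    """Fleet-level view of the numbers the article reports per organisation."""
    per_host = {h: sorted(JavaVersion.parse(v) for v in vs) for h, vs in inventory.items()}
    distinct = {v for vs in per_host.values() for v in vs}
    # A host only counts as current if nothing older than the baseline remains on it.
    on_latest_only = [h for h, vs in per_host.items() if all(v == latest for v in vs)]
    exposed = [h for h, vs in per_host.items() if any(v < latest for v in vs)]
    leftovers = {}
    for host, versions in inventory.items():
        older = leftover_majors(versions)
        if older:
            leftovers[host] = older
    # Prevalence counts each version once per host.
    popularity = Counter(v for vs in per_host.values() for v in set(vs))
    most_common, hosts = popularity.most_common(1)[0]
    return {
        "distinct_versions": len(distinct),
        "hosts_only_on_latest": on_latest_only,
        "hosts_exposed": exposed,
        "exposed_pct": round(100 * len(exposed) / len(inventory), 1),
        "leftover_majors": leftovers,
        "most_common": (str(most_common), hosts),
    }


def remediation_order(inventory):
    """Hosts ordered by their oldest installed version, oldest first."""
    oldest = {h: min(JavaVersion.parse(v) for v in vs) for h, vs in inventory.items()}
    return sorted(oldest, key=lambda h: oldest[h])


if __name__ == "__main__":
    for key, value in summarise(INVENTORY).items():
        print(f"{key}: {value}")
    print("remediate first:", remediation_order(INVENTORY))
```

On the constructed sample, four of the five hosts (80%) still carry something older than the baseline even though two of them have the latest release installed, and three hosts show a leftover older major family; that gap between "has the latest version" and "has only the latest version" is the point the article makes about installers versus updaters.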
