Client Server Side Vulns

Client and Server-Side Vulnerabilities
Stephen Reese

http://cs.gmu.edu/~dfleck/classes/cs469/fall13/slides/Client-Server-Side-vulns.pptx

Transcript of Client Server Side Vulns

0-day everywhere

Pen Testing vs. Vuln Assessments
- Vulnerability Assessments
- Penetration Testing
- Maturity Levels
- Goals
- Expectations

Plug-ins are useful evil
- Dynamic Content
- Browser plug-in
- Mobile code
- Sandbox evasion

1.1 billion desktops run Java.
500 million devices run Flash.
Did not run across a definitive number for Reader.

- Attacker sets up the environment, i.e. exploit, payload and other settings.
- Attacker convinces the victim to click a link via spam, spear phishing or a drive-by download (e.g. the recent NBC attack via iframe).
- Exploit is sent and a session is established with the victim, OR the system acts as a bot, waiting for commands.

Java Security
- The byte code verifier
- The applet class loader
- The security manager
- Sandbox
- Limited network access
- Resource restrictions
- Signed versus unsigned JAR files

Programs intended to run on a JVM must be compiled into Java bytecode, in the form of binary .class files, which allows for cross-platform support.

By default, applets run in a restricted environment, known as a sandbox:
- Protects users against malicious code that could affect local files
- Protects enterprises against code that could attempt to access or destroy data on networks
- Allows access to the host from which the applet came

Applets can be signed using a security certificate to indicate that they come from a trusted source. Signed applets operate outside the security sandbox and have extensive capabilities to access the client. A signed applet will run outside the security sandbox only if the user accepts the applet's security certificate. If the user refuses to accept the certificate, the applet will run within the security sandbox similar to an unsigned applet.

Java Demo
- Virtualized Environment
- Attacker (Linux Host)
- Victim (Windows XP SP3)
- Metasploit Framework

CVE-2013-2465
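
A defender-side illustration of the signed versus unsigned JAR distinction from the Java Security slides, added here as an example and not taken from the original deck: it reports whether a JAR carries signature files (and would therefore ask to leave the sandbox) and which entries are not covered by a matching manifest digest. The function names and the SAMPLE.SF/SAMPLE.RSA sample files are constructed for illustration, only SHA-256-Digest entries are checked, and no certificate or signature is validated (`jarsigner -verify` does that).

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: attributes} for the per-entry manifest sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    blocks = (dict(l.split(": ", 1) for l in b.split("\n") if ": " in l)
              for b in text.split("\n\n"))
    return {a["Name"]: a for a in blocks if "Name" in a}

def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def triage_jar(data):
    """Structural triage only: no certificate or signature is validated here."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        meta = {n.upper(): n for n in names if n.upper().startswith("META-INF/")}
        has_sf = any(n.endswith(".SF") for n in meta)
        has_block = any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)
        if not (has_sf and has_block):
            return {"signed": False, "uncovered": []}
        mf_name = meta.get("META-INF/MANIFEST.MF")
        manifest = parse_manifest(jar.read(mf_name).decode("utf-8")) if mf_name else {}
        uncovered = []
        for n in names:
            if n.endswith("/") or n.upper() in meta:
                continue  # skip directories and META-INF bookkeeping files
            if manifest.get(n, {}).get("SHA-256-Digest") != sha256_b64(jar.read(n)):
                uncovered.append(n)  # added or modified after signing
        return {"signed": True, "uncovered": sorted(uncovered)}

def build_sample_jar(signed, extra=None):
    """Constructed sample; the .SF/.RSA bodies are placeholders, not signatures."""
    body = b"\xca\xfe\xba\xbe constructed class bytes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Demo.class", body)
        mf = "Manifest-Version: 1.0\r\n\r\n"
        if signed:
            mf += f"Name: Demo.class\r\nSHA-256-Digest: {sha256_b64(body)}\r\n\r\n"
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n\r\n")
            jar.writestr("META-INF/SAMPLE.RSA", b"placeholder")
        jar.writestr("META-INF/MANIFEST.MF", mf)
        if extra:
            jar.writestr(extra, b"added after signing")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_jar(build_sample_jar(True, "Extra.class")))
```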