One More Java Zero Day

Friday, March 1, 2013 @ 03:03 PM gHale


Oracle was probably thinking February couldn’t get over soon enough, but as March kicks in, so, too, does another Java Zero Day.

This vulnerability comes courtesy of Hermes Bojaxhi and his team at Cyber Engineering Services, after researchers from the security firm FireEye found that attackers have successfully exploited this Zero Day, compromising the machines of users running browsers with Java 6 Update 41 and Java 7 Update 15.


FireEye researchers Darien Kindlund and Yichong Lin said this vulnerability is different from the countless Java Zero Days that preceded it. The earlier ones could be disabled fairly easily by a security manager, Kindlund and Lin said. This one, on the other hand, allows arbitrary memory reads and writes inside the Java Virtual Machine (JVM) process.

The exploit compromises browsers by targeting an internal JVM data structure, overwriting the memory there with zeros in order to download a McRAT executable.

The exploit is apparently not all that reliable because of the large amount of data it attempts to overwrite. In most cases, Kindlund and Lin saw the JVM crash as it attempted, but ultimately failed, to download the McRAT executable. When the payload does install successfully, however, it reaches out to its command and control server with an HTTP request and copies itself into a dynamic link library.

McRAT also performs the following pair of registry modifications:

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = "C:\Documents and Settings\admin\AppMgmt.dll"
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\"ServiceDll" = "%SystemRoot%\System32\appmgmts.dll"

FireEye notified Oracle of the bug and is urging users to disable Java in their browsers, or to set their Java security settings to “high” and avoid running unknown Java applets, until a patch ships. Oracle has since assigned the flaw a Common Vulnerabilities and Exposures (CVE) entry: CVE-2013-1493.
