Java Flaw Patched; Attackers Pounce

Tuesday, August 7, 2012 @ 05:08 PM gHale

A patch has been out there for nearly two months for Oracle’s Java remote pre-authentication flaw that’s present in the Java Runtime Environment. But a patch is one thing, applying it on the user’s end is another.

That is one reason why attackers are just now starting to use this flaw.

Oracle Holes Hit AV Provider
Others Suffer from Oracle Patch
Microsoft Warns of Oracle Holes
Big Oracle Patch Day
New Java Exploit Debuts

The first malware samples that were exploiting this vulnerability started appearing about a month ago, but it was just in dribs and drabs. But by the second week of July, the number of attacks on the flaw, numbered CVE-2012-1723, began to take off. Microsoft researchers compiled statistics that show the volume of malware targeting the Java flaw really took off around July 10, and, with some peaks and valleys in the interim, is still quite high now.

The vulnerability itself is in a JRE sub-component called Hotspot and attackers who are able to exploit it will have the ability to execute arbitrary code on the target machine.

“The issue is in the optimization performed when a field inside the class is accessed. A static field with a ClassLoader or Object type and bunch of instance-fields with custom data type is a strong indication of exploitation. A bunch of instance-fields are a buffer area where a type-confused object is retrieved,” said Jeong Wook Oh of the Microsoft Malware Protection Center.

An oddity with this vulnerability is that attackers don’t have the ability to disguise what they’re doing with their exploits in this case. Oh said because attackers need to build a Java class with some specific attributes, it’s relatively easy for analysts to see what’s going on.

“Java-based malware could use a Java-reflection feature to obfuscate vulnerable class and methods loading code when the vulnerability is inside specific class and methods — for example, CVE-2012-0507 was related to AtomicReferenceArray class. The loading of AtomicReferenceArray class itself can be obfuscated and you can’t easily tell whether it is loading the specific class at all just by looking into the Java code. This makes the whole malware analysis process more time-consuming,” Oh said.

Leave a Reply

You must be logged in to post a comment.