Java Zero Day Exploits Ready to Go

Monday, January 14, 2013 @ 01:01 PM gHale

Another Zero Day bug is hitting Java, and security experts say it is worth disabling Java now to be on the safe side, because attacks taking advantage of the vulnerability are already in the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.

The exploits target the latest version of the Java platform, Java 1.7 Update 10, said a French researcher who uses the handle Kafeine. In addition, Jaime Blasco, manager at AlienVault Labs, said his team was able to reproduce the exploit on a fully patched Java install.


Kafeine refused to share any details on the vulnerability or exploit, while Blasco wrote on the AlienVault blog a short time ago that the exploit probably bypasses security checks in Java by “tricking the permissions of certain Java classes.”

HD Moore, creator of Metasploit and CSO at Rapid7, said the exploits are targeting a privilege escalation vulnerability in the MBeanInstantiator, as it exposes two classes which in turn expose the class loader. He expects a Metasploit module for this exploit to be ready soon.

“Similar to previous bugs, it enables you to run Java code outside the sandbox, so the thing about that is that it’s not dependent on OS or platform. It will run the same exact code on Mac OS X, Windows or Linux,” Moore said. “The exploits going around are targeting Windows, but more than likely, we’ll see attacks for Mac like we did with the Flashback stuff last year.”

Moore said this one is similar to recent Java exploits.

“A lot of the recent Java exploits use a technique similar to this one where they find a class that’s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,” Moore said. “It’s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7. It’s already being used by all the bad guys and at this point, it’s just catch-up and how fast Oracle can respond.”

AlienVault’s Blasco said similar tactics were used in CVE-2012-4681, discovered last August. That vulnerability in Java 7u6 enabled attackers using a malicious Java applet to bypass Java’s security restrictions and execute code remotely.

Oracle repaired the vulnerability in Java 7u7, released four days after the initial reports of the Zero Day.

Kafeine, meanwhile, has screenshots from the major exploit kits announcing the availability of the Zero Day.

For now, the only available mitigation is to disable Java. Oracle has yet to say when it expects to release a patch; it has traditionally been slow to repair vulnerabilities, experts said.
