Oracle Patches Java Zero Day

Thursday, August 30, 2012 @ 05:08 PM gHale

Oracle today released a patch to fix security vulnerabilities in Java 7, company officials said.

“This Security Alert addresses security issues CVE-2012-4681…and two other vulnerabilities affecting Java running in web browsers on desktops,” the advisory said. “These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.”


Since the news of the Zero Day became public, cyber criminals jumped at the opportunity to take advantage of an anticipated delay in getting a patch out to the public.

Attackers added the exploit to BlackHole, giving a boost to the crimeware kit. Researchers at Symantec said the Nitro crime gang was using the exploit. The gang in the past targeted chemical companies in an effort to steal intellectual property.

The vulnerability works against Internet Explorer and Firefox, researchers said.

The targeted attacks are using an exploit from a site hosted in China, which is still up and running. Once the exploit fires, the attack installs a dropper called Dropper.MsPMs on the compromised PC, which then calls out to another IP address on the same domain as the one serving the exploit.

The vulnerability is present in Java 7 and doesn’t affect earlier versions, researchers said. There is proof-of-concept exploit code circulating for the bug, and there is also a Metasploit module that exploits the flaw.

Researchers said their exploit works against a fully patched Windows 7 machine with Java 7 update 6 running. Their exploit also works against IE and Firefox on Windows Vista and XP and also against Chrome on Windows XP and Firefox on Ubuntu Linux 10.04.
