Second Hole in Java Zero Day

Thursday, August 30, 2012 @ 04:08 PM gHale

It is relatively old news about researchers finding a Java 7 security settings bug, but apparently it also links to a second vulnerability.

“Most of the online analysis talks about one vulnerability, where we saw two vulnerabilities being exploited to achieve full execution on a target,” said Esteban Guillardoy, a Python developer and security researcher working for information security firm Immunity.

Unpatched Java Attacks Starting
New Java Zero Day in Play
Java Flaw Patched; Attackers Pounce
Oracle Holes Hit AV Provider

“The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets, while the second bug invokes the getField public static method on SunToolkit using reflection, with a trusted immediate caller bypassing a security check.” He said the two bugs had to be chained together to create a working exploit.

Guillardoy said the “getField” Java bug is in Java 7.0 — which debuted on July 28, 2011 — and suggested that a foreign nation state, or states, may have been “enjoying it non-stop for quite some time now.”

“The beauty of this bug class is that it provides 100% reliability and is multiplatform,” he said. “Hence this will shortly become the penetration test Swiss knife for the next couple of years.”

Researchers said the Zero Day attack where researchers found the bugs appears to have come from servers in China, and delivering the Poison Ivy remote-access toolkit (RAT) onto infected systems. According to a heatmap of related Poison Ivy infections released by Kaspersky Lab, the greatest number of related infections have been in China, followed by Russia.

The discovery of the Java 7 vulnerabilities has led numerous security experts to recommend that enterprises disable Java in browsers. US-CERT Tuesday released a security alert noting “disabling the Java browser plug-in may prevent a malicious webpage from exploiting this vulnerability.” In addition, for Firefox users, it said “using the … NoScript extension to whitelist websites that can run scripts and access installed plug-ins will mitigate this vulnerability.”

Users of systems targeted by the exploit likely wouldn’t notice the attack. “It does not crash browsers, the landing page looks like a blank page, sometimes one may see a flash of a rotating Java logo and the word ‘Loading,'” according to an analysis published by Andre’ M. DiMino and Mila Parkour at DeepEnd Research.

To help identify vulnerable systems, Rapid7 and Zscaler are offering free online tools which will review a user’s system for the presence of vulnerable Java code. Zscaler also offers a guide to disabling Java in Chrome, Firefox, and Internet Explorer. While the vulnerability affects Windows, Apple OS X, and Linux systems, most Mac users have protection from this vulnerability since Java 6 — not Java 7 – resides on OS X by default, although Java 7 can add in manually.

Oracle releases patches on a quarterly cycle, and its next bug fix isn’t due until October.

Leave a Reply

You must be logged in to post a comment.