(LiveHacking.Com) – A zero day vulnerability is considered by some to be their worst security nightmare. It is a vulnerability (bug) in software that no-one knew about (hence “zero day”) which allows attackers to execute remote code on a victim’s machine. And that is exactly what has happened over the weekend with the discovery of a new zero day vulnerability in Java 7. According to FireEye, all versions of JRE 1.7.x are vulnerable, and the exploit has been successfully tested against the latest version of Firefox with JRE version 1.7 update 6 installed. It appears that Java 6 is not vulnerable.
The exploit is hosted on the domain ok.XXX4.net which resolves to an IP address in China. After a successful exploit the dropper MD5: 4a55bf1448262bf71707eef7fc168f7d (which is only detected by 28 out of 42 antivirus scanners as Gen:Trojan.Heur.FU.bqW@a4uT4@bb; Backdoor:Win32/Poison.E) is installed on the infected machine from http://ok.XXX4.net/meeting/hi.exe. Then the dropper talks to a command and control server (hello.icon.pk) in Singapore.
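The indicators above (the exploit host, the dropper URL and MD5, and the command and control domain) are what a defender can act on while no patch exists. The following script is an added example, not code from FireEye or LiveHacking.Com, that sweeps a web proxy log for those indicators and checks a file’s MD5 against the dropper hash. It assumes a Squid-style log layout (timestamp, client IP, result code, method, URL), the sample log lines are constructed for the example, and the “XXX” in the domain is the article’s own redaction, used here verbatim.

```python
import hashlib
from urllib.parse import urlparse

# Indicators exactly as listed in the article. The "XXX" is the article's own
# redaction of the domain; the hash is the dropper MD5 quoted by FireEye.
IOC_DOMAINS = {"ok.xxx4.net", "hello.icon.pk"}
IOC_URLS = {"http://ok.xxx4.net/meeting/hi.exe"}
IOC_MD5S = {"4a55bf1448262bf71707eef7fc168f7d"}

# Constructed proxy log lines (Squid-like layout: timestamp, client IP,
# result code, method, URL). Made up for this example; 10.0.0.7 is the
# infected host.
SAMPLE_PROXY_LOG = """\
1345980001.123 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html
1345980002.456 10.0.0.7 TCP_MISS/200 GET http://ok.XXX4.net/meeting/hi.exe
1345980003.789 10.0.0.7 TCP_MISS/200 POST http://hello.icon.pk/
1345980004.012 10.0.0.9 TCP_MISS/200 GET http://www.example.org/
"""


def classify_url(url):
    """Return a reason string if the URL matches a listed indicator, else None."""
    lowered = url.lower()
    host = urlparse(lowered).hostname or ""
    if lowered in IOC_URLS:
        return "dropper download URL"
    if host in IOC_DOMAINS:
        return "contact with listed domain"
    return None


def match_proxy_log(text):
    """Scan proxy log lines; return [(client_ip, url, reason)] for each hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip empty or malformed lines rather than crash
        client_ip, url = parts[1], parts[4]
        reason = classify_url(url)
        if reason:
            hits.append((client_ip, url, reason))
    return hits


def affected_clients(text):
    """Set of client IPs that touched any indicator, for triage."""
    return {ip for ip, _, _ in match_proxy_log(text)}


def md5_matches_ioc(data):
    """True if the MD5 of the given file bytes is one of the listed dropper hashes."""
    return hashlib.md5(data).hexdigest() in IOC_MD5S


if __name__ == "__main__":
    for ip, url, reason in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ip}  {reason}: {url}")
    print("clients to triage:", sorted(affected_clients(SAMPLE_PROXY_LOG)))
```

A hit on the dropper URL means the exploit very likely succeeded on that client, while a hit on the C2 domain alone means the machine is already under control; either way the client is isolated and reimaged rather than cleaned by antivirus, given the detection rate quoted above.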
The worrying thing is that Oracle uses a four-month patch cycle (middle of February, June and October) and the next patch is scheduled for October 16. That is nearly two months away. Oracle rarely issues out-of-cycle patches. We can only hope that Oracle makes an exception in this case.
“It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis,” wrote FireEye researcher Atif Mushtaq on the company blog.
A module has been published for Metasploit and it is my advice that you disable Java on all your systems! Most home users don’t run Java programs and have no need for it. On top of that the majority of security experts agree that the risk of running Java outweighs the potential benefits.