December 8, 2016

Exploit Kits Having Success with Recent Java Concurrency Vulnerability

(LiveHacking.Com) – Well-known security blogger Brian Krebs has released an overview of how different exploit kits, including the widely use BlackHole pack, have now integrated exploits for a Java concurrency vulnerability (CVE-20120-0507) that was fixed in Java Version 6 Update 31, or Java 7 Update 3 on Feb. 15, 2012. According to Microsoft’s Malware Protection Center new malware samples are coming to light that are proving highly successful at exploiting the flaw. The malware which Microsoft analysed loaded the ZeuS Trojan (PWS:Win32/Zbot.gen!Y) but the exploit kits allow hackers to install the malware of their choosing.

The exploit used in the automated kits uses a vulnerability in AtomicReferenceArray to disable the Java runtime sandbox mechanism. To do this the attacker deliberately creates a special serialized object data which due to a logic error (and not a memory corruption) allows the attacker to run arbitrary code on the victim’s PC. The exploit is very reliable.

Java seems to yield a never-ending supply of new exploits for attackers to use. “On at least two Underweb forums where I regularly lurk, there are discussions among several core members about the sale and availability of an exploit for an as-yet unpatched critical flaw in Java,” wrote Krebs. “I have not seen firsthand evidence that proves this 0 day exploit exists, but it appears that money is changing hands for said code.”

According to Marcus Carey, a security researcher at Rapid7, upwards of 60 to 80 percent of users probably have not yet applied the latest Java patches. And over the long term research has shown that upwards of 60% of Java installations are never up to the current patch level allowing even older exploits can be used to compromise a victim’s PC.

Rapid7 researched the typical patch cycle for Java and identified a telling pattern of behavior, namely that during the first month after a Java patch is released,  adoption is less than 10%. After 2 months, approximately 20% have applied patches and after 3 months, maybe more than 30% are patched.  They determined that the highest patch rate last year was 38% with Java Version 6 Update 26 3 months after its release.