July 28, 2014

New zero-day Java 7 vulnerability being exploited in the wild

(LiveHacking.Com) – US-CERT has issued a security advisory about an unspecified vulnerability in the most up-to-date version of Java (Java 7 Update 10) that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. According to TrendLabs, the zero-day exploit is being used by toolkits such as the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). Brian Krebs has noted that the author of the Blackhole exploit kit is calling the new exploit a ‘New Year’s Gift’ to customers who use Blackhole.

Initial analysis of the exploit shows that it probably bypasses certain security checks by tricking the permissions of certain Java classes, as in CVE-2012-4681. According to US-CERT, the exploit leverages unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects: an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to grant itself full privileges, without requiring code signing.
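To show which guard the exploit has to get past, here is an added illustration (not code from the advisory, the exploit or the original article): a deliberately strict SecurityManager, constructed for this demo, denies untrusted code the RuntimePermission "setSecurityManager" and file access, so a plain call to System.setSecurityManager(null) fails. It assumes a JDK 8 era runtime; on JDK 18 and later the JVM must be started with -Djava.security.manager=allow.

```java
import java.io.FileInputStream;
import java.io.FilePermission;
import java.security.Permission;

/**
 * Demo of the sandbox check that sandboxed applet code must pass before it can
 * replace or remove the SecurityManager. Code that reaches setSecurityManager()
 * without this check being applied runs with full privileges, which is the
 * effect the advisory describes.
 */
public class SandboxGuardDemo {

    /** Constructed policy for the demo, not Oracle's default java.policy. */
    static class StrictManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Deny replacing/removing the manager and any file access;
            // everything else is allowed so the demo itself can run.
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("untrusted code may not replace the SecurityManager");
            }
            if (perm instanceof FilePermission) {
                throw new SecurityException("untrusted code may not touch the file system: "
                        + perm.getName());
            }
        }
    }

    /** Returns true only if the caller managed to drop the sandbox. */
    public static boolean sandboxDropped() {
        try {
            System.setSecurityManager(null); // guarded by RuntimePermission("setSecurityManager")
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new StrictManager()); // install the sandbox
        System.out.println("sandbox dropped? " + sandboxDropped());
        try (FileInputStream in = new FileInputStream("/etc/hosts")) { // a privileged action
            System.out.println("file read allowed: sandbox is broken");
        } catch (SecurityException e) {
            System.out.println("file read blocked: " + e.getMessage());
        } catch (java.io.IOException e) {
            System.out.println("file not readable for a non-security reason: " + e);
        }
    }
}
```

The point of the demo is that the whole applet sandbox rests on that single permission check; the advisory's exploit is dangerous precisely because it reaches setSecurityManager() with the check effectively neutralised.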

The only good bits of news are that Java 6 doesn’t seem to be affected and that, since Update 10 of Java 7, it is possible to disable Java content in web browsers through the Java Control Panel applet. To do this, de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).

US-CERT (and others) were alerted to the existence of the zero-day vulnerability by a blogger named Kafeine at the site Malware don’t need Coffee.

“We can confirm that this is a new vulnerability,” said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, in an email to Computerworld. “We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well, we’re currently analyzing whether other older updates are vulnerable.”

Oracle releases out-of-band update for Java to fix vulnerabilities which are being exploited in the wild

(LiveHacking.Com) – In a surprise move, which security researchers had hoped for but hardly dared believe would happen, Oracle has released an out-of-band update to Java to fix several security vulnerabilities which are being exploited in the wild. The update addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities (CVE-2012-3136 and CVE-2012-0547) affecting Java running in web browsers on desktops.

These vulnerabilities, which are not applicable to Java running on servers or to standalone Java desktop applications, can be exploited remotely without authentication. Exploitation happens when an unsuspecting user visits a malicious web page designed to leverage the vulnerabilities. Upon successful exploitation the attackers can run arbitrary code on the victim’s computer.

“If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system,” wrote Oracle’s Eric P. Maurice in a blog post.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 “in the wild,” Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Users can download Java 7 Update 7 for Windows, Linux, Mac OS X, Solaris x86 and Solaris SPARC. The update is available in 32-bit and 64-bit versions for all platforms except OS X, which is 64-bit only. New versions of the Java SE Development Kit with the updated Java runtimes are also available.