09:14 AM

Java Zero-Day Attack Could Hit Enterprises Hard

In-the-wild exploit targets unpatched Java 7 vulnerability affecting Windows, OS X, and Linux. Security experts advise disabling Java in browsers.

Calling all enterprises: disable Java in your browsers.

That warning has been sounded by numerous information security experts, following the discovery of an in-the-wild exploit that targets a zero-day vulnerability in Java, and for which no patch yet exists.

"We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable," said Atif Mushtaq, senior staff scientist at FireEye Malware Intelligence Lab, which discovered the attack and identified the Java vulnerability it exploited. "[The] initial exploit is hosted on a domain named Currently this domain is resolving to an IP address in China," he said in a blog post.

The in-the-wild attack, hosted by a malicious website, currently only targets Windows PCs, via a malicious JAR (Java Archive) applet named "Dropper.MsPMs." If the browser-targeting exploit is successful, the JAR file gets installed on the targeted system. As of Sunday, the website serving the attack remained fully functional, as did the command-and-control servers, which are currently based in Singapore.

The exploited vulnerability exists in all versions of Java 7, and can be used to exploit not just Windows, but also Apple OS X and Linux systems. "I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1 [and] I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6. [The] same exploit worked on all of them," said David Maynor, CTO of Errata Security, in a blog post.


"This exploit is awesome," he said. "[It's] not a buffer overflow or anything like that, it uses a flaw in the JRE design that allows a Java app to change its own security settings with reflection." As a result, an attacker can use the vulnerability to arbitrarily change Java security settings, allowing malware to read, write, and execute code on an infected system.

Oracle has yet to detail when it will release a related Java patch for the vulnerability. "The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Until Oracle does patch the vulnerability, "the best way to prevent this attack at the moment is by removing or disabling [the] Java plug-in from your browser settings," said FireEye's Mushtaq. "Once Oracle comes up with a patch you can re-enable this plug-in." Don't, however, roll back to a previous version of Java, since older versions have numerous known vulnerabilities.

An exploit module based on the new vulnerability has already been added to the Metasploit open source penetration testing toolkit, and can be used to exploit the flaw on affected Windows, OS X, and Linux systems. Metasploit developer "sinn3r" said he'd verified that the exploit works against Internet Explorer, Firefox, and Chrome, running on Windows XP, Vista, and 7, as well as Firefox on Ubuntu Linux 10.04 and Safari on OS X Mountain Lion (10.7.4).

"Paunch," the nickname used by the developer of the BlackHole crimeware toolkit, told security journalist Brian Krebs via IM that he planned to immediately integrate the publicly available exploit code into BlackHole, saying that it was a high-quality vulnerability that could have fetched $100,000 if sold privately.

The BlackHole author--or authors--has recently been a devotee of Java vulnerabilities, which have proven easy to exploit, with some Java bugs offering a success rate of up to 80%. Adding in such exploits makes the crimeware toolkit more attractive to would-be buyers.

"Starting at the end of last year, they focused on adding Java exploits--within a month after a patch is released by Oracle," said Jason Jones, lead for the advanced security intelligence team at HP's DVLabs, speaking last month by phone about the BlackHole exploit toolkit. "They did this at the end of last year, and we saw an extremely high success rate for exploitation, then they added another one at the beginning of this year, had another same high level of exploitation rates, then they did it again recently."

Earlier this year, that increasing use of Java exploits led Apple to automatically disable Java in OS X, if it hasn't been used for 35 days. Apple made that change after a Java exploit--first detailed for Windows--was reverse-engineered by malware developers, who created the Flashback malware that infected an estimated 600,000 OS X systems.

In the wake of the latest Java vulnerability, which is difficult to spot, the prevailing security advice has been to disable Java altogether. "The configuration I used to test [the exploit] would be caught by [an] IPS with good rules [but] if you just enable the Metasploit built-in SSL options, an IPS would be blinded to this," said Maynor at Errata Security. "I have tried two different desktop protection suites from McAfee and Symantec. Neither stopped the threat, but then again, they really aren't designed to. This is a perfect exploit to use for phishing, or [targeting] social media users."

The new exploit may have already been used against your business. "Remember to search your logs for connections to the Domains/IPs related to this attack," said Jaime Blasco, a malware researcher at AlienVault Labs, in a blog post.
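One way to act on that advice is a small scanner over web-proxy logs. The following is an added example, not code from the article or from AlienVault: it parses Squid-style access.log lines, flags requests to a list of known indicator domains/IPs, and also flags JAR downloads served from non-intranet hosts, since the attack described above delivers a malicious JAR applet from an external site. The indicator values and log lines are constructed placeholders (the article does not publish the real domain or IPs); substitute the published indicators and your own intranet ranges.

```python
"""Scan Squid-style proxy logs for indicators of a browser-delivered Java exploit.

Added example; the indicator lists below are placeholders, not the real
attack infrastructure, and the sample log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder indicators (hypothetical): replace with the published domain/IPs.
IOC_DOMAINS = {"exploit-host.example"}
IOC_IPS = {"198.51.100.23"}  # TEST-NET-2 address, constructed

# Address ranges considered "intranet"; JARs from here are not flagged.
INTRANET_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Squid native access.log layout:
# time elapsed client code/status bytes method URL user peerstatus/peerhost type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    reason: str


def _host_of(url: str) -> str:
    """Return the lower-cased host part of a URL, or '' if it cannot be parsed."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _is_intranet(host: str) -> bool:
    """True only for literal IP addresses inside INTRANET_NETS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTRANET_NETS)


def scan_log(lines) -> list:
    """Return a Hit for every line that matches an indicator or a suspicious JAR fetch."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        host = _host_of(m["url"])
        peer = m["peer"]
        is_jar = (m["ctype"] == "application/java-archive"
                  or m["url"].lower().endswith(".jar"))
        reason = None
        if host in IOC_DOMAINS:
            reason = "known exploit domain"
        elif host in IOC_IPS or peer in IOC_IPS:
            reason = "known exploit IP"
        elif is_jar and not _is_intranet(peer):
            reason = "JAR download from external host"
        if reason:
            hits.append(Hit(m["ts"], m["client"], m["url"], reason))
    return hits


# Constructed sample log: one indicator hit, one benign page, one intranet JAR,
# and one JAR from an unknown external host.
SAMPLE_LOG = """\
1346000000.123    212 192.168.1.10 TCP_MISS/200 48213 GET http://exploit-host.example/Dropper.MsPMs - DIRECT/198.51.100.23 application/java-archive
1346000001.456     88 192.168.1.11 TCP_MISS/200 1321 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1346000002.789    150 192.168.1.12 TCP_MISS/200 77300 GET http://intranet.corp.example/apps/tool.jar - DIRECT/10.2.3.4 application/java-archive
1346000003.000    130 192.168.1.13 TCP_MISS/200 66000 GET http://cdn.other.example/lib.jar - DIRECT/203.0.113.9 application/java-archive
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.client} {hit.reason}: {hit.url}")
```

The external-JAR rule is a heuristic rather than an indicator match, so expect some benign hits from legitimate applets; it is there to surface unknown hosting sites once the published domain has moved, and the intranet exemption keeps internal Java applications out of the result set.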

For businesses that can't disable Java, for example because they need to support functionality on intranet pages, here's a temporary workaround: "Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows)," said Wisniewski at Sophos. "Another solution is to surf the net using your favorite browser with Java disabled, and have an alternate browser available for the occasional site that needs it--Java is not JavaScript, you almost never need it," he said.

Roy Working,
User Rank: Apprentice
1/13/2013 | 4:29:55 PM
re: Java Zero-Day Attack Could Hit Enterprises Hard
Oracle as usual is cranking out security hole ridden software and won't/can't fix problems - just like in their database software. Maybe they should spend money on people to review code before they release it to the world instead of letting Larry buy more islands, support racing boats team, fuel for his MiG jet, etc.
User Rank: Apprentice
8/28/2012 | 5:17:31 PM
re: Java Zero-Day Attack Could Hit Enterprises Hard
Anyone know if UAC and/or "Standard User" will protect against this one?