Vulnerabilities / Threats
3/1/2013
11:18 AM
Connect Directly
RSS
E-Mail
50%
50%

Zero Day Java Vulnerability Allows McRat Trojan Infections

Security experts urge users of latest versions of Java 6 and 7 to disable Java in their browsers until Oracle releases a patch.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
A newly discovered zero-day vulnerability in the most recent versions of Java 6 and Java 7 is being actively exploited by attackers to install malicious software on vulnerable PCs.

"We detected a brand new Java zero-day vulnerability that was used to attack multiple customers," FireEye security researchers Darien Kindlund and Yichong Lin said in a blog posted Thursday. "Specifically, we observed successful exploitation against browsers that have Java v1.6 update 41 and Java v1.7 update 15 installed," they said, referring to the two most recently released versions of Java 6 and Java 7.

The discovery of the new bug (CVE-2013-1493) makes for the third Java zero-day vulnerability to have been reported to Oracle this week.

So far, the FireEye researchers have publicly detailed the new vulnerability only in broad terms: "Not like other popular Java vulnerabilities in which [the] security manager can be disabled easily, this vulnerability leads to [an] arbitrary memory read and write in [the] JVM [Java virtual machine] process," they said.

[ Does your business depend on Java? Here's how to stay secure. 10 Facts: Secure Java For Business Use. ]

In the attack they spotted, a malicious JAR (Java archive) file is used to exploit the vulnerability and then target memory used by the Java security manager. If the exploit finds that the security manager is active, it attempts to overwrite the memory used by the security manager, thus disabling the functionality.

"Upon successful exploitation, it will download a McRAT executable ... from same server hosting the JAR file and then execute it," said Kindlund and Lin. McRAT is a remote access Trojan (RAT) designed to download further malware onto an infected PC.

Independent security researcher Eric Romang noted Friday in a blog post that the new "yet another Oracle Java 0day" was only being detected by 21 out of 46 antivirus scanners tested via VirusTotal, leading him to suggest that the exploit might already be built into an automated crimeware toolkit.

Oracle last released an emergency update for Java just 10 days ago, including what was billed as the final-ever public release of an update for Java 6, which has now been officially retired. That emergency update fixed a vulnerability that was being exploited by attackers to bypass the Java sandbox. It followed another emergency update from Oracle, released at the beginning of February, that patched 50 bugs in Java.

News of the new vulnerability brought fresh calls from security experts to disable the Java browser plug-in -- note that JavaScript is not at risk -- if at all possible. "Take care or uninstall Java (or both)," according to a tweet from French security firm Vupen Security.

The FireEye researchers offered similar advice: "We urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to "High" and do not execute any unknown Java applets outside of your organization," they said.

Meanwhile, veteran Java bug hunter Adam Gowdiak, CEO and founder of Poland-based Security Explorations, Thursday sent an email update to the Bugtraq mailing list, reporting on the status of the two Java vulnerabilities he discovered this week -- mentioned above -- which he's detailed to Oracle, including proof-of-concept exploit code.

Of the two bugs, Oracle confirmed what Gowdiak labeled "issue 55." No details of the vulnerabilities have been publicly released, except that they involve a Java reflection vulnerability. But according to Gowdiak's email, Oracle dismissed "issue 54," saying that merely provides "allowed behavior" in Java.

Gowdiak, however, disagreed with Oracle's assessment, saying that a similar, previously discovered problem "leads to access denied condition and a security exception," which he considers to be a security flaw. "If Oracle sticks to their assessment we'll have no choice than to publish details of issue 54," he said.

Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR03 by March 9 to save up to $500 off the price of Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Register for Interop today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cid0003
50%
50%
cid0003,
User Rank: Apprentice
3/1/2013 | 7:03:27 PM
re: Zero Day Java Vulnerability Allows McRat Trojan Infections
In reality Java is barley used anymore by most people. If you disabled it, your probably wouldn't notice, and your computer would be safer.
samiup
50%
50%
samiup,
User Rank: Apprentice
3/1/2013 | 5:39:33 PM
re: Zero Day Java Vulnerability Allows McRat Trojan Infections
Java is getting very annoying.
too many flaws, too many bugs and security holes and way too may updates to install...

is there an alternative?
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.