Dark Reading is part of the Informa Tech Division of Informa PLC

Java Zero-Day Attack Could Hit Enterprises Hard

In-the-wild exploit targets unpatched Java 7 vulnerability affecting Windows, OS X, and Linux. Security experts advise disabling Java in browsers.

Calling all enterprises: disable Java in your browsers.

That warning has been sounded by numerous information security experts, following the discovery of an in-the-wild exploit that targets a zero-day vulnerability in Java, and for which no patch yet exists.

"We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable," said Atif Mushtaq, senior staff scientist at FireEye Malware Intelligence Lab, which discovered the attack and identified the Java vulnerability it exploited. "[The] initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain is resolving to an IP address in China," he said in a blog post.

The in-the-wild attack, hosted by a malicious website, currently only targets Windows PCs, via a malicious JAR (Java Archive) applet named "Dropper.MsPMs." If the browser-targeting exploit is successful, the JAR file gets installed on the targeted system. As of Sunday, the website serving the attack remained fully functional, as did the command-and-control servers, which are currently based in Singapore.

The exploited vulnerability exists in all versions of Java 7, and can be used to exploit not just Windows, but also Apple OS X and Linux systems. "I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1 [and] I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6. [The] same exploit worked on all of them," said David Maynor, CTO of Errata Security, in a blog post.

"This exploit is awesome," he said. "[It's] not a buffer overflow or anything like that, it uses a flaw in the JRE design that allows a Java app to change its own security settings with reflection." As a result, an attacker can use the vulnerability to arbitrarily change Java security settings, allowing malware to read, write, and execute code on an infected system.

Oracle has yet to detail when it will release a related Java patch for the vulnerability. "The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Until Oracle does patch the vulnerability, "the best way to prevent this attack at the moment is by removing or disabling [the] Java plug-in from your browser settings," said FireEye's Mushtaq. "Once Oracle comes up with a patch you can re-enable this plug-in." Don't, however, roll back to a previous version of Java, since older versions have numerous known vulnerabilities.

An exploit module based on the new vulnerability has already been added to the Metasploit open source penetration testing toolkit, and can be used to exploit the flaw on affected Windows, OS X, and Linux systems. Metasploit developer "sinn3r" said he'd verified that the exploit works against Internet Explorer, Firefox, and Chrome, running on Windows XP, Vista, and 7, as well as Firefox on Ubuntu Linux 10.04 and Safari on OS X Mountain Lion (10.7.4).

"Paunch," the nickname used by the developer of the BlackHole crimeware toolkit, told security journalist Brian Krebs via IM that he planned to immediately integrate the publicly available exploit code into BlackHole, saying that it was a high-quality vulnerability that could have fetched $100,000 if sold privately.

The BlackHole author--or authors--has recently been a devotee of Java vulnerabilities, which have proven easy to exploit, with some Java bugs offering a success rate of up to 80%. Adding in such exploits makes the crimeware toolkit more attractive to would-be buyers.

"Starting at the end of last year, they focused on adding Java exploits--within a month after a patch is released by Oracle," said Jason Jones, lead for the advanced security intelligence team at HP's DVLabs, speaking last month by phone about the BlackHole exploit toolkit. "They did this at the end of last year, and we saw an extremely high success rate for exploitation, then they added another one at the beginning of this year, had another same high level of exploitation rates, then they did it again recently."

Earlier this year, that increasing use of Java exploits led Apple to automatically disable Java in OS X, if it hasn't been used for 35 days. Apple made that change after a Java exploit--first detailed for Windows--was reverse-engineered by malware developers, who created the Flashback malware that infected an estimated 600,000 OS X systems.

In the wake of the latest Java vulnerability, which is difficult to spot, the prevailing security advice has been to disable Java altogether. "The configuration I used to test [the exploit] would be caught by [an] IPS with good rules [but] if you just enable the Metasploit built-in SSL options, an IPS would be blinded to this," said Maynor at Errata Security. "I have tried two different desktop protection suites from McAfee and Symantec. Neither stopped the threat, but then again, they really aren't designed to. This is a perfect exploit to use for phishing, or [targeting] social media users."

The new exploit may have already been used against your business. "Remember to search your logs for connections to the Domains/IPs related to this attack," said Jaime Blasco, a malware researcher at AlienVault Labs, in a blog post.

For businesses that can't disable Java, for example because they need to support functionality on intranet pages, here's a temporary workaround: "Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows)," said Wisniewski at Sophos. "Another solution is to surf the net using your favorite browser with Java disabled, and have an alternate browser available for the occasional site that needs it--Java is not JavaScript, you almost never need it," he said.
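The log search Blasco recommends and Wisniewski's "Java should not talk to non-intranet hosts" rule can be combined into one simple proxy-log triage script. The following is an added example, not code from the article or from any of the researchers quoted; the log format, the RFC 1918 intranet ranges, the Java 7 plug-in User-Agent pattern, and the indicator values (the article elides the real domain as ok.XXX4.net and names no IPs) are all assumptions or constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Placeholder indicators: the article elides the real domain (ok.XXX4.net) and
# gives no IPs, so these values are constructed for the example.
INDICATOR_DOMAINS = {"ok.placeholder-domain.invalid"}
INDICATOR_IPS = {"203.0.113.7"}
# Assumed intranet ranges (RFC 1918); adjust to your own address plan.
INTRANET = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the Java 7 browser plug-in identifies itself as "Java/1.7.0_xx".
JAVA_UA = re.compile(r"\bJava/1\.7\.")
# Assumed proxy log layout: timestamp client host server-ip "user-agent" path
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" (?P<path>\S+)$'
)

def is_intranet(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTRANET)

def classify(line: str) -> list:
    """Return the reasons a log line is suspicious (empty list if none or unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["host"].lower() in INDICATOR_DOMAINS or m["ip"] in INDICATOR_IPS:
        reasons.append("known attack indicator")
    if JAVA_UA.search(m["ua"]) and not is_intranet(m["ip"]):
        reasons.append("Java 7 plug-in contacting non-intranet host")
        if m["path"].lower().endswith(".jar"):
            reasons.append("JAR download")
    return reasons

def scan(lines) -> dict:
    """Map each flagged client address to the list of reasons it was flagged."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.setdefault(LOG_RE.match(line)["client"], []).extend(reasons)
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2012-08-27T10:15:02Z 192.168.1.20 ok.placeholder-domain.invalid 203.0.113.7 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06" /applet.jar',
    '2012-08-27T10:15:09Z 192.168.1.21 intranet.corp.local 10.0.0.5 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_06" /hr/app.jar',
    '2012-08-27T10:16:44Z 192.168.1.22 www.example.org 198.51.100.3 "Mozilla/5.0 (Windows NT 6.1) Firefox/14.0.1" /index.html',
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, "->", ", ".join(reasons))
```

The second rule is the useful one once the attack domain moves: an intranet-only Java deployment should never show a Java/1.7 User-Agent fetching a JAR from an external address.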

Roy Working, User Rank: Apprentice
1/13/2013 | 4:29:55 PM
re: Java Zero-Day Attack Could Hit Enterprises Hard
Oracle as usual is cranking out security hole ridden software and won't/can't fix problems - just like in their database software. Maybe they should spend money on people to review code before they release it to the world instead of letting Larry buy more islands, support racing boats team, fuel for his MiG jet, etc.
User Rank: Apprentice
8/28/2012 | 5:17:31 PM
re: Java Zero-Day Attack Could Hit Enterprises Hard
Anyone know if UAC and/or "Standard User" will protect against this one?