Businesses are growing worried about drive-by infections by malware that exploits two zero-day Java vulnerabilities.
Attackers, apparently operating from China, chained the two vulnerabilities together to defeat Java 7 security settings, allowing them to execute arbitrary code on targeted PCs. But the exploit code has since been added to attack toolkits and used in new, targeted attacks.
Here are six facts that businesses need to know about the vulnerabilities being exploited, as well as how to protect their users:
1. Warning: Uninstall Java, Or Maybe Disable
Security experts have recommended that users disable all Java browser plug-ins, pending a patch from Oracle.
US-CERT has offered detailed instructions about how to disable Java in Chrome, Firefox, and Internet Explorer browsers. But it warned that where IE is concerned, nuking the Java plug-in isn't a straightforward manner, as "there are multiple ways for a Web page to invoke a Java applet, and multiple ways to configure Java plug-in support."
[ Windows 7 and 8 password clues are vulnerable to attack. See Windows Password Clues Easy To Crack. ]
In fact, at least for IE users, US-CERT suggested that the difficulties involved in disabling Java might require stronger measures. "Due to the complexity and impracticality of disabling Java in Internet Explorer, you may wish to uninstall Java to protect against this vulnerability."
2. Oracle Learned Of Vulnerabilities Four Months Ago
Is Oracle patching critical vulnerabilities in Java quickly enough? Sunday, FireEye went public with details of a never-before-seen attack. In response, some security researchers this week criticized the company for behaving irresponsibly by not having worked with Oracle to patch the flaws before disclosing them publicly.
But IDG News reported Wednesday that Polish vulnerability research company Security Explorations disclosed the two exploited vulnerabilities to Oracle--including detailed proof-of-exploit attack code--more than four months ago, on April 2. "Among a total of 19 weaknesses discovered, there are issues that allow to either create a specific Java security bypass condition or that facilitate the exploitation process of a certain type of vulnerabilities," according to a press release issued by Security Explorations. The firm said it had developed reliable proof-of-concept exploits for all of the vulnerabilities, including 12 mock attacks "that demonstrate a complete JVM security sandbox bypass."
"Why critical remote code execution vulnerabilities were not fixed in Oracle's June patch is unknown," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. "Oracle has yet to acknowledge these publicly, but had set expectations with Security Explorations that they were to be fixed in October."
3. Vulnerability Added To BlackHole Within Hours
The seriousness of the new Java exploits can be measured by the speed with which exploit toolkit authors updated their software to make use of the exploit. According to Wisniewski at Sophos, "it took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit"--namely, the BlackHole toolkit.
Of course, BlackHole isn't the only exploit kit on the market. "Exploit competition heats up. Latest Java exploit added to Redkit exploit kit too," tweeted Mikko Hypponen, chief research officer at F-Secure, about the Russian-language RedKit, a relatively new exploit kit that competes with the BlackHole and Phoenix crimeware packs, and which gained notoriety earlier this year for targeting a new Java exploit.
4. Attackers Like Java For Its Simplicity
"In the past year or so the bad guys started paying much more attention to Java exploits," said Trustwave SpiderLabs security researcher Arseny Levin earlier this year in a blog post. "Java is a very appealing target, since it can be found on your home desktop, on your mobile, and even on many embedded devices." Furthermore, he noted that some vulnerabilities can be exploited via Java Virtual Machine shell bytecode, "meaning exploitation will be successful regardless of the operating system." The Apple OS X Flashback malware was one example of such an attack.
According to a BlackHole control panel screenshot published by Seculert, the Java array vulnerability found earlier this year--and targeted by Flashback--was successfully exploited by the exploit kit between 76% and 97% of the time.
5. Java Exploits Wildly Successful
Now, the BlackHole developer's rapid response has paid off for his crimeware customers. "We were able to count tens of thousands of new infected machines due to the Java 0-day, since the exploit was added to the BlackHole exploit kit," according to a blog post from the company. "Usually, a good exploit kit like BlackHole has a success rate of around 10% for infecting machines visiting the servers. In the new version of BlackHole infection servers, we have seen up to a 25% percent success rate," it noted, and said 99% of those successful exploits were thanks to using Java vulnerabilities.
Small wonder that Sean Sullivan, security advisor at F-Secure Labs, has dubbed the Java runtime environment (JRE) as a "perpetual vulnerability machine."
6. Malware May Be Targeting Mac Users
A variant of the Tsunami malware that can target both OS X and Linux systems may already be using the new Java vulnerabilities to infect systems. "This method of infection has not yet been confirmed, but as this OS X malware connects out to the same IP address as the Windows backdoors known to be dropped by [the Java vulnerability], it seems they are at least related incidents," said Lysa Myers, a "virus hunter" at Mac security software firm Intego, in a Wednesday blog post.
"At the time of writing, the JAR file that was purported to be dropping this Trojan has been replaced with a bit of threatening text. It seems like maybe someone knows they've been discovered?" she said.
One piece of good news for Mac users, however, is that only Java 6 is included by Apple in OS X. While Mac users can upgrade to Java 7, they would have had to have done so manually.