Widespread attacks are under way using a weaponized reliable Java exploit that relies on not one, but two zero-day exploits.

The Java exploit was originally used for targeted attacks to push remote access Trojans onto a victim's machine when it first went public, but this week was hurriedly added to the popular BlackHole crimeware kit, making it easily available to all types of cybercriminals. "When it got merged into BlackHole, it started to push malware of a more traditional type, like banking Trojans [and] Zeus variants," says Patrik Runald, director of security research for Websense.

At least 100 domains are now serving up the exploit, according to estimates by Websense and other researchers, 83 percent of which are located in the U.S., according to Websense. And so far, the number of infected hosts is in the tens of thousands range, according to Seculert's latest data.

"Usually, a good exploit kit like BlackHole has a success rate of around 10% for infecting machines visiting the servers. In the new version of BlackHole infection servers, we have seen up to a 25% success rate," Seculert said in a blog post today. "Furthermore, statistics show that Java exploits in BlackHole servers are 75 to 99% successful."

Initial reports were that the exploit was based on a single zero-day vulnerability in Java, but Immunity researcher Esteban Guillardoy dug deeper and discovered that it's actually using two previously unknown flaws in Java JDK/JRE 7 through Java JDK/JRE 7 update 6 versions.

"When working our way through each step this exploit performed, we realized there were two different bugs chained together, cleverly used in order to exploit a target. These two bugs [used] alone are not enough to exploit a target, and this is where the sun.awt.SunToolkit class comes in place together with the Statement class," Guillardoy says of the attack. "The attackers chained the two bugs to be able to work with the sun.awt.SunToolkit class that is restricted to applets in order to be able to access and set private fields on any class, and figured out that they could use this to change the Statement AccessControlContext and get full privileges."

[ After making their code harder to reverse-engineer, exploit kits are now focusing on improving attacks. See Crimeware Developers Shift To More Obfuscation, Java Exploits. ]

"Reliable" has been one of the main adjectives used to describe this exploit thus far. "It's the way the vulns work that make this particular [attack] very reliable," Runald says. "Sometimes you see 0days and vulns that are less easy to exploit and use for live attacks ... This particular [one] is very solid from the attacker point of view: It works every time if the right verison of Java is there."

Immunity's Guillardoy says both "the beauty and the danger" of this attack is that it's multiplatform and 100 percent reliable. "In [Immunity] CANVAS, we wrote an exploit that works with a 100% accuracy on Windows, Linux, and OS X without adding an extra line of code. Based on the Java website, 930 million Java Runtimes are downloaded each year, and 3 billion mobiles phones run Java. Moving the exploit to mobiles, smart TVs, etc., is very simple," he says.

No word yet from Oracle on mitigations or patches for the flaws, but some security experts say the bugs are fairly straightforward and basically abuse the way Java operates. "They are straightforward because it is not like your typical memory corruption having to jump through a bunch of OS security prevention measures. Rather, this is really almost as simple as taking advantage of functionality in Java just as any normal programmer would," says Marc Maiffret, CTO at BeyondTrust.

The attack is basically a combination of two vulnerabilities, but mainly it's an implementation flaw. "It is a bit of both, but essentially it is more of an implementation flaw that [Oracle] should have caught," Maiffret says. "Rather than a design flaw, such as older SQL injection, [this] is an overall architecture type of issue."

What's unusual is that two bugs were used to exploit Java, which is known for its bugs. "There have been a few vulnerabilities in software lately that seem to require multiple different bugs when combined together that can lead to overall code execution. Typically, when multiple bugs are combined for one exploit, it is in more secure software, such as Chrome, that has a lot of security layers that need to be bypassed," Maiffret says. "You typically do not have to work that hard with something like Java to exploit it, as Oracle seems to love continuing to be terrible at securing their products."

Security experts say attackers are likely to be spamming out email lures or malicious URLs for the initial stage of infection.

There are ways to defend against the attack: "Now that it went from use in a targeted fashion to mass exploitation, we encourage everyone, if you can't uninstall Java, at least disable it," Websense's Runald says. "Because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days."

The attack works across the latest versions of Windows, Linux, and OS X platforms, as well as Firefox, Internet Explorer, and Safari.

Maiffret says because there has been a steady stream of Java bugs, there are some best practices organizations can adopt, such as ensuring that only systems that need Java have it installed. "Once you have determined systems that actually need Java, determine which of those systems are using Java for Internet facing-applications versus desktop/internal applications. You can then configure Java on systems that do not need it for Internet applications to only function for local sites/apps versus Internet applications," he says.

That can reduce the Java attack surface. "The real problem is Java is a massive ugly attack surface that most people are exposing on their systems when, in reality, they do not need to be," Maiffret says. "There are, of course, some systems that do need Java, so I do not think a general 'disable Java' is always going to work."

Says Immunity's Guillardoy: "We took this Java bug class very seriously because, without effort, you are able to compromise thousands of computers and devices around the world."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.