Java zero-day vulnerability actively exploited by attackers

The exploit for an unpatched Java vulnerability was added in popular attack toolkits, security researchers say

An exploit for a previously unknown and currently unpatched vulnerability in Java is being used by cybercriminals to infect computers with malware, according to security researchers.

An independent malware researcher who uses the online moniker Kafeine reported the existence of the exploit "in the wild" -- being actively used in attacks -- on his blog on Thursday.

Attackers are using such exploits to silently install malware on the computers of users who visit compromised websites, in what are known as drive-by download attacks.

The researcher is sharing samples of the exploit with security companies only. "This could be mayhem," he said. "I think it's better to make some noise about it."

"We can confirm that this is a new vulnerability," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well, we're currently analyzing whether other older updates are vulnerable."

As far as Bitdefender's tests showed, the exploit is specific to Java 7, Botezatu said.

Researchers from security firm AlienVault also confirmed that the exploit works against a fully patched installation of Java 7. The exploit uses similar tricks to bypass Java security restrictions as a different Java exploit that was used by cybercriminals in August 2011, Jaime Blasco, manager of the AlienVault Labs, said Thursday in a blog post.

The exploit has already been added to the popular Blackhole exploit toolkit used by cybercriminals, as well as to Cool Exploit Kit, a more exclusive spin-off of Blackhole, Botezatu said. "Other reports mention that it has also made it in Redkit [a different exploit toolkit], but we can't confirm the information at the moment."

"I've seen samples from Cool EK [exploit kit] and Blackhole EK but it seems it has been also included into Nuclear Pack and Redkit," Jaime Blasco, manager of the AlienVault Labs, said via email. Blasco believes that an exploit will also be added to the popular open source Metasploit penetration testing tool soon, as happens with most zero-day exploits -- exploits for unpatched vulnerabilities.

Using packet captures for the traffic associated with the new Java exploit, Bitdefender researchers were able to trace back some attacks to Jan. 7. However, the company's researchers believe that the attacks probably started on Jan. 2 or 3, Botezatu said.

"The 0-day attack code that was spotted in the wild today is yet another instance of Java security vulnerabilities that stem from insecure implementation of the Java Reflection API," said Adam Gowdiak, the founder of Security Explorations, a Polish security company that specializes in Java vulnerability research.

The new issue is a combination of two vulnerabilities, he said. One of them abuses the new Reflection API in order to bypass Oracle's October patch for a different issue that Security Explorations reported to the company on Aug. 31, Gowdiak said.

The exploit vector used in the new attack is also known to Oracle, as it was reported by Security Explorations in September along with additional proof-of-concept code for the August issue, he said.

Oracle has yet to confirm the vulnerability or comment on its patching plans. The next critical patch update (CPU) for Java is scheduled for Feb. 19. Oracle doesn't have a comment available at the moment, a representative from the company's outside PR agency said Thursday via email.

When faced with a similar situation in August of cybercriminals exploiting an unpatched Java vulnerability, Oracle decided to break out of its quarterly patch release cycle and release an emergency update.

"I think that Oracle will not issue an out-of-band patch again without thoroughly investigating the full extent of the damage and ensuring the quality of the patch," Botezatu said. "The last out-of-band patch for Java that was released in August actually opened the door for a similar exploitation technique on Java versions that were not vulnerable before the exploit. I believe this was an important lesson that might delay the release of a fix."

Users should disable the Java plug-in their browsers as soon as possible and keep it disabled until a patch is released, Botezatu said. Users who need Java support in the browser on certain websites should only allow the plug-in to run on those websites, he said.

The latest version of Java, Java 7 Update 10 (7u10), which was released on Dec. 11, enables users to have better control over Web-based Java content. The version provides an option in the Java control panel to disable all Java content in browsers.

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetysecurityAlienVaultExploits / vulnerabilitiesmalwareOraclebitdefender

More about Oracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place