Zero-day exploit hits Java 7 and end-of-life Java 6

Time to disable Java browser plugins until Oracle releases a patch, but Java 6 users should not hold their breath.

Just two weeks after Oracle released its latest critical patch updates, attackers have found a previously unseen flaw in Java 6 and 7 to compromise computers.

Researchers at security firms FireEye and CyberESI last week discovered the new Java attack, which successfully exploits flaws in Java 6 Update 41 and Java 7 Update 15 -- the most recent versions of Java that Oracle released on February 19.

In most cases the exploit causes the Java virtual machine to crash before the malware can be installed on the target system, according to FireEye. However, when it succeeds, it downloads a remote access tool called McRAT.

The malware entrenches itself on the target system by writing over a legitimate service library with its own malicious DLL.

“We urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to "High" and do not execute any unknown Java applets outside of your organization,” said FireEye researchers Darien Kindlund and Yichong Lin.
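The advice above (disable the browser plugin, or set the Java security level to High) can be verified on a fleet rather than by hand. The following script is an added example written for this page, not code from CSO, FireEye or Oracle. It assumes the Java 7 Update 10+ `deployment.properties` keys `deployment.webjava.enabled`, `deployment.security.level` and `deployment.javaws.jre.N.product`, treats a build at or below the ones the article names (7u15, 6u41) as exposed, and runs on a constructed sample file embedded inline.

```python
"""Audit a Java deployment.properties file against the mitigation in the
article: browser plugin disabled, or security level set to High, and no
JRE at or below the exploited builds.  Added example; the property keys
are assumed from Java 7 Update 10+ and the sample input is constructed."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Builds the article names as exploited: Java 7 Update 15 and Java 6 Update 41.
# Anything at or below these is treated as exposed; newer builds must be
# checked against the vendor's own advisory, which this check does not cover.
LAST_KNOWN_VULNERABLE = {7: 15, 6: 41}

VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(version: str) -> Optional[Tuple[int, int]]:
    """'1.7.0_15' -> (7, 15); '1.6.0' -> (6, 0); unparsable -> None."""
    m = VERSION_RE.match(version.strip().strip('"'))
    if not m:
        return None
    update = int(m.group(3)) if m.group(3) else 0
    return int(m.group(1)), update


def is_exposed_version(version: str) -> bool:
    """True when the build is at or below the exploited builds, or unreadable."""
    parsed = parse_java_version(version)
    if parsed is None:
        return True  # unknown build string: never treat as safe
    major, update = parsed
    last_bad = LAST_KNOWN_VULNERABLE.get(major)
    if last_bad is None:
        return False  # a major version outside the article's scope; not flagged here
    return update <= last_bad


def parse_deployment_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or
    key:value, and trailing-backslash line continuation."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line = pending + line
        pending = ""
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_plugin_settings(props: Dict[str, str]) -> List[str]:
    """Findings against the article's advice: plugin off, or level High."""
    findings: List[str] = []
    # Assumed default when the key is absent: plugin enabled.
    if props.get("deployment.webjava.enabled", "true").lower() == "false":
        return findings  # plugin disabled: browser-side exposure removed
    findings.append("Java browser plugin is enabled (deployment.webjava.enabled != false)")
    # Assumed default when the key is absent: MEDIUM.
    level = props.get("deployment.security.level", "MEDIUM").upper()
    if level not in ("HIGH", "VERY_HIGH"):
        findings.append(f"deployment.security.level is {level}; article advises High")
    return findings


# Constructed sample, not taken from a real machine.
SAMPLE_PROPERTIES = """\
# constructed sample deployment.properties
deployment.version=7.15
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.javaws.jre.0.product=1.7.0_15
deployment.javaws.jre.1.product=1.6.0_41
"""


def audit(properties_text: str) -> dict:
    """Return the registered JREs that are exposed plus any setting findings."""
    props = parse_deployment_properties(properties_text)
    jres = [v for k, v in props.items()
            if k.startswith("deployment.javaws.jre.") and k.endswith(".product")]
    return {
        "exposed_jres": [v for v in jres if is_exposed_version(v)],
        "findings": check_plugin_settings(props),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PROPERTIES), indent=2))
```

On the sample the audit reports both registered JREs as exposed and two findings (plugin enabled, level MEDIUM); a file with `deployment.webjava.enabled=false` produces no setting findings regardless of level, matching the article's first recommendation. Point `audit` at the per-user `deployment.properties` (or the system-wide copy an administrator pushes) to check real hosts.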

Interestingly, the McRAT trojan and the control server it calls back to are the same ones used in the attacks on security firm Bit9, according to Krebsonsecurity.com, suggesting the same group is behind the new Java exploit.

A bigger question for Java 6 users is whether an update for that edition will become available. Oracle ended support for it in February and has said it will not release any more public updates for Java 6.

In January and February Oracle broke its “Critical Patch Update” cycle and released early updates for Java 6 and 7 in response to attackers exploiting a serious flaw, and given the status of Java 6 it's unlikely to see a repeat. Meanwhile, Oracle's next Critical Patch Update for Java 7 is not scheduled for release until April 16.

Java 7 is the dominant version of the software, but Java 6 is still in use. January figures from PaaS provider Jelastic show that roughly 18 percent of its users are running Java 6 JVMs.

The exploit follows the discovery of two Java 7 vulnerabilities by Polish security researcher Adam Gowdiak. Oracle confirmed one as a flaw and described the other as “allowed behaviour”.

In addition, an exploit for flaws fixed in the February 1 release of Java 7 Update 13 has been bundled with several exploit kits, taking advantage of out-of-date Java installations.


Tags: Java 7, security, Oracle

1 Comment

Cid


I really can't believe that Java has gotten this bad. It's just unsafe to have Java enabled in the browser any more. Everyone should really disable it to keep their computers safe. Here are some decent instructions on how to disable it http://disablejava.com
