Java zero-day vulnerability actively exploited by attackers

An exploit for an unpatched Java vulnerability has been added to popular attack toolkits, security researchers say

An exploit for a previously unknown and currently unpatched vulnerability in Java is being used by cybercriminals to infect computers with malware, according to security researchers.

An independent malware researcher who uses the online moniker Kafeine reported the existence of the exploit "in the wild" -- being actively used in attacks -- on his blog on Thursday.

Attackers are using such exploits to silently install malware on the computers of users who visit compromised websites, in what are known as drive-by download attacks.

The researcher is sharing samples of the exploit with security companies only. "This could be mayhem," he said. "I think it's better to make some noise about it."

"We can confirm that this is a new vulnerability," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well, we're currently analyzing whether other older updates are vulnerable."

As far as Bitdefender's tests showed, the exploit is specific to Java 7, Botezatu said.

Researchers from security firm AlienVault also confirmed that the exploit works against a fully patched installation of Java 7. The exploit uses tricks similar to those of a different Java exploit used by cybercriminals in August 2011 to bypass Java's security restrictions, Jaime Blasco, manager of AlienVault Labs, said Thursday in a blog post.

The exploit has already been added to the popular Blackhole exploit toolkit used by cybercriminals, as well as to Cool Exploit Kit, a more exclusive spin-off of Blackhole, Botezatu said. "Other reports mention that it has also made it into Redkit [a different exploit toolkit], but we can't confirm the information at the moment."

"I've seen samples from Cool EK [exploit kit] and Blackhole EK, but it seems it has also been included in Nuclear Pack and Redkit," Blasco said via email. Blasco believes that an exploit will also be added to the popular open source Metasploit penetration testing tool soon, as happens with most zero-day exploits -- exploits for unpatched vulnerabilities.

Using packet captures for the traffic associated with the new Java exploit, Bitdefender researchers were able to trace back some attacks to Jan. 7. However, the company's researchers believe that the attacks probably started on Jan. 2 or 3, Botezatu said.

"The 0-day attack code that was spotted in the wild today is yet another instance of Java security vulnerabilities that stem from insecure implementation of the Java Reflection API," said Adam Gowdiak, the founder of Security Explorations, a Polish security company that specializes in Java vulnerability research.

The new issue is a combination of two vulnerabilities, he said. One of them abuses the new Reflection API in order to bypass Oracle's October patch for a different issue that Security Explorations reported to the company on Aug. 31, Gowdiak said.

The exploit vector used in the new attack is also known to Oracle, as it was reported by Security Explorations in September along with additional proof-of-concept code for the August issue, he said.

Oracle has yet to confirm the vulnerability or comment on its patching plans. The next critical patch update (CPU) for Java is scheduled for Feb. 19. Oracle doesn't have a comment available at the moment, a representative from the company's outside PR agency said Thursday via email.

When faced with a similar situation in August, when cybercriminals were exploiting an unpatched Java vulnerability, Oracle decided to break out of its quarterly patch release cycle and release an emergency update.

"I think that Oracle will not issue an out-of-band patch again without thoroughly investigating the full extent of the damage and ensuring the quality of the patch," Botezatu said. "The last out-of-band patch for Java that was released in August actually opened the door for a similar exploitation technique on Java versions that were not vulnerable before the exploit. I believe this was an important lesson that might delay the release of a fix."

Users should disable the Java plug-in in their browsers as soon as possible and keep it disabled until a patch is released, Botezatu said. Users who need Java support in the browser for certain websites should allow the plug-in to run only on those websites, he said.

The latest version of Java, Java 7 Update 10 (7u10), which was released on Dec. 11, gives users better control over Web-based Java content. The version provides an option in the Java control panel to disable all Java content in browsers.
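As an added example (not from the article, and not Oracle's own tooling), a small POSIX shell audit of the deployment.properties file that persists the 7u10 control-panel setting described above. It assumes the checkbox is stored as the deployment.webjava.enabled property and that a deployment.webjava.enabled.locked line pins it against user changes; the two profile files it checks are constructed stand-ins, not real user data.

```shell
#!/bin/sh
# Added example: report whether "Enable Java content in the browser" is off in a
# Java deployment.properties file. Assumed key: deployment.webjava.enabled, with
# an optional deployment.webjava.enabled.locked line that pins the value.
# Real profiles live at ~/.java/deployment/deployment.properties (Linux) or
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties (Windows).

# Usage: webjava_state FILE -> prints disabled-locked | disabled | enabled
# A missing file or missing key counts as "enabled": the plug-in is on by default.
webjava_state() {
  file="$1"
  [ -f "$file" ] || { echo "enabled"; return 0; }
  # Last assignment wins; strip the key, any CR, and surrounding whitespace.
  val=$(grep -E '^[[:space:]]*deployment\.webjava\.enabled[[:space:]]*=' "$file" \
        | tail -n 1 | sed -e 's/^[^=]*=//' | tr -d '\r' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
  if [ "$val" = "false" ]; then
    if grep -qE '^[[:space:]]*deployment\.webjava\.enabled\.locked' "$file"; then
      echo "disabled-locked"
    else
      echo "disabled"
    fi
  else
    echo "enabled"
  fi
}

# Constructed sample files standing in for two users' profiles.
SAMPLE_DIR=$(mktemp -d)
# Weak: key absent, so Java content in browsers stays at its default (on).
printf 'deployment.version=7.10\n' > "$SAMPLE_DIR/default.properties"
# Hardened: browser Java switched off and the setting locked.
printf 'deployment.webjava.enabled=false\ndeployment.webjava.enabled.locked\n' \
  > "$SAMPLE_DIR/hardened.properties"

for f in "$SAMPLE_DIR"/*.properties; do
  printf '%s: %s\n' "$(basename "$f")" "$(webjava_state "$f")"
done
```

Point the function at each user's deployment.properties on a fleet to find profiles where the plug-in is still enabled.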

Lucian Constantin

IDG News Service