New Java Vulnerability Being “Massively Exploited” in the Wild
Another Java zero-day security flaw is actively being targeted in the wild, and exploits are already in use across some of the most popular crimeware toolkits.
If you haven’t disabled Java yet, there is no better time than now.
The vulnerability exists in all versions of Java 7, and AlienVault Labs researchers were able to reproduce the exploit in a system running the fully-patched and up-to-date Java 7 Update 10, Jamie Blasco, the labs manager at AlienVault wrote on the company blog Jan. 10. The latest bug resembles the earlier Java zero-day (CVE-2012-4681) that was uncovered in August, Blasco said.
While Oracle took the rare step of releasing an out-of-band patch for that zero-day bug a few days after the flaw was identified, at the moment, there is no word of a fix or mitigation controls from the company at this time. Users should immediately disable the Java plugin (version 1.7) in their browser (or if they already have done so, leave it disabled for the time being).
“Java 7 Update 10 and earlier Java 7 versions contain an unspecified remote-code-execution vulnerability,” Department of Homeland Security’s U.S. Computer Emergency Readiness Team (CERT) warned in its Vulnerability Note.
The Java file was “highly obfuscated” and the current exploit in the wild can bypass security checks, Blasco wrote in his analysis. By tricking a user into visiting a specially crafted HTML document, either a website or even a booby-trapped email attachment, a remote attacker may be able to execute arbitrary code, US-CERT warned.
If a user visits a malicious site exploiting this vulnerability, the attacker can “virtually own your computer,” Blasco said.
Java exploits are exceptionally dangerous because they tend to be cross-platform attacks. The exact same code can run on Mac OS X, Windows, and Linux. Kafeine, the French researcher who alerted AlienVault to the vulnerability and the exploit, described the situation as “mayhem.”
It’s not clear how many sites may have already been infected with this exploit and how many users have been compromised, although Kafeine said the site he found the infection on had “hundreds of thousands of hits daily.” The security hole is “massively exploited in the wild,” wrote Kafeine, as several crimeware toolkits, including Blackhole, Cool Exploit, and NuclearKit, are already using the exploit.
Blackhole’s creator bragged on underground forums about the new Java exploit, calling it a “New Year’s Gift” for customers, wrote security writer Brian Krebs on Krebs on Security.
Oracle shipped Java 7 update 10 with a built-in disabling feature last month, which allows users to disable the Java content in the browser through the Java control panel applet. US-CERT and SANS Institute recommended using the feature. Otherwise, users can just disable the entire Java plugin in their browsers outright.
Users are “strongly advised to put Java down and keep it that way until things get sorted out,” Bogdan Botezatu, senior e-threat analyst at BitDefender wrote on the Hot for Security blog. They should also make sure to not click on “any spammy links, regardless of how appealing they might look like in the following days,” Botezatu said.
It seems that only version 1.7 of the Java plugin is being targeted at this time.
Exploit writers are increasingly targeting Java, as the installed base is quite large. In many cases, users may have installed Java once, and then never updated it again because they forgot about it.
This Java zero-day is a reminder for administrators to think about the policy of “least privilege,” Marc Maiffret, CTO of BeyondTrust, told SecurityWeek. Considering the “constant stream” of client application vulnerabilities, “one of the best things an organization can do to limit their impact is to properly manage user account privileges across an organization,” Maiffret said.