Oracle Patches Java Zero-Day Exploited by Pawn Storm Attackers

Oracle has patched a Java zero-day exploited by the Russia-linked advanced persistent threat (APT) group known as “Pawn Storm” in attacks aimed at NATO member countries and the White House.

The vulnerability, reported to Oracle by Trend Micro, was used earlier this year in conjunction with a different Java zero-day by the Pawn Storm attackers. The threat group leveraged a remote code execution vulnerability in Java (CVE-2015-2590), which Oracle patched with the July 2015 Critical Patch Update (CPU), and a different Java weakness (CVE-2015-4902), which Oracle addressed on Tuesday with the October 2015 CPU.

The attackers used the flaw identified as CVE-2015-4902 to bypass the click-to-play protection in Java.

In recent years, several steps have been taken to make Java vulnerabilities harder to exploit: Oracle started releasing updates more often, browser vendors blocked outdated Java versions, the rules for running self-signed and unsigned applets were tightened, and click-to-play protection was introduced for all applets.

In the attacks aimed at NATO members and the White House, Pawn Storm chained CVE-2015-2590 and CVE-2015-4902. Trend Micro detailed the first issue in July, shortly after the attacks were spotted, and now that Oracle has resolved the click-to-play bypass flaw, the security firm has disclosed its details as well.

The click-to-play bypass vulnerability allowed attackers to execute malicious Java code without any alerts being shown to the victim.

“If Java was still in widespread use today, the effects of a bypass of click-to-play protection would be far-reaching. Any zero-day vulnerability discovered down the road would allow for drive-by downloads to be carried out,” Trend Micro threats analyst Jack Tang explained in a blog post. “This case also highlights the importance of ensuring that when new security features (such as click-to-play) are introduced to a complex system like Java, it is a must to audit the communications of existing components with the new features. This is to ensure that existing ‘good’ features and security are not lost in the mix.”

The Pawn Storm cyber espionage group (also known as Sednit, APT28, Fancy Bear, Sofacy and Tsar Team) has been around since at least 2007, focusing its operations on government, military, media, and defense organizations from across the world.

Pawn Storm has used at least half a dozen zero-day vulnerabilities in the last year, including flaws affecting Java, Windows and Flash Player. Trend Micro reported last week that the group had leveraged an Adobe Flash Player zero-day (CVE-2015-7645) in attacks aimed at several Foreign Affairs Ministries. Adobe patched the weakness within a few days of its existence coming to light.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
