Skip Links

Java zero-day vulnerability actively exploited by attackers

The exploit for an unpatched Java vulnerability was added in popular attack toolkits, security researchers say

By Lucian Constantin, IDG News Service
January 10, 2013 03:35 PM ET

IDG News Service - An exploit for a previously unknown and currently unpatched vulnerability in Java is being used by cybercriminals to infect computers with malware, according to security researchers.

An independent malware researcher who uses the online moniker Kafeine reported the existence of the exploit "in the wild" -- being actively used in attacks -- on his blog on Thursday.

Symantec links latest Microsoft zero-day with skilled hacker gang

Attackers are using such exploits to silently install malware on the computers of users who visit compromised websites, in what are known as drive-by download attacks.

The researcher is sharing samples of the exploit with security companies only. "This could be mayhem," he said. "I think it's better to make some noise about it."

"We can confirm that this is a new vulnerability," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well, we're currently analyzing whether other older updates are vulnerable."

As far as Bitdefender's tests showed, the exploit is specific to Java 7, Botezatu said.

Researchers from security firm AlienVault also confirmed that the exploit works against a fully patched installation of Java 7. The exploit uses similar tricks to bypass Java security restrictions as a different Java exploit that was used by cybercriminals in August 2011, Jaime Blasco, manager of the AlienVault Labs, said Thursday in a blog post.

The exploit has already been added to the popular Blackhole exploit toolkit used by cybercriminals, as well as to Cool Exploit Kit, a more exclusive spin-off of Blackhole, Botezatu said. "Other reports mention that it has also made it in Redkit [a different exploit toolkit], but we can't confirm the information at the moment."

"I've seen samples from Cool EK [exploit kit] and Blackhole EK but it seems it has been also included into Nuclear Pack and Redkit," Jaime Blasco, manager of the AlienVault Labs, said via email. Blasco believes that an exploit will also be added to the popular open source Metasploit penetration testing tool soon, as happens with most zero-day exploits -- exploits for unpatched vulnerabilities.

Using packet captures for the traffic associated with the new Java exploit, Bitdefender researchers were able to trace back some attacks to Jan. 7. However, the company's researchers believe that the attacks probably started on Jan. 2 or 3, Botezatu said.

"The 0-day attack code that was spotted in the wild today is yet another instance of Java security vulnerabilities that stem from insecure implementation of the Java Reflection API," said Adam Gowdiak, the founder of Security Explorations, a Polish security company that specializes in Java vulnerability research.

The new issue is a combination of two vulnerabilities, he said. One of them abuses the new Reflection API in order to bypass Oracle's October patch for a different issue that Security Explorations reported to the company on Aug. 31, Gowdiak said.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News