A new fork of the Black Hole exploit kit is making quick work of a recently patched Java vulnerability and security researchers say that the attackers are registering new sites quickly to exploit users with vulnerable browsers.

The CVE-2012-1723 Java vulnerability that the Black Hole exploit kit is now targeting is a serious flaw. It’s a pre-authentication, remotely exploitable vulnerability that would give an attacker complete control of a compromised machine. It’s the worst sort of bug, especially when the flaw is present in an application such as Java that’s deployed on hundreds of millions of machines around the world. Oracle patched this vulnerability as part of its June critical patch update.

However, the availability of a patch, as we’ve seen over and over again through the years, does not mean that the vulnerability is no longer of use to attackers. Users and organizations can be slow to patch, and that can be a huge mistake with vulnerabilities of this kind. The presence of publicly available exploit code makes it all the more dangerous, and now, with the existence of a Balck Hole exploit targeting the Java flaw, things have become quite serious.

This is a vulnerability in the HotSpot bytecode verifier that has been present since at least Java 1.4. As most exploitable bytecode verifier flaws, it can be used to achieve type confusion,” researcher Michael Schierl wrote in an explanation of proof-of-concept exploit code he developed.

“To exploit this vulnerability, you need to craft a method with at least two different field access instructions referring to the same field, and have to force the method to be JITed while their verification is still deferred (i. e. you have to call the method a lot of times but make sure none of these executions touch those instructions, for example by passing a parameter that makes sure the method will end early in those executions). Then call it again for the effect.”

Researchers at Websense said that they’ve seen the Balck Hole exploit kit targeting this vulnerability and using a series of freshly registered domains to do the dirty work.

“In early July, an update has been issued to the Blackhole exploit kit targeting Java vulnerability CVE-2012-1723. The vulnerability could evade the JRE (Java Runtime Environment) sandbox and load additional Java classes in order to perform malicious actions,” Websense researchers said in a blog post. 

If you haven’t done so yet, now would be an opportune time to patch your Java plug-in, or disable it altogether. 

Categories: Malware, Vulnerabilities