Send to Kindle

JavaThere is a newly discovered zero day vulnerability in Java 7 that is being used in some targeted attacks right now. The vulnerability works against Internet Explorer and Firefox and researchers say that attackers are exploiting in the wild and installing a version of the Poison Ivy RAT on compromised systems.

The targeted attacks that are being launched right now are using an exploit from a site hosted in China, which is still up and running.  Once the exploit fires, the attack will install a dropper on the compromised PC called Dropper.MsPMs, which will then call out to another IP address on the same domain as the one serving the exploit.

The dropper executable is located on the same server: http://ok.XXX4.net/meeting/hi.exe. Dropper.MsPMs further talks to its own CnC domain hello.icon.pk which is currently resolving to an IP address 223.25.233.244 located in Singapore,” Atif Mushtaq at FireEye wrote in an analysis of the attack. 

The vulnerability is present in Java 7 and doesn’t affect earlier versions, researchers said. There is proof-of-concept exploit code circulating for the bug, and the folks at Metasploit also have developed a module that exploits the flaw. They said that their exploit works against a fully patched Windows 7 machine with Java 7 update 6 running. Their exploit also works against IE and Firefox on Windows Vista and XP and also against Chrome on Windows XP and Firefox on Ubuntu Linux 10.04.

Researchers at DeepEnd Research who looked at the vulnerability said that there is little indication of a successful exploit of this vulnerability.

It does not crash browsers, the landing page looks like a blank page, sometimes one may see a flash of a rotating Java logo and the word ‘Loading’,” Andre’ M. DiMino and Mila Parkour wrote. 

The massive installed base of Java makes this vulnerability a particularly serious one, as any Java zero day is, but the other factor in the mix is that Oracle uses a scheduled quarterly patch cycle, and the next one isn’t until mid-October. Unless the company issues an emergency patch, which is does rarely, the vulnerability will be fair game for attackers for nearly two months.

There is a third-party patch available for the vulnerability, available by request only from the folks at DeepEnd. In order to get the patch, organizations need to explain their need for it.

This is not an official patch and had limited testing. In general, it is best to disable Java in your browser or use Chrome.
 If you are in the environment where you must have Java with Internet Explorer, Firefox and Opera, email us at admin <at> deependresearch.org  from your company address with a brief explanation of the planned use and we will send you the download link,” DeepEnd said in its post.

Send to Kindle
Categories: Vulnerabilities

Comments (3)

  1. Mila
    1

    If you read the DeepEnd research article, you will see that the whole article is about how dangerous it is and how well it works. Effective exploits do not crash browsers and the fact that we said the browser does not crash, does not mean it does not work! 

    There is a detailed explaination of the patch in the end of the article and screenshots showing effects of the patched environment. The unofficial interim patch is available per request.

    Thank you, 

    Mila

  2. Jay
    3

    As Mac users have to go out of their way to install Java 7 (1.6) these is a very small chance of Mac users being infected. All version sof Mac OS come either with Java 6 (1.6) pre-installed and in the case of 10.7 and 10.8 when java is needed, 1.6 will be downloaded and installed for you. As this is a Java 7 (1.7) issue, for now everyone with Java 6 is safe from this bug.

Comments are closed.