Don’t expect any relief from the current assault on Java. A new sandbox-escape exploit targeting a vulnerability in the Java Runtime Environment has been integrated into both the Black Hole and Gong Da exploit kits, setting the stage for additional attacks, researchers said.
The exploit was initially discovered in the Cool Exploit Kit earlier this month, and a researcher who goes by the handle Kafeine told Threatpost that Paunch, the author of Black Hole, is likely behind the exploit.
Meanwhile, researcher Eric Romang wrote on his blog this week that Gong Da has been actively adding Java exploits for months, this one being the latest.
Romang found a website hosting the exploit; he said the site is still online. He said a JavaScript obfuscator, recognized by eight of 44 antimalware detectors on VirusTotal, was masking the malicious files hosted on the site and the presence of Gong Da.
In addition to the new exploit, which targets Java SE 7 Update 7 and earlier and was patched by Oracle in Java SE 7 Update 9, Gong Da also carries the Oracle Java Rhino exploit, a Java zero-day discovered in August, and two other Java exploits detailed in CVE-2012-1723 and CVE-2012-0507. Previous versions of Gong Da also included exploits for Adobe Flash Player and Windows Media Player vulnerabilities, but the new versions of the kit no longer include them.
Microsoft, meanwhile, published a detailed analysis of the new Java vulnerability and said the malware it has observed abuses a package access problem in the JRE configuration.
“This package access is important because, if some trusted code is exposed to the user, it can be abused to break the Java security model. Those packages usually contain critical operations that should not be performed from untrusted code like unsigned Java applets,” said Jeong Wook Oh, a security researcher with Microsoft’s Malware Protection Center. “These operations are usually about arbitrary class loading and method invoking inside the trusted code area.”
Oh said packages such as com.sun.org.glassfish.gmbal were exposed to untrusted Java applets. Applets that are not signed run in the sandbox, which prevents questionable code from running in a trusted environment. “However, when some dangerous packages are exposed to untrusted code, the malicious code can access packages that can be abused to create the user’s own class on the fly with escalated privileges,” Oh wrote.
In addition to privilege escalation and the ability to hop out of the sandbox, the malicious payload also disables the Java security managers, which allows the malware to create files and processes on the user’s system.
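The restriction Oh refers to lives in the JRE's java.security file as the package.access property; a package absent from that list is reachable from an unsigned applet. The following audit helper is an added example, not code from the article, Microsoft or Oracle: the java.security fragment is constructed, the function names are hypothetical, and the prefix comparison mirrors the test SecurityManager.checkPackageAccess applies.

```python
"""Check whether a Java package is covered by the package.access restriction
list of a java.security configuration file (hypothetical defender-side helper).
"""


# Constructed java.security fragment for demonstration only; a real file
# carries many more properties and restriction entries.
SAMPLE_JAVA_SECURITY = """\
# Security properties file (constructed sample)
security.provider.1=sun.security.provider.Sun
package.access=sun.,\\
               com.sun.xml.internal.,\\
               com.sun.imageio.,\\
               com.sun.org.apache.xerces.internal.utils.
package.definition=sun.,\\
               com.sun.xml.internal.
"""


def parse_security_property(text: str, name: str) -> list[str]:
    """Return the comma-separated entries of property `name`, honouring the
    trailing-backslash line continuations used in java.security."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith(name + "="):
            value = line[len(name) + 1:]
            while value.endswith("\\") and i + 1 < len(lines):
                i += 1
                value = value[:-1] + lines[i].strip()
            return [e.strip() for e in value.split(",") if e.strip()]
        i += 1
    return []


def is_package_restricted(pkg: str, restricted: list[str]) -> bool:
    """Same rule as checkPackageAccess: restricted if the package starts with
    a listed prefix, or the listed entry equals the package plus a dot."""
    return any(pkg.startswith(r) or r == pkg + "." for r in restricted)


def audit(text: str, packages: list[str]) -> dict[str, bool]:
    """Map each package name to True (restricted) or False (exposed)."""
    restricted = parse_security_property(text, "package.access")
    return {p: is_package_restricted(p, restricted) for p in packages}


if __name__ == "__main__":
    probe = ["com.sun.org.glassfish.gmbal", "sun.misc", "com.sun.xml.internal"]
    for pkg, ok in audit(SAMPLE_JAVA_SECURITY, probe).items():
        print(f"{pkg}: {'restricted' if ok else 'EXPOSED to untrusted code'}")
```

Running it against a real installation means reading `$JAVA_HOME/lib/security/java.security` instead of the constructed sample; any package the audit reports as exposed is one an unsigned applet can reach.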
Oh confirmed that only Java 7 Update 7 is vulnerable. He said the malware did not exploit Java 6, regardless of patch status, which may be why malware samples exploiting this vulnerability are usually bundled with a series of other Java exploits.