UPDATE – Security experts are urging users to disable Java immediately after the discovery of another zero-day exploit that has been incorporated into the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.
According to a French researcher who uses the handle Kafeine, the exploits target the latest version of the Java platform, Java 1.7 Update 10. Jaime Blasco, manager at AlienVault Labs, said his team was able to reproduce the exploit on a fully patched Java install.
Kafeine refused to share any details on the vulnerability or exploit. Blasco, writing on the AlienVault blog a short time ago, said the exploit probably bypasses security checks in Java by “tricking the permissions of certain Java classes.”
“This could be mayhem,” Kafeine said.
HD Moore, creator of Metasploit and CSO at Rapid7, told Threatpost the exploits are targeting a privilege escalation vulnerability in the MBeanInstantiator, as it exposes two classes which in turn expose the class loader. He expects a Metasploit module for this exploit to be ready today.
“Similar to previous bugs, it enables you to run Java code outside the sandbox, so the thing about that is that it’s not dependent on OS or platform. It will run the same exact code on Mac OS X, Windows or Linux,” Moore said. “The exploits going around are targeting Windows, but more than likely, we’ll see attacks for Mac like we did with the Flashback stuff last year.”
Moore said this one is similar to recent Java exploits.
“A lot of the recent Java exploits use a technique similar to this one where they find a class that’s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,” Moore said. “It’s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7. It’s already being used by all the bad guys and at this point, it’s just catch-up and how fast Oracle can respond.”
Moore cautioned that many organizations are still running Java 1.6, and it is not yet clear whether the exploit affects that version.
“When they added 1.7 a year ago, there was so much code churn, a lot of these vulnerabilities came out of that,” Moore said. “Not because the code is any worse, but it’s a lot of new code that’s just now getting eyes looking at it.”
AlienVault’s Blasco said similar tactics were used in CVE-2012-4681, which was discovered last August. The vulnerability in Java 7u6 enabled attackers using a malicious Java applet to bypass security restrictions in Java to execute code remotely.
Oracle repaired the vulnerability in Java 7u7, released four days after the initial reports of the zero day.
Kafeine, meanwhile, has screenshots from the major exploit kits announcing the availability of the zero day. Security blogger Brian Krebs reported that Paunch, the hacker who sells the Blackhole kit, announced its availability yesterday on several hacker forums, calling it a “New Year’s Gift.” The people behind the Nuclear Pack soon followed suit. Paunch is believed to also manage the Cool Exploit Kit, home of the Reveton ransomware.
“At this point, it’s a question of taking it apart and figuring out what it’s doing,” Moore said. “The folks who built the exploit obfuscated large portions of it, so we’re still looking at it.”
For now, the only mitigation is to disable Java. Oracle has yet to reply on when it expects to release a patch; it has traditionally been slow to repair vulnerabilities, experts said.
“We’ve been telling folks to disable Java 10 times a year for the past couple of years now,” Moore said. “It’s really to the point where you should be telling people to keep it disabled all the time.”
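Before an organization can act on the advice above, it needs to know which hosts are running Java and which version. The script below is an added example, not code from the article or from any of the researchers quoted; it builds that inventory from web-proxy logs. It relies on the fact that the JRE's own HTTP client identifies itself with a User-Agent of the form "Java/<version>" (for example "Java/1.7.0_10") when an applet or Web Start application fetches resources, and it assumes a proxy log format of host, method, URL and quoted User-Agent per line. The log lines are constructed for the example. Hosts on any 1.7 build are flagged for "disable-java", since the article reports the exploit working against fully patched 7u10 with no fix available; hosts on 1.6 are flagged "at-risk-unknown", reflecting Moore's caution that impact on that version is unclear.

```python
"""Inventory Java runtime versions seen in web-proxy logs (added example).

Assumes each log line is: <client-host> <method> <url> "<User-Agent>".
Relies on the JRE HTTP client's User-Agent "Java/<java.version>".
"""
import re
from collections import defaultdict

# Constructed sample log lines - not real traffic.
SAMPLE_LOG = """\
10.0.0.12 GET http://intranet.example/app.jnlp "Java/1.7.0_10"
10.0.0.12 GET http://intranet.example/lib.jar "Java/1.7.0_10"
10.0.0.33 GET http://intranet.example/lib.jar "Java/1.6.0_37"
10.0.0.41 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
10.0.0.57 GET http://intranet.example/lib.jar "Java/1.7.0_07"
"""

# host, method, url, then the quoted User-Agent
UA_RE = re.compile(r'^(?P<host>\S+)\s+\S+\s+\S+\s+"(?P<ua>[^"]*)"')
# "Java/1.7.0_10" -> major 1, minor 7, patch 0, update 10 (update is optional)
JAVA_RE = re.compile(
    r"^Java/(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:_(?P<update>\d+))?"
)


def parse_java_version(ua):
    """Return (major, minor, patch, update) for a 'Java/...' User-Agent, else None."""
    m = JAVA_RE.match(ua)
    if not m:
        return None
    return tuple(int(m.group(g) or 0) for g in ("major", "minor", "patch", "update"))


def classify(version):
    """Map a JRE version to a defender action, following the article's reporting."""
    major, minor, _, _ = version
    if (major, minor) == (1, 7):
        # Exploit works against fully patched 7u10 and no fix is out yet,
        # so the only mitigation for any 1.7 host is to disable Java.
        return "disable-java"
    if (major, minor) == (1, 6):
        # Impact on 1.6 is unclear; treat as at risk until Oracle clarifies.
        return "at-risk-unknown"
    return "review"


def inventory(log_text):
    """Return {host: (version_string, action)} for every host seen using Java."""
    result = {}
    for line in log_text.splitlines():
        m = UA_RE.match(line)
        if not m:
            continue
        version = parse_java_version(m.group("ua"))
        if version is None:
            continue  # browser or other non-Java client
        vstr = "%d.%d.%d_%02d" % version
        result[m.group("host")] = (vstr, classify(version))
    return result


def summarize(inv):
    """Count hosts per action so the scale of the problem is visible at a glance."""
    counts = defaultdict(int)
    for _, action in inv.values():
        counts[action] += 1
    return dict(counts)


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for host, (ver, action) in sorted(inv.items()):
        print("%-12s Java %-10s %s" % (host, ver, action))
    print(summarize(inv))
```

On the sample data this reports two hosts on 1.7 builds to disable and one 1.6 host of unknown status, while the Firefox-only host is ignored. Because the Java client only sends this User-Agent when it fetches something through the proxy, the inventory is a lower bound; it is most useful run over a period long enough to catch the applets and Web Start applications the organization actually uses.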
Java is a prime target for exploit writers with a number of zero days targeting the platform in recent months. Attackers like Java because, as is the case with Adobe products such as Flash and Reader, the technology is installed everywhere. Unlike those products, Java still remains vulnerable on the desktop and exploits are usually reliable.
“A reliable Java exploit, even if it covers only 65 percent or 70 percent of the Java population, it’s still going to do a lot better than a Flash exploit that may have 100 percent saturation, but only 20 percent reliability,” Moore said. “That reliability and the fact it’s installed everywhere makes it a great target for folks who want to install code on machines.”
“Historically Sun and Oracle have been slow to patch. If you have the exploit, you still have a couple of weeks to keep using it before a fix gets out,” Moore said.
This article was updated to include comments from HD Moore and to clarify throughout.