Nasty New Java Zero Day Found; Exploit Kits Already Have It

UPDATE – Security experts are urging users to disable Java immediately after the discovery of another zero-day exploit that has been incorporated into the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.

UPDATE – Security experts are urging users to disable Java immediately after the discovery of another zero-day exploit that has been incorporated into the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.

According to a French researcher who uses the handle Kafeine, the exploits target the latest version of the Java platform, Java 1.7 Update 10. Jaime Blasco, manager at AlienVault Labs, said his team was able to reproduce the exploit on a fully patched Java install.

Kafeine refused to share any details on the vulnerability or exploit, while Blasco wrote on the AlienVault blog a short time ago that the exploit probably bypasses security checks in Java, “tricking the permissions of certain Java classes,” he said.

“This could be mayhem,” Kafeine said.

HD Moore, creator of Metasploit and CSO at Rapid7, told Threatpost the exploits are targeting a privilege escalation vulnerability in the MBeanInstantiator, as it exposes two classes which in turn expose the class loader. He expects a Metasploit module for this exploit to be ready today.

“Similar to previous bugs, it enables you to run Java code outside the sandbox, so the thing about that is that it’s not dependent on OS or platform. It will run the same exact code on Mac OS X, Windows or Linux,” Moore said. “The exploits going around are targeting Windows, but more than likely, we’ll see attacks for Mac like we did with the Flashback stuff last year.”

Moore said this one is similar to recent Java exploits.

“A lot of the recent Java exploits use a technique similar to this one where they find a class that’s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,” Moore said. “It’s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7. It’s already being used by all the bad guys and at this point, it’s just catch-up and how fast Oracle can respond.”

Moore cautioned that many organizations, for example, are still running Java 1.6 and it’s unclear whether the exploit affects that version yet.

“When they added 1.7 a year ago, there was so much code churn, a lot of these vulnerabilities came out of that,” Moore said. “Not because the code is any worse, but it’s a lot of new code that’s just now getting eyes looking at it.”

AlienVault’s Blasco said similar tactics were used in CVE-2012-4681, which was discovered last August. The vulnerability in Java 7u6 enabled attackers using a malicious Java applet to bypass security restrictions in Java to execute code remotely.

Oracle repaired the vulnerability in Java 7u7, released four days after the initial reports of the zero day.

Kafeine, meanwhile, has screenshots from the major exploit kits announcing the availability of the zero day. Security blogger Brian Krebs reported that Paunch, the hacker who sells the Blackhole kit, announced its availability yesterday on several hacker forums, calling it a “New Year’s Gift.” The people behind the Nuclear Pack soon followed suit. Paunch is believed to also manage the Cool Exploit Kit, home of the Reveton ransomware.

“At this point, it’s a question of taking it apart and figuring out what it’s doing,” Moore said. “The folks who built the exploit obfuscated large portions of it, so we’re still looking at it.”

For now, the only current mitigation is to disable Java. Oracle has yet to reply when it expects a patch; it has traditionally been slow to repair vulnerabilties, experts said.

“We’ve been telling folks to disable Java 10 times a year for the past couple of years now,” Moore said. “It’s really to the point where you should be telling people to keep it disabled all the time.”

Java is a prime target for exploit writers with a number of zero days targeting the platform in recent months. Attackers like Java because, as is the case with Adobe products such as Flash and Reader, the technology is installed everywhere. Unlike those products, Java still remains vulnerable on the desktop and exploits are usually reliable.

“A reliable Java exploit, even if it covers only 65 percent or 70 percent of the Java population, it’s still going to do a lot better than a Flash exploit that may have 100 percent saturation, but only 20 percent reliability,” Moore said. “That reliability and the fact it’s installed everywhere makes it a great target for folks who want to install code on machines.”

“Historically Sun and Oracle have been slow to patch. If you have the exploit, you still have a couple of weeks to keep using it before a fix gets out,” Moore said.

This article was updated to include comments from HD Moore and to clarify throughout.



Suggested articles


  • Anonymous on

    IMO, the problem isn't necessarily Java and it's exploits.  The problem is that IE runs Java anyway unless you use registry hacks.  Chrome blocks java, but doesn't give you a way to whitelist known good sites.

    there's always going to be some exploit, but browsers need to step up and give me the power to control those plugins more effectively.

  • Anonymous on

    What about Java 6 ? Has anybody tried the exploit on Java 6 ?
  • Anonymous on

    exploit doesnt work in java 6 because it relies on classes not available until java 7. but 6 has other vulnerabilities that haven't been patched i think. and they never will be.

  • Anonymous on


    Does this problem apply to Windows PCs? My bank advises that it doesn’t, but I’m skeptical about that!

  • Anonymous on

    what is the potential damage to a home pc if infected with this exploit?  I'm not clear on what it does

  • Anonymous on

    I am running Java 7 update 9 (64-bit) & Java 7 update 10 (32-bit).  I need these to trade with my discount stockbroker.  Or should I switch brokers so I can unable both Java platforms?  Tia, Dave - (a non-techie)

  • Anonymous on

    Another reason to use SandboxIE or other light virtual appliance that restricts what happens to the host computer.

  • Anthony Lai, VXRL on

    Even the current Java 1.7.11 is released, it still allows local exploitation and we could execute and pop up .exe like calc.exe via command line :-)

    The upgrade patch looks like blocking the browser call instead and it is a real intermediate solutions only.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.