Oracle on Thursday released a new version of Java that included a fix for the CVE-2012-4681 vulnerability that has been used in limited targeted attacks in the last couple of weeks. The release of Java 7 update 7 comes about four days after the Java flaw was publicly disclosed, but several months after researchers say they notified Oracle of the problem.
Oracle didn’t release a security advisory or acknowledge the vulnerability until releasing the new version, along with some release notes today. Security researchers say that the new version of Java prevents existing exploit code from working. Attackers have been using the Java vulnerability, which actually comprises two separate bugs, in attacks since at least early last week and many of the attacks have resulted in the installation of the Poison Ivy RAT, giving the attackers remote access to the machines.
The release notes for the Java 7 update contain a reference to the CVE-2012-4681 vulnerability and says that it’s fixed in the new version.
“These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system,” Oracle’s security advisory said.
“Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 ‘in the wild,’ Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”
Researchers at Polish firm Security Explorations said this week that they disclosed the two Java flaws in CVE-2012-4681 to Oracle about four months ago, but no patch was forthcoming until this week. Researchers at Immunity Inc. said that their analysis of the new Java version shows that there were actually four security flaws fixed in Java 7 update 7.
“The two vulnerabilities used in the exploit were located in com.sun.beans.finder.ClassFinder and com.sun.beans.finder.MethodFinder,” Esteban Guillardoy of Immunity wrote in an analysis.
“The update also patched at least another 2 other vulnerabilities that were basically the same but related to Constructors and Fields and allowed an attacker to get any public constructor or any public field via reflection bypassing security checks. These two ‘new’ vulnerabilities patched combined with the MethodFinder weakness could allow you to bypass the Sandbox and obtain full execution on Linux, Windows and MacOSX. ”
When the vulnerabilities became public knowledge on Sunday, researchers said that there already were targeted attacks exploiting the bugs. The early attacks have been traced to China and researchers found that one of the groups using the bugs was behind the so-called Nitro attacks against chemical companies and defense contractors last year. The group is using the same command-and-control infrastructure in the new wave of attacks.