Researchers who have dug into the exploit for the new Java CVE-2012-4681 vulnerability found that there are actually two previously unknown security bugs in Java 7 and that the exploit, which has been tied to attackers in China, is using both of them to get full control of vulnerable machines.
The Java vulnerability was first disclosed publicly on Sunday, and researchers have spent the last couple of days looking at the bug as well as the exploit code that’s been used in some of the attacks. What they found is that there are in fact two distinct zero-day vulnerabilities in the latest version of Java and that the known exploit uses them both.
“The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check,” Esteban Guillardoy of Immunity Inc. wrote in an analysis of the vulnerabilities.