Researchers who have dug into the exploit for the new Java CVE-2012-4681 vulnerability found that there are actually two previously unknown security bugs in Java 7 and that the exploit, which has been tied to attackers in China, is using both of them to get full control of vulnerable machines.
The Java vulnerability was first disclosed publicly on Sunday, and researchers have spent the last couple of days looking at the bug as well as the exploit code that has been used in some of the attacks. What they found is that there are in fact two distinct zero-day vulnerabilities in the latest version of Java and that the known exploit uses them both.
“The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check,” Esteban Guillardoy of Immunity Inc. wrote in an analysis of the vulnerabilities.
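The boundary the quoted analysis refers to is the Java sandbox's restricted-package check: under a SecurityManager, application code is not allowed to load classes from packages listed in the "package.access" security property, which on Java 7 and 8 includes the "sun." prefix. The following is an added example, not code from the article or from Immunity's analysis, that lets a practitioner confirm on their own JRE that sun.awt is on the restricted list and that an ordinary attempt to obtain a reference to sun.awt.SunToolkit is denied once a SecurityManager is installed. It assumes a Java 7 or 8 runtime (the class name RestrictedPackageCheck and the helper names are this example's own); later JDK releases deprecate and by default disable the SecurityManager, so the second check is not meaningful there.

```java
import java.security.Security;

// Added example (not from the article or Immunity's analysis). Demonstrates
// the sandbox restriction that the quoted analysis says the exploit bypassed:
// application code cannot load classes from packages named in the
// "package.access" security property while a SecurityManager is active.
// Assumption: Java 7 or 8 runtime with the default java.security file.
public class RestrictedPackageCheck {

    // Returns true if the given package is covered by the package.access list
    // (the list holds prefixes such as "sun.", matched against package names).
    static boolean isRestricted(String pkg) {
        String list = Security.getProperty("package.access");
        if (list == null) {
            return false;
        }
        for (String prefix : list.split(",")) {
            prefix = prefix.trim();
            if (!prefix.isEmpty() && pkg.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    // Attempts to obtain a class reference the way ordinary application code
    // would. With a SecurityManager installed, the application class loader
    // calls checkPackageAccess and this throws a SecurityException for
    // restricted packages; without one, the class loads normally.
    static String tryLoad(String className) {
        try {
            Class<?> c = Class.forName(className);
            return "loaded " + c.getName();
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        } catch (ClassNotFoundException e) {
            return "not found: " + className;
        }
    }

    public static void main(String[] args) {
        System.out.println("sun.awt listed in package.access: " + isRestricted("sun.awt"));
        System.out.println("without SecurityManager: " + tryLoad("sun.awt.SunToolkit"));

        // Install the default SecurityManager, as the applet sandbox does,
        // and repeat the attempt; on Java 7/8 this line is expected to be denied.
        System.setSecurityManager(new SecurityManager());
        System.out.println("with SecurityManager:    " + tryLoad("sun.awt.SunToolkit"));
    }
}
```

Compile and run it with `javac RestrictedPackageCheck.java && java RestrictedPackageCheck` on a Java 7 or 8 JRE; the first load succeeds and the second is reported as denied with an AccessControlException message. The point for a defender is that this check is what the sandbox relies on and what the two bugs together defeated, so the only effective response is to apply the vendor patch or keep Java disabled in the browser; no configuration of package.access helps against the bypass itself.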
Anonymous on
Dennis,
I've been watching this for a couple of days now and I can't find a definitive answer on the scope of the privilege elevation this exploit is running. Based on the early analysis, it looks as though the exploit is trying to drop and run a DLL in the windows/system32 path. On a hardened workstation this should fail under the user profile. What I can't determine is if the privilege escalation is to escape the v.7 "sandbox" granting the user's permissions, or does it allow system privilege?