It’s been nearly two months since Oracle patched the CVE-2012-1723 Java vulnerability, a serious remote pre-authentication flaw that’s present in the Java Runtime Environment. It’s taken a little time, but the attacker community has decided that this bug deserves some serious attention, and as a result, attacks trying to exploit it have ramped up significantly in recent weeks.
The first malware samples that were exploiting this vulnerability started appearing about a month ago, but it was just in dribs and drabs. But by the second week of July, the number of attacks on CVE-2012-1723 began to take off dramatically. Microsoft researchers compiled statistics that show the volume of malware targeting the Java flaw really took off around July 10, and, with some peaks and valleys in the interim, is still quite high now.
The vulnerability itself is in a JRE sub-component called Hotspot and attackers who are able to exploit it will have the ability to execute arbitrary code on the target machine.
“The issue is in the optimization performed when a field inside the class is accessed. A static field with a ClassLoader orObject type and bunch of instance-fields with custom data type is a strong indication of exploitation. A bunch of instance-fields are a buffer area where a type-confused object is retrieved,” Jeong Wook Oh of the Microsoft Malware Protection Center said in an analysis of the attacks.
An oddity with this vulnerability is that attackers don’t have the ability to disguise what they’re doing with their exploits in this case. Oh said that because attackers need to build a Java class with some specific attributes, it’s relatively easy for analysts to see what’s going on.
“Java-based malware could use a Java-reflection feature to obfuscate vulnerable class and methods loading code when the vulnerability is inside specific class and methods — for example, CVE-2012-0507 was related toAtomicReferenceArray class. The loading of AtomicReferenceArray class itself can be obfuscated and you can’t easily tell whether it is loading the specific class at all just by looking into the Java code. This makes the whole malware analysis process more time-consuming,” Oh said.
“For this vulnerability, attackers can’t obfuscate the core exploit part easily. As we explained with Figure 3, the attackers need to create a class with specific features like static field member with ClassLoader type or Objecttype. And bunch of instance fields follows. It has specific code pieces to run which looks like the code shown in Figure 4. Java doesn’t provide ways to obfuscate this class structure itself, so the code pattern stands out. You can easily identify the pattern just by statically investigating the code.”