New security problem for Oracle Java software

Pierluigi Paganini January 12, 2013

The year is start way for Oracle Java platform, a new Java 0-day vulnerability has been discovered and worldwide security community is very concerned on the potential effect of the bug. We have discovered how much dangerous could be the exploit of a zero-day vulnerability especially against institutional targets and governments (e.g. Elderwood project), state-sponsored hackers could use it for dangerous cyber incursions.

The vulnerability allows an hacker to take control of victim’s machines, Java 7 Update 10 and earlier version contain a vulnerability that can allow a remote attacker to execute arbitrary code on user’s pc, The “Malware Don’t Need Coffee” blog posted an interesting article titled “0 day 1.7u10 (CVE-2013-0422) spotted in the Wild – Disable Java Plugin NOW !”. The title gives an idea of the high impact of the news and of course the risky consequences for millions of users unaware of the problem.

The news has been also confirmed by security expert at AllienVault Labs that posted on their web site the following declaration:

“The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks  tricking the permissions of certain Java classes as we saw in CVE-2012-4681 . Right now the only way to protect your machine against this exploit is disabling the Java browser plugin.”

Unfortunately in the underground are already available exploits that exploit the vulnerability, the popular exploits packs the BlackHole Exploit Kit and the Nuclear Pack Kit already include the needed code. Easy to predict that soon it will be available a specific module for  Metasploit framework to exploit the vulnerability. ‘Paunch,’, the creator of Blackhole, announced that the Java zero-day was a ‘New Year’s Gift,’ to its client that acquire exploit kit.

Nuclear Pack exploit

The hackers news magazine reports:

“This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.” This exploit is already available in two Exploit Packs, that is available for $700 a quarter or $1,500 for a year. Similar tactics were used in CVE-2012-4681, which was discovered last August. Source of this new Exploit available to download Here.”

How the exploit works?

Blackhole kit is installed on a compromised websites and exploits vulnerabilities of user’s browsers to inject malicious code into victim’s machine when he visits the site.

Just yesterday The U.S. Department of Homeland Security invited to users to disable Oracle Java software due the possible effects of the exploit of the vulnerability still unfixed.

“We are currently unaware of a practical solution to this problem,” the Department of Homeland Security’s Computer Emergency Readiness Team announced in a post on its website published this week.

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” “To defend against this and future Java vulnerabilities, disable Java in Web browsers.”

Let’s see how long does it take for Oracle to release a patch!

Pierluigi Paganiniù

UPDATE

 

Oracle says it has repaired a security flaw in its Java software that inspired a rare call from the Department of Homeland Security, advising consumers to disable the software entirely.  On Sunday afternoon, Oracle released a patch for the critical vulnerability, which could be exploited to install and execute malicious code on unguarded systems. And not a moment too soon. By the end of last week, security researchers had already spotted malware designed to exploit it in the wild. Some theorized the flaw potentially put more than 850 million PCs at risk.



you might also like

leave a comment