The reported zero-day exploit in Java targets two unpatched vulnerabilities in Java 7 and has been added to the Blackhole exploit kit.
Research by penetration testing company Immunity found that the exploit chains two unpatched vulnerabilities in Java 7. Developer Esteban Guillardoy said that one is used to obtain a reference to the ‘sun.awt.SunToolkit’ class and the other is used to invoke the public ‘getField’ method on that class.
Guillardoy said: “The beauty of this bug class is that it provides 100 per cent reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years.
“The exploit is making use of the java.beans.Expression, which is a java.beans.Statement subclass. There are two Expression instances that are used to trigger these two different bugs.”
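As an added example, not from the article or from Immunity, the following Python scanner takes the defender's side of the description above: it parses the constant pool of a Java class file and flags any class that references the names the exploit chain relies on (`sun/awt/SunToolkit`, `java/beans/Expression`, `getField`). The two class files it checks are constructed in the script; the name set is a triage heuristic, since legitimate code can also use `java.beans.Expression`.

```python
import struct

# Fixed payload size (bytes) per constant-pool tag; Utf8 (tag 1) is variable and parsed separately.
# Long (5) and Double (6) occupy two pool slots per the JVM specification.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Triage indicators taken from the article's description of the exploit chain.
SUSPICIOUS = {"sun/awt/SunToolkit", "java/beans/Expression", "getField"}

def constant_pool_strings(data: bytes) -> set:
    """Return every CONSTANT_Utf8 string in a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", data[8:10])[0]   # constant_pool_count (entries + 1)
    pos, idx, found = 10, 1, set()
    while idx < count:
        tag = data[pos]; pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then modified-UTF-8 bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            found.add(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in CP_SIZES:
            pos += CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1
    return found

def scan_class(data: bytes) -> set:
    """Return the subset of SUSPICIOUS names the class file references."""
    return constant_pool_strings(data) & SUSPICIOUS

def build_class(entries) -> bytes:
    """Constructed fixture: a minimal class file whose pool holds the given (tag, payload) entries."""
    slots = sum(2 if tag in (5, 6) else 1 for tag, _ in entries)
    pool = b"".join(bytes([tag]) + payload for tag, payload in entries)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, slots + 1)  # major 51 = Java 7
    trailer = struct.pack(">HHHHHHH", 0x21, 1, 2, 0, 0, 0, 0)  # flags, this, super, empty tables
    return header + pool + trailer

def utf8(s: str):
    return (1, struct.pack(">H", len(s)) + s.encode())

# Constructed samples: one ordinary class, one referencing the exploit chain's names.
BENIGN = build_class([utf8("Hello"), utf8("java/lang/Object"), (5, b"\x00" * 8), (7, b"\x00\x02")])
SUSPECT = build_class([utf8("Applet"), (5, b"\x00" * 8), utf8("sun/awt/SunToolkit"),
                       utf8("java/beans/Expression"), utf8("getField")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, sorted(scan_class(blob)))
```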
First reported yesterday, the zero-day Java exploit affects most versions of the Java Runtime Environment, including the most recent release, and researchers are tracking it.
According to media reports, the exploit has been added to both the Metasploit tool and Blackhole. Security blogger Brian Krebs said that the curator of Blackhole, ‘Paunch’, confirmed that the now-public exploit code worked nicely and said that he planned to incorporate it into Blackhole as early as today. Paunch confirmed that if it were sold privately, the price of such an exploit would be about $100,000.
One of the first reports on the exploit came from FireEye. Atif Mushtaq of the FireEye Malware Intelligence Lab said that it had seen the “first indication of a large scale attack”, having observed over a dozen domains actively attacking systems with this exploit so far, a number that is increasing rapidly.
He said: “After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands. Almost all of the domains are hosting multiple exploits. If nothing else works, the new Java zero-day kicks in and all of a sudden the machine is compromised.”
Java's owner Oracle is not due to release its next batch of patches until 16th October, despite every major browser being susceptible to the attack. An Oracle spokesman did not immediately respond to a request for comment.
Nearly all security experts recommend that users disable or uninstall Java in the browser to protect themselves. An unofficial patch is available upon request from DeepEnd Research.
Mushtaq said: “It's very disappointing that Oracle hasn't come forward and announced a date for an emergency update patch. Once again I strongly recommend if it is not critical, uninstall the JRE plug-in from your browser.
“Users of Mac and Linux might choose OpenJDK, an open source implementation of the JRE provided by Oracle. If uninstallation is not an option, then in order to avoid accidental visits to attacker websites, a user might choose to use iOS devices that are not affected by this exploit.”
Krebs said: “Note that regressing to the latest version of Java 6 (Java/JRE 6 Update 34) is certainly an option, but not a very good one either. If you do not need Java, get rid of it, and if you do need it for specific applications or sites, limit your use of Java to those sites and applications, using a secondary browser for that purpose.”