First Java zero-day of 2013 implemented into exploit kits

News by Dan Raywood

Warnings have been made about a zero-day threat in Java that is reportedly being exploited in the wild.


It was spotted by researcher Kafeine, who initially held off on disclosing the flaw until it was acknowledged elsewhere, but then released his research after deciding it was necessary because the exploit could "cause mayhem".

The flaw would allow a context-dependent attacker to execute arbitrary code on a user's system using specially crafted Java content, for example when it is embedded into a web page.

One of those to talk about the flaw was security blogger Brian Krebs, who said that the authors of exploit kits Blackhole and Nuclear Pack had added the exploit.

He said: “The curator of Blackhole, a miscreant who uses the nickname ‘Paunch’, announced yesterday on several Underweb forums that the Java zero-day was a ‘New Year's Gift’ to customers who use his exploit kit. Paunch bragged that his was the first to include the powerful offensive weapon, but shortly afterwards the same announcement was made by the maker and seller of Nuclear Pack.”

Krebs repeated his advice to disable Java if it is not needed. Oracle had not commented at the time of writing.

As well as being implemented into the Blackhole and Nuclear Pack exploit kits, the exploit's source code has been posted on Pastebin and a module has been integrated into Metasploit.

According to Trustwave SpiderLabs' preliminary analysis, the zero-day uses a tactic similar to CVE-2012-5088, which Oracle patched last October.

Jaime Blasco, head of labs at AlienVault, said: “With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. We tricked the malicious Java applet into executing calc.exe in our lab.

“The Java file is highly obfuscated, but based on the quick analysis we did, the exploit is probably bypassing certain security checks by tricking the permissions of certain Java classes, as we saw in CVE-2012-4681. Right now the only way to protect your machine against this exploit is disabling the Java browser plug-in. Let's see how long it takes for Oracle to release a patch.”

Wolfgang Kandek, CTO of Qualys, said: “Since there is no patch available, IT administrators should look into the option of disabling Java in the browser. This process has been made easier in the most recent version of Java 7 by including the option in the Java Control Panel.”

Kaspersky Lab's Kurt Baumgartner said that while there doesn't appear to be a high level of server-side polymorphic obfuscation in the class files themselves, the hosted exploit files are being updated and have changed since they were initially detected.

He said: “The first appearance of the exploit's prevention in our KSN community seemed to be January 6th but as we dig back further, we find related samples from mid-December.

“We have seen ads from legitimate sites, especially in the UK, Brazil and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java zero-day. These sites include weather sites, news sites, and of course, adult sites.”
