Exploit Tools Armed To Attack New Java Flaw

Two exploit kits begin attacks on systems unpatched against new cross-platform Java flaw

Security researchers have discovered that exploit kits are being updated with a recently discovered Java vulnerability, enabling the flaw to be widely exploited.

Researchers from M86 Security found that the Blackhole and Phoenix exploit kits are now capable of attacking systems using the CVE-2011-3544 vulnerability.The flaw, a design error in Java, allows untrusted code to be executed at an elevated level of privileges, according to M86 Security researcher Daniel Chechik.

Design error

“An attacker can bypass the scripting engine protection by generating an error object, using Rhino script, which runs in elevated privileges and executing code that disables the Security Manager,” Chechik wrote in a blog post. “Once the Security Manager is disabled, the attacker can execute code with full permissions.”

Rhino is a Javascript engine that runs under the Java Virtual Machine and can interact with Java applets, according to Chechik, who also confirmed that  M86 Security had found that the exploit has already been added into Blackhole version 1.2.1 and Phoenix version 3.0..

Chechik said it is unusual for an exploit to make its way into such kits so quickly as they normally rely on older bugs that have already been patched, depending upon system administrators’ laxity to ensure a ready supply of vulnerable systems.

In this case, however, the exploit kits were updated with the CVE-2011-3544 flaw more quickly and the updated version of Blackhole was released even before the flaw was patched.

Cross-platform

“The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits,” said Chechik. “The concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor.”

A patch has now been released by Oracle, but systems are still at risk until the patch has been applied.

“We highly encourage users to keep their Java updated, or remove it if it is not needed,” Chechik wrote. “A patch for this Java vulnerability is available by now: Look for Java 6 Update 29, or Java 7 Update 1.”