FireEye has discovered an unpatched Java bug that is being used to actively attack systems
Security firm FireEye has discovered yet another unpatched Java vulnerability that attackers are actively exploiting against “multiple” systems.
“We detected a brand new Java zero-day vulnerability that was used to attack multiple customers,” said FireEye researchers Darien Kindlund and Yichong Lin in a blog post on Thursday. “Specifically, we observed successful exploitation against browsers that have Java v1.6 Update 41 and Java v1.7 Update 15 installed.”
The vulnerability gives an attacker arbitrary read and write access to memory inside the Java Virtual Machine process, according to FireEye. Once it succeeds, the exploit downloads a remote access tool called McRAT, which in turn can be used to fetch further malicious code.
“The exploit is not very reliable, as it tries to overwrite a big chunk of memory,” the researchers wrote. “As a result, in most cases, upon exploitation, we can still see the payload downloading, but it fails to execute and yields a JVM crash.”
Kaspersky Lab confirmed on Friday that the exploit works against Java 7 Update 15, but does not work against older versions such as Java 7 Update 10. Kaspersky said the attacks appear to be targeted, but did not disclose further details as to who was being targeted.
“Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to ‘High’ and do not execute any unknown Java applets outside of your organisation,” FireEye advised.
The latest vulnerability comes on the heels of a bug in the then-current release, Java 7 Update 11, reported by Polish security firm Security Explorations last week. That bug allows attackers to execute unsigned Java code on a targeted Windows system regardless of the Java security level setting.
“Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with ‘Very High’ Java Control Panel security settings,” Adam Gowdiak, chief executive of Security Explorations, wrote in a posting on a Full Disclosure mailing list.
Starting with Java SE 7 Update 10 (Java 7u10), Oracle added a new layer of controls, he noted. For example, the company added the ability to disable Java in the browser entirely, and the ability to set a security level of the user’s choosing for unsigned applets, Java Web Start applications and embedded JavaFX applications running in a browser, as well as new dialogs that warn users when the installed JRE is insecure. These improvements, Gowdiak wrote, “don’t prevent silent exploits at all”.
“Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit,” he wrote. According to Security Explorations, Oracle confirmed it received the vulnerability report and that it will investigate it.
The increased frequency of these exploits has led Oracle to shorten the interval between scheduled Java patches from four months to two and to set the default security level for Java applets in browsers to “High”.
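FireEye’s advice above (disable Java in the browser, or failing that set the security level to “High”) and the 7u10 controls Gowdiak describes can both be applied centrally rather than through the Java Control Panel on each machine. The following is an added example, not from the article, FireEye or Oracle: a system-level deployment.properties file for Java 7u10 or later. It assumes the file is the one named by the `deployment.system.config` key in the JRE’s deployment.config; the property names are Oracle’s documented deployment keys, and the `.locked` entries stop users from overriding them in the Control Panel.

```properties
# Added example, not code from the article or from FireEye/Oracle.
# Assumed: Java 7u10 or later (where these keys exist) and that this file
# is referenced as deployment.system.config from deployment.config.

# Mitigation 1 (preferred): turn the Java plug-in off in every browser.
# This is the only one of the two that also stops the "silent" applet
# exploits Gowdiak warns about, because no applet runs at all.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# Mitigation 2 (if browser Java must stay on): raise the applet security
# level. HIGH prompts before any unsigned applet runs; VERY_HIGH prompts
# before every applet, signed or not. Oracle made HIGH the default in 7u11.
deployment.security.level=HIGH
deployment.security.level.locked
```

Roll the file out with your usual configuration management and verify on a client that the Java Control Panel shows the corresponding options greyed out; if “Enable Java content in the browser” is still editable, the `deployment.config` pointer is wrong and the file is not being read. Note that disabling the plug-in leaves stand-alone Java applications and Java Web Start launched outside the browser unaffected, which is what FireEye’s “do not execute any unknown Java applets outside of your organisation” caveat covers.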
Twitter, Facebook, Apple and Microsoft have all recently disclosed that their employees were compromised in targeted attacks using Java exploits. Those attacks led Oracle to release an emergency, out-of-cycle security update on 1 February that fixed 50 flaws.
This was followed by another patch on 19 February. The next scheduled Java update is 16 April.
Originally published on eWeek.