Categories: SecurityWorkspace

Yet Another Java Flaw Exploited In Attacks

Security firm FireEye has discovered yet another unpatched Java vulnerability that is being actively exploited by attackers to attack “multiple” systems.

“We detected a brand new Java zero-day vulnerability that was used to attack multiple customers,” said FireEye researchers Darien Kindlund and Yichong Lin in a blog post on Thursday. “Specifically, we observed successful exploitation against browsers that have Java v1.6 Update 41 and Java v1.7 Update 15 installed.”

Remote access

The vulnerability leads to arbitrary memory read and write access in a Java Virtual Machine process, according to FireEye. Upon exploitation it downloads a remote access tool called McRAT, which can be used to download further malicious code.

“The exploit is not very reliable, as it tries to overwrite a big chunk of memory,” the researchers wrote. “As a result, in most cases, upon exploitation, we can still see the payload downloading, but it fails to execute and yields a JVM crash.”

Kaspersky Lab confirmed on Friday that the exploit works against Java 7 Update 15, but does not work against older versions such as Java 7 Update 10. Kaspersky said the attacks appear to be targeted, but did not disclose further details as to who was being targeted.

“Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to ‘High’ and do not execute any unknown Java applets outside of your organisation,” FireEye advised.

The latest vulnerablity comes on the heels of a bug in the latest version reported by Polish security firm Security Explorations last week. That bug allows attackers to execute unsigned Java code to on a targeted Windows system regardless of the security control settings.

“Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with ‘Very High’ Java Control Panel security settings,” Adam Gowdiak, chief executive of Security Explorations, wrote in a posting on a Full Disclosure mailing list.

More bugs

Starting with SE 7 Update 10 (Java 7u10), Oracle added a new level of controls, he noted. For example, the company added the ability to disable any Java application running in the browser. The company also added the ability to set a security level of the user’s choosing for unsigned applets, Java Web Start applications and embedded JavaFX applications running in a browser as well as new dialogs to warn users when the JRE is insecure. These improvements, Gowdiak wrote, “don’t prevent silent exploits at all”.

“Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit,” he wrote. According to Security Explorations, Oracle confirmed it received the vulnerability report and that it will investigate it.

The increased frequency of these exploits has led Oracle to reduce the time between scheduled Java patches from four to two months and to set the security controls for Java applets in browsers to “High” by default.

Twitter, Facebook, Apple and Microsoft have all recently disclosed that their employees were hacked by targeted attacks using Java exploits. The exploits led Oracle to release an emergency, unscheduled security update on 1 February that fixed 50 flaws.

This was followed by another patch on 19 February. The next scheduled Java update is 16 April.

Are you a security pro? Try our quiz!

Originally published on eWeek.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

16 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

17 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

18 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

20 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

22 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

23 hours ago