Serious security flaw spotted in Java

The exploit has already been added to the popular Blackhole exploit toolkit used by cybercriminals, as well as to Cool Exploit Kit.

Published: 11 Jan 2013 | Last updated: 11 Jan 2013
 

Security researchers have discovered a new vulnerability in the widely deployed Java software that could allow attackers to infect a computer with malware.

US-CERT has issued an alert stating that Java 7 Update 10 and earlier versions contain an unpatched (zero-day) vulnerability that lets a remote attacker run arbitrary code on the victim's machine. No interaction beyond browsing is required: the attack is triggered when a user whose browser has the Java plug-in enabled visits a web page hosting the malicious Java code. Until a fix ships, the practical mitigation is to disable Java in the browser; Java 7 Update 10 added a Java Control Panel option for exactly that.
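An added example, not part of the original article or of US-CERT's alert: a small Python triage script that parses `java -version` banners collected from a host inventory and flags hosts in the range the alert describes (Java 7 Update 10 and earlier). The inventory below is constructed. Because the alert text quoted here names only Java 7, the script reports any banner it cannot parse, or any other major release, as "needs review" rather than marking it safe.

```python
import re

# Banner format printed by `java -version` (to stderr) on 2013-era builds:
#   java version "1.7.0_10"
# Legacy scheme is 1.<major>.0_<update>; the update number is what the
# US-CERT alert keys on ("Java 7 Update 10 and earlier").
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

# Affected range as stated on this page: Java 7 (1.7.0), Update 10 and earlier.
AFFECTED_MAJOR = 7
LAST_AFFECTED_UPDATE = 10


def parse_java_version(banner: str):
    """Return (major, update) from a `java -version` banner, or None if the
    banner does not use the legacy 1.x.0_u scheme (or is not a Java banner)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    lead, major, _patch, update = m.groups()
    if lead != "1":
        return None  # newer "9.0.1"-style numbering, out of scope for this check
    return int(major), int(update or 0)


def is_affected(banner: str):
    """True  -> Java 7, Update 10 or earlier (in the alert's affected range)
    False -> Java 7, Update 11 or later
    None  -> unparseable, or a major release the alert text does not name;
             treat as "check manually", never as "safe"."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    if major != AFFECTED_MAJOR:
        return None
    return update <= LAST_AFFECTED_UPDATE


# Constructed sample inventory (hypothetical host names): host -> banner line.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_10"',
    "ws-02": 'java version "1.7.0_09"',
    "ws-03": 'java version "1.7.0_11"',
    "ws-04": 'java version "1.6.0_38"',        # Java 6: not named by the alert text
    "ws-05": 'openjdk version "1.8.0_292"',    # later major release, different vendor banner
    "ws-06": 'bash: java: command not found',  # no Java found on the host
}


def triage(inventory):
    """Split an inventory into (affected, clear, needs_review) host lists."""
    affected, clear, review = [], [], []
    for host, banner in sorted(inventory.items()):
        verdict = is_affected(banner)
        if verdict is True:
            affected.append(host)
        elif verdict is False:
            clear.append(host)
        else:
            review.append(host)
    return affected, clear, review


if __name__ == "__main__":
    affected, clear, review = triage(SAMPLE_INVENTORY)
    print("affected (Java 7 <= u10):", affected)
    print("clear (Java 7 > u10):    ", clear)
    print("needs manual review:     ", review)
```

Feed it the first line of `java -version 2>&1` from each host; the redirect matters because Java prints the banner to stderr. Anything in the review bucket should be resolved by hand rather than assumed patched.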

Independent malware researcher Kafeine reported on his blog on Thursday that he had spotted the exploit "in the wild", already in extensive use in attacks, and shared samples of it with security companies. "This could be mayhem," he said. "I think it's better to make some noise about it."

Researchers at AlienVault Labs were able to reproduce the exploit on a fully patched, fresh installation of Java. "The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681," the researchers note, referring to the Java 7 zero-day exploited in the wild in August 2012.

Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, also confirmed the exploit. "We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well, we're currently analyzing whether other older updates are vulnerable," Botezatu is quoted by Computerworld as saying.

The exploit has already been added to the Blackhole exploit kit widely used by cybercriminals, as well as to Cool Exploit Kit, a more exclusive spin-off of Blackhole, Botezatu said.

"The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift' to customers who use his exploit kit," writes Krebs on Security's Brian Krebs. "Paunch bragged that his was the first to include the powerful offensive weapon, but shortly afterwards the same announcement was made by the maker and seller of Nuclear Pack."