WRITE ONCE PWN ANYWHERE

Critical flaw under active attack prompts calls to disable Java

Oracle's Java framework is once again under attack, thanks to a new vulnerability.

An exploit that FireEye researchers observed on Sunday being hosted on a domain named ok.XXX4.net.

A vulnerability in the latest version of Oracle's Java software framework is under active attack, and the damage is likely to get worse thanks to the availability of reliable exploit code that works on a variety of browsers and computer platforms, security experts warn.

The flaw in Java version 1.7 was reported on Sunday afternoon by FireEye security researcher Atif Mushtaq. A separate post published on Monday by researchers Andre M. DiMino and Mila Parkour said the number of attacks, which appear to install the Poison Ivy Remote Access Trojan, was low. But they went on to note that the typical delay in issuing Java patches, combined with the circulation of exploit code, meant it was only a matter of time until the vulnerability was exploited more widely by other attackers.

Members of Rapid7, the security company that helps maintain the open-source Metasploit exploit framework used by penetration testers and hackers, said they have already developed an exploit that works against Windows 7. They are in the process of testing it against the Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome browsers running on other operating systems, including Ubuntu Linux 10.04 and Windows XP. They went on to suggest that users should disable Java until a patch plugging the gaping hole is released.

"As a user, you should take this problem seriously, because there is currently no patch from Oracle," a Rapid7 exploit developer wrote in a blog post. "For now, our recommendation is to completely disable Java until a fix is available."

According to KrebsonSecurity reporter Brian Krebs, there are indications the exploit will also be rolled into BlackHole, an exploit kit that sells advanced and highly weaponized exploits in underground forums. Like the Rapid7 researcher, Krebs recommends end users uninstall Java altogether, advice we at Ars think is worth following for those who have no need for the cross-platform application. Those who need Java to run applications such as Open Office or Freemind can still protect themselves by disabling Java in their browser to prevent drive-by attacks on booby-trapped websites.

The zero-day vulnerability is only the latest to affect Java, which over the past few years has emerged as one of the apps most frequently exploited by malware operators, along with Adobe's Reader and Flash programs.

Oracle has yet to comment on the reports or say when it plans to fix the vulnerability. The next scheduled patch release isn't until the middle of October. DiMino and Parkour have issued an unofficial patch they said prevents exploits from working. But the use of such patches can create stability problems, and in any event, it's only available on a per-request basis, so end users should probably consider other ways to protect themselves against this threat.

Dave Maynor, CTO of penetration-testing firm Errata Security, said in his own blog post that the exploit code included in Metasploit "worked like a charm" against a Windows 7 installation he tested. He went on to say that the attack also worked reliably against a fully patched Ubuntu 12.04 Linux machine once he took the time to remove the OpenJRE app that was included by default and installed the run-time environment provided by Oracle.

"Another 10 for 10," Maynor wrote of the attack running on Linux. "This is a high quality exploit that I expect to get a lot of use out of!"

Maynor said a Mac running Apple's OS X was able to only partially execute the exploit code. Technical details concerning the underlying vulnerability remain scarce, except that, as noted in the comments below, it appears to allow an unsigned, unprivileged process to overwrite its own security context token using reflection. Multiple reports claim it doesn't affect Java 1.6 and earlier versions. Security firm AlienVault has also published a report on the vulnerability.

Post updated to include comments from Maynor, technical details, and to correct name of Errata Security blogger.
