After news broke on Thursday that a new Java 0-day vulnerability had been discovered, and was already being included in multiple popular exploit kits, two new important tidbits have come in on Friday. Firstly, this whole fiasco could have been avoided if Oracle had properly patched a previous vulnerability. Furthermore, not only is the vulnerability being exploited in the wild, but it is being used to push ransomware.
The 0-day code would not have worked if Oracle had properly addressed an old vulnerability, according to Security Explorations, the security firm responsible for identifying most of the latest Java vulnerabilities. Back in late August 2012, the company informed Oracle about the insecure implementation of the Reflection API, dubbed Issue 32, and Oracle released a patch for it in October 2012, but the fix wasn’t a complete one.
“The company had released a fix for Issue 32 in Oct 2012,” Security Explorations CEO Adam Gowdiak wrote on Bugtraq mailing list. “However, it turns out that the fix was not complete as one can still abuse invokeWithArguments method to setup calls to invokeExact method with a trusted system class as a target method caller. This time the call is however done to methods of new Reflection API (from java.lang.invoke.* package), of which many rely on security checks conducted against the caller of the target method.”
The Polish security researcher went on to criticize Oracle later in the message:
This is not the first time Oracle fails to “sync” security of Core and new Reflection APIs. Just to mention the Reflection API filter. This is also not the first time Oracle’s own investigation / analysis of security issues turns out to be not sufficiently comprehensive.
We noted yesterday that the two most popular Web threat tools used by hackers to distribute malware, the BlackHole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK), already included the latest Java exploit. Before we dive in to how CEK is already being used to push ransomware, here’s a bit of background information.
Created by the same guy, CEK is the high-end version of BHEK ($10,000 per month versus $1,500 per year). 0-day exploits are first incorporated into the former and only added into the latter once they have been disclosed.
For those who don’t know, ransomware is a very profitable type of threat which restricts access to the computer it infects, spamming the user with prompts that demand a ransom paid for functionality to be reinstated. Access is limited either by encryption or locking the system.
CEK has been used to distribute ransomware before, but now it’s also using this latest Java vulnerability to do so. Trend Micro has detected the exploits in question as JAVA_EXPLOIT.RG and HTML_EXPLOIT.RG, as well as the ransomware payloads as Reveton (TROJ_REVETON.RG and TROJ_REVETON.RJ).
“Reveton is one of the most common ransomware threats in existence today; these lock user systems and show spoofed notifications from local police agencies,” Trend Micro says. “These inform users that to unlock their system, they must pay a fine ranging from $200 to $300.”
Since our report yesterday, we have yet to hear from Oracle about this issue. Until the company provides guidance or issues a patch, we recommend uninstalling Java if you don’t need it and disabling it if you do.
Image credit: Bob Smith