A new Java 0-day vulnerability is being exploited in the wild. If you use Java, you can either uninstall or disable the plugin to protect your computer, or set your Java security settings to “High” and try to avoid running malicious applets.
This latest flaw was first discovered by security firm FireEye, which says it has already been used “to attack multiple customers.” The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed, the latest versions of Oracle’s plugin.
This confirms the flaw is indeed a 0-day. For those who don’t know, “0-day” or “zero-day” refers to a security hole that has not been publicly disclosed yet, and so doesn’t have a patch available.
Oracle released Java SE 6 Update 41 and Java SE 7 Update 15 on February 19, addressing five security fixes. This was a scheduled release, but it followed a previous emergency update that addressed 50 vulnerabilities. In February, Java exploits resulted in computers being compromised at multiple companies, including Apple, Facebook, and Microsoft.
FireEye offered the following details regarding the latest Java failure:
Unlike other popular Java vulnerabilities in which the security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in the JVM process. After triggering the vulnerability, the exploit looks for the memory which holds JVM internal data structures, like whether the security manager is enabled or not, and then overwrites that chunk of memory with zeros.
Upon successful exploitation, it will download a McRAT executable from the same server hosting the JAR file and then execute it.
The good news is that the security company says the exploit is “not very reliable” as it tries to overwrite a big chunk of memory and often results in the JVM crashing. Nevertheless, Oracle is looking into the latest problem.
Since the release of Java 7 Update 15, there has been at least one new vulnerability found in Oracle’s software. Unfortunately, it’s not clear if this exploit discovered by FireEye is related or not.
On February 25, Security Explorations, the Polish security firm responsible for identifying the majority of the latest Java security holes, sent Oracle yet another vulnerability notice, including proof of concept code for two flaws. Oracle began investigating the same day. On February 27, it declared the first alleged issue was not a vulnerability but confirmed the second issue.
Security Explorations disagreed with Oracle’s assessment regarding the first issue and provided Oracle with further examples as part of its argument. On February 28 (the same day FireEye discovered the latest version of Java was being exploited in the wild), Oracle said it would investigate the first issue again.
We recommend that regardless of what browser and operating system you are using, you should uninstall Java if you don’t need it. If you do need it, disable Java in your default browser, use a second browser when Java is required, and set your Java security settings to “High” so that it prompts you before loading an applet.
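As an added example (not part of the original article), the following Python script checks a host against the advice above: it flags the two versions FireEye reported as exploitable, and checks whether Java is disabled in the browser and whether the security level is “High”. The property names `deployment.webjava.enabled` and `deployment.security.level` are assumed from Oracle's deployment.properties format and do not appear in the article; the sample inputs are constructed.

```python
import re

# Versions the article reports FireEye found exploitable: Java 6 Update 41 and Java 7 Update 15.
AFFECTED = {(6, 41), (7, 15)}

def parse_java_version(version_output):
    """Extract (major, update) from `java -version` output, e.g. 'java version "1.7.0_15"' -> (7, 15)."""
    m = re.search(r'java version "1\.(\d+)\.\d+_(\d+)"', version_output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_deployment_properties(text):
    """Minimal parser for Java's deployment.properties (key=value lines, '#' or '!' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def assess(version_output, properties_text):
    """Return findings that contradict the article's advice; an empty list means none were found."""
    findings = []
    ver = parse_java_version(version_output)
    if ver is None:
        findings.append("java version could not be determined")
    elif ver in AFFECTED:
        findings.append("Java %d Update %d is one of the versions reported exploitable" % ver)
    props = parse_deployment_properties(properties_text)
    # Assumed key names from Oracle's deployment.properties format (not taken from the article).
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java is enabled in the browser (deployment.webjava.enabled is not false)")
    level = props.get("deployment.security.level")
    if level is None or level.upper() not in ("HIGH", "VERY_HIGH"):
        findings.append("deployment.security.level is not HIGH (found: %s)" % level)
    return findings

# Constructed sample inputs for a stand-alone run (not real output from any machine).
SAMPLE_VERSION = 'java version "1.7.0_15"\n'
SAMPLE_PROPS = ("# deployment.properties (constructed sample)\n"
                "deployment.security.level=MEDIUM\n"
                "deployment.webjava.enabled=true\n")

if __name__ == "__main__":
    for finding in assess(SAMPLE_VERSION, SAMPLE_PROPS):
        print("FINDING:", finding)
```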
We have contacted Oracle to learn more about this issue.
Image credit: Sander Klaver