The Latest in IT Security

New Java 0-day used in small number of attacks

28
Aug
2012

Over the weekend, information started appearing that there was a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. We have analyzed samples from the attack and can confirm that Websense customers using products that have our Advanced Classification Engine (ACE) have been protected against this zero-day attack by real-time analytics dating back to early 2009.

We have confirmed that the exploit doesn't work on version 1.6.x of Java, but it does work on 1.7.0.5 and 1.7.0.6 (latest available versions). David at Errata Security has tried and verified that the same exploit works just as well on Linux and OS X including Mountain Lion 10.8.1. That's right folks, yet another cross-platform vulnerability in Java, and with the increasing amount of Mac malware that we're seeing, we wouldn't be surprised if this starts being used against Mac users shortly. 

Regardless of which browser and operating system that you use, make sure you disable or better yet, uninstall Java, unless you really need it. Brian Krebs has instructions on how to disable Java in browsers both on Windows and Mac. There's already a Metasploit module for the new vulnerability, which increases the risk of it being applied in attacks against a larger amount of targets.

The obfuscated JavaScript above will download a file called applet.jar (VirusTotal report), which, in turn, uses the vulnerability to download the payload hi.exe (VirusTotal report) that it saves as update.exe and executes on the system. The downloaded EXE file is a variant of Poison Ivy that tries to connect to a known malicious host in Singapore. See our ThreatScope report for more information about the file.

Leave a reply


Categories

WEDNESDAY, OCTOBER 18, 2017

Featured

Archives

Latest Comments

Social Networks