Java Exploit Added to Crimeware Kits Soon After Discovery

A security researcher finds that seven exploit kits have added an attack for a previously unreported flaw in the latest version of the Java Runtime Environment.

Security experts are again calling for users to disable the Java browser plug-in and uninstall the software on their systems, following the discovery of a zero-day vulnerability in the latest version of the Java Runtime Environment.

Information about the vulnerability emerged Dec. 10, after a security professional discovered an exploit using the security hole to compromise systems. The vulnerability, which appears to only affect Java Runtime Environment (JRE) 1.7 and not prior versions, had not previously been known but appears to be similar to other Java security issues found in August 2012, said Jaime Blasco, labs manager at security-monitoring provider AlienVault.

The vulnerability allows a piece of Java code to break out, or escape, from the protected software container, or sandbox, that is a critical part of Java's security model, said Blasco, who had verified that the exploit worked.

"The most important thing about this is that it is a sandbox escape, not a memory exploitation or something similar, so most of the mitigations are not effective," he said.

The security professional who published details about the exploit, France-based security manager Charlie Hurel, worried that remaining quiet about the issue could lead to a large number of compromises.

"Hundreds of thousands of hits daily where I found it," he wrote in the alert. "This could be ... mayhem."

Last year, an academic paper by security researchers at Symantec found that stealthy attacks using unreported vulnerabilities can remain undiscovered for 10 months. Soon after such exploits are discovered, use of the attacks skyrockets as cyber-criminals add the exploits to their toolboxes.

That's exactly what happened with the latest Java vulnerability. By the end of the day, security researchers confirmed that at least seven exploit kits—the underground software that allows cyber-criminals to quickly create illicit campaigns to steal money—had incorporated attacks that prey on the vulnerability.

The major exploit kits that had a variant of the attack included the Blackhole, Cool TK, Nuclear Pack and Sakura exploit kits. In addition, the Metasploit project, which develops a free penetration-testing tool with frequent updates for the latest exploits, published its own module last night to exploit the flaw as well.

"This is just as bad as the last five (vulnerabilities in Java)," said HD Moore, chief security officer at vulnerability-management firm Rapid7 and the founder of the Metasploit project. "Within an hour, we had working code."

About 13 percent of users are currently using Java 1.7 and so are vulnerable to the latest attack. Users of older versions—including Mac OS X users—are not necessarily safe, however, as a bevy of older attacks will likely work against their systems.
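As an added example that is not part of the original article: a small Python helper that classifies a locally installed JRE by what the article reports, flagging the 1.7 line as affected by this flaw and older lines as still exposed to the earlier Java attacks. The version strings in the comments are constructed samples; the only assumption about the real tool is that `java -version` prints a line of the form `java version "1.7.0_10"` (or `openjdk version "..."`).

```python
import re
import subprocess

# First line of `java -version` output, e.g. java version "1.7.0_10",
# openjdk version "1.8.0_292" or java version "11.0.2" (constructed samples).
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?"'
)

def parse_java_version(output):
    """Return (major, minor, patch, update) parsed from `java -version` output,
    or None when no version line is present."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return int(major), int(minor or 0), int(patch or 0), int(update or 0)

def assess(output):
    """Classify the JRE by the article's reporting: the 1.7 line is affected
    by this sandbox-escape flaw; earlier lines are not affected by it but
    remain exposed to the older Java attacks the article mentions."""
    v = parse_java_version(output)
    if v is None:
        return "no-java-detected"
    line = (v[0], v[1])
    if line == (1, 7):
        return "affected-by-this-flaw"
    if line < (1, 7):
        return "older-line-exposed-to-prior-attacks"
    return "newer-than-reported"

def installed_java_assessment():
    """Run the local `java -version` (the JRE prints it to stderr) and assess it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no-java-detected"
    return assess(proc.stderr + proc.stdout)

if __name__ == "__main__":
    print(installed_java_assessment())
```

A result of "affected-by-this-flaw" is the case where the article's advice applies directly: disable the browser plug-in or remove the runtime until a fixed release is installed.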

Unlike last year's Flashback Trojan attack, which used a flaw in Java to infect victims' systems, the latest attack is being used to spread a different form of malware: "ransomware." The scheme, which typically uses malware to lock a user's machine until they pay a fee, quickly spread across Europe and into North America last year.

"We are talking about huge amounts of money here," said Bogdan Botezatu, senior threat analyst for security firm BitDefender. "And as long as they can make easy money, they will keep this up."

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...