Java Zero-Day Attack Threats Widening, Security Experts Warn

Attackers used a previously unknown vulnerability in Java against at least one firm, and the speedy inclusion of the exploit in popular exploit kits threatens far wider compromises.

Security firms warned business users and consumers to remove Java if possible, after one company identified an attack against its customers using a previously unknown vulnerability in Java.

On Aug. 24, threat-protection firm FireEye stopped an attack targeting the flaw and over the weekend confirmed that the security issue was previously unknown. The attack exploited the vulnerability in the latest version of the software platform, Java 7, and the exploit runs on Windows, Mac OS X and Linux, said Atif Mushtaq, a senior staff scientist with FireEye.

FireEye and other security firms also found that the exploit runs silently, giving the victim no sign that anything has happened.

"Unlike other exploits, which, when they run, crash your browser and give you a feeling that something is wrong, this attack really works silently," Mushtaq said on Aug. 27. "Every big platform is really being targeted right now."

Known for its cross-platform functionality and tag line, "write once, run anywhere," the Java software platform has become a very popular target of cybercriminals, with major exploit kits, such as Blackhole, including at least a handful of exploits for Java vulnerabilities. The software's widespread deployment, especially in enterprise environments, and the necessity of keeping older, vulnerable versions around for backward compatibility give attackers an ideal environment in which to exploit targeted systems.

The failed attack, which led to the discovery of the vulnerability, attempted to install Poison Ivy, a well-known remote-access Trojan (RAT) that has also been used in some nation-state-related attacks. The attack emanated from servers in China, but experts are quick to point out that cyber-criminals utilize compromised servers in other countries to mislead investigators.

Mushtaq and other security researchers worried that Oracle, which took over the development of Java when it purchased Sun Microsystems, would delay releasing a patch until its regularly scheduled patch day on Oct. 16.

"Oracle almost never issues out-of-cycle patches but hopefully they will … consider it serious enough to do it this time," Mila Parkour, co-founder of DeepEnd Research, stated in a blog post on Aug. 27.

Speed is critical, because the exploit has already started appearing in many of the tools used by attackers and by offensive security experts, such as penetration testers. The Metasploit Project, which maintains the open-source penetration-testing framework of the same name, released on Aug. 26 a module to exploit the vulnerability on all major platforms and browsers. And a beta version of the Blackhole exploit kit (a popular way for cybercriminals to compromise computers and manage the resulting botnets) has included a version of the Metasploit attack.

After information on the attack came out, other security providers found signs of the attack as well. Open-source security management provider AlienVault published details on Aug. 27 of an attack similar to the one reported by FireEye. It also confirmed the link to the Poison Ivy RAT.

"A module has just been published for Metasploit, so it is time to disable Java in all your systems," the company stated. "And remember to search your logs for connections to the Domains/IPs related to this attack."
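AlienVault's advice above is to search logs for connections to the attack's domains and IPs. The following is an added example of how a responder might do that over a proxy access log; it is not AlienVault's or FireEye's code. The article does not reproduce the indicators, so IOC_DOMAINS and IOC_NETWORKS are constructed placeholders in reserved documentation ranges (to be replaced with the published list), the log lines are constructed, and the assumed format is Squid's native access.log. As a secondary signal beyond the indicator list, it also flags any JAR download, since a drive-by applet fetch looks exactly like one in the proxy log.

```python
"""Scan a Squid-style proxy access log for attack-related domains/IPs.

Added example, not code from AlienVault or FireEye. All indicators and
log lines below are constructed placeholders.
"""
import ipaddress
import re

# Constructed placeholders (reserved example ranges); the real indicators
# were published by the vendors and are not reproduced in the article.
IOC_DOMAINS = {"bad-example.test", "cdn.bad-example.test"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Pull the host out of an absolute URL or a CONNECT "host:port" target.
HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:[^/@]*@)?(?P<host>\[[^\]]+\]|[^/:?#]+)"
)


def extract_host(url):
    """Return the lowercase hostname or IP literal from a proxy-log URL."""
    m = HOST_RE.match(url)
    if not m:
        return None
    return m.group("host").strip("[]").lower().rstrip(".")


def match_reason(host):
    """Return 'ioc_ip' / 'ioc_domain' when host matches an indicator, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return "ioc_ip" if any(ip in net for net in IOC_NETWORKS) else None
    # Exact or subdomain match only: "evil.test" must not match "notevil.test".
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc_domain"
    return None


def parse_squid_line(line):
    """Split a Squid native access.log line into the fields we need."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"ts": f[0], "client": f[2], "status": f[3], "method": f[5],
            "url": f[6], "ctype": f[9] if len(f) > 9 else ""}


def scan(lines):
    """Return one hit dict per log line that matches an indicator or fetches a JAR."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        host = extract_host(rec["url"])
        if host is None:
            continue
        reason = match_reason(host)
        # Secondary signal: any JAR download is worth a look, because the
        # exploit arrives as an applet JAR fetched by the JRE.
        if reason is None and rec["ctype"] == "application/java-archive":
            reason = "jar_fetch"
        if reason:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "host": host, "reason": reason})
    return hits


# Constructed sample log lines, not from any real incident.
SAMPLE_LOG = [
    "1345852800.101   210 10.1.2.3 TCP_MISS/200 1840 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1345852801.455   330 10.1.2.3 TCP_MISS/200 9213 GET http://cdn.bad-example.test/Applet.jar - DIRECT/203.0.113.20 application/java-archive",
    "1345852803.002    15 10.1.2.3 TCP_MISS/200 512 GET http://203.0.113.7/hi.gif - DIRECT/203.0.113.7 image/gif",
    "1345852810.777   120 10.1.2.9 TCP_TUNNEL/200 4410 CONNECT notbad-example.test:443 - DIRECT/198.51.100.5 -",
    "1345852815.300   200 10.1.2.9 TCP_MISS/200 77001 GET http://files.example.org/tool.jar - DIRECT/198.51.100.9 application/java-archive",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On the constructed sample the scan reports three lines: the JAR fetched from the indicator domain, the GIF fetched from the indicator network, and the JAR fetched from an unlisted host (flagged only as a JAR download). The CONNECT to notbad-example.test is correctly left alone, which is why the domain check insists on an exact or subdomain match rather than a substring.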

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...