Lucene search

K
threatpostBrian DonohueTHREATPOST:53FFA3071578083E01768081147BA316
HistoryMar 01, 2013 - 4:34 p.m.

The Java Zero-Day Procession Continues

2013-03-0116:34:30
Brian Donohue
threatpost.com
42

EPSS

0.966

Percentile

99.7%

After a glorious 72-hour stretch without one, security researchers confirmed yesterday that they found yet another zero-day vulnerability in Oracle’s thoroughly troubled Java platform.

With a little help from Hermes Bojaxhi and his team at Cyber Engineering Services, researchers from the security firm FireEye found that attackers have successfully exploited this latest zero-day vulnerability in the wild, compromising the machines of users running browsers with Java six update 41 and Java seven update 15.

FireEye researchers Darien Kindlund and Yichong Lin claim that this vulnerability is different from the seemingly endless parade of Java zero-days that precede it. A security manager could pretty easily disable the other vulnerabilities, Kindlund and Lin explain. This one, on the other hand, allows for arbitrary memory reading and writing in the Java Virtual Machine (JVM) process.

The exploit is compromising browsers by targeting JVM’s internal data structure, overwriting the memory there to zero in order to download a McRAT executable.

The exploit is apparently not all that reliable due to the large amount of data it attempts to overwrite. In most cases, Kindlund and Lin are watching JVM crash as it attempts, but ultimately fails to download the McRAT executable. However, when payload installs successfully, it reaches out to its command and control server with an HTTP request and starts copying itself into the dynamic link library.

McRAT is also performing the following pair of registry modifications: “REGISTRYMACHINESYSTEMControlSet001ServicesAppMgmtParameters”ServiceDll” = C:Documents and SettingsadminAppMgmt.dll” and “REGISTRYMACHINESYSTEMControlSet001ServicesAppMgmtParameters”ServiceDll” = %SystemRoot%System32appmgmts.dll.”

FireEye notified Oracle about the bug before publication and is urging users to disable Java in their browsers or set their Java security settings to “high” and avoid the execution of unknown Java applets until a patch is shipped. Oracle has since assigned a common vulnerability entry to the flaw: CVE-2013-1493.

It’s been a turbulent couple of months for Java as an absolute torrent of zero-day vulnerabilities has researchers seriously considering disabling Oracle’s nearly ubiquitous platform altogether.