Security researchers at FireEye Inc. are warning of a new zero-day vulnerability affecting the latest version of Java, which is being actively exploited by cybercriminals.
The Java vulnerability affects the Java browser plug-in in Internet Explorer, Mozilla Firefox and Safari. Exploit code targeting it has been tested on Windows XP, Windows Vista and Windows 7 as well as Ubuntu Linux 10.04 and Mac OS X 10.7.4.
"We have seen this unpatched exploit being used in limited targeted attacks," wrote Atif Mushtaq, a senior researcher at Milpitas, Calif.-based FireEye.
A successful attack lets the attacker install a dropper on the compromised system, which then contacts a remote server to download additional malware. Oracle has not yet acknowledged the vulnerability, and the next round of scheduled Java patches is not due until Oct. 16.
Java has been increasingly targeted by attackers using automated toolkits such as the Blackhole exploit kit. Danish vulnerability clearinghouse Secunia gave the zero-day flaw an "extremely critical" rating, noting that it is being actively exploited in the wild.
Attack code added to Metasploit
A reliable exploit module targeting the flaw has been added to the Metasploit penetration testing framework, and the Metasploit researchers recommend that organizations disable Java entirely until Oracle ships a fix.
"As a user, you should take this problem seriously, because there is currently no patch from Oracle," Boston-based Rapid7 researchers noted in a blog post on Monday.
Enterprise IT security teams should limit the use of Java across the organization, said Wolfgang Kandek, CTO of Redwood City, Calif.-based vulnerability management vendor Qualys Inc., in a blog post Monday. Internet Explorer can be configured to forbid Java in the Internet zone while still allowing it on a short list of whitelisted sites, Kandek wrote.
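One way to implement the per-zone approach Kandek describes, written here as an added example rather than code from Qualys or the article: set Internet Explorer's "Java permissions" URL action (registry value 1C00) to 0, meaning "Disable Java", for the Internet and Restricted sites zones, and move the few hosts that need Java into the Trusted sites zone, where Java stays enabled. The host names are placeholders, and the assumption that the 1C00 action governs the installed Java plug-in on a given IE and Java version should be confirmed on a test machine before rollout.

```powershell
# Added example, not from the article or Qualys: restrict Java in IE by security zone.
# Assumption: IE's "Java permissions" URL action (value 1C00) governs the installed plug-in.
# 1C00 values: 0 = Disable Java, 0x10000 = High safety, 0x20000 = Medium, 0x30000 = Low.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone 3 = Internet, Zone 4 = Restricted sites: Java off for the open web.
foreach ($z in 3, 4) {
    Set-ItemProperty -Path "$zones\$z" -Name '1C00' -Value 0 -Type DWord
}

# Zone 2 = Trusted sites: keep Java enabled (High safety) so whitelisted applets still run.
Set-ItemProperty -Path "$zones\2" -Name '1C00' -Value 0x10000 -Type DWord

# Whitelist: ZoneMap stores hosts as Domains\<domain>\<subdomain>, with the URL scheme as the
# value name and the zone number as its data. These hosts are placeholders, not from the article.
$allowed = @(
    @{ Domain = 'example.com'; Sub = 'intranet' },
    @{ Domain = 'example.com'; Sub = 'timesheet' }
)
foreach ($site in $allowed) {
    $key = Join-Path (Join-Path $zoneMap $site.Domain) $site.Sub
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Only HTTPS is mapped to Trusted sites (zone 2); plain HTTP stays in the Internet zone.
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

# Verify the effective Java permission for each zone touched above.
foreach ($z in 2, 3, 4) {
    $v = (Get-ItemProperty -Path "$zones\$z" -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
    'Zone {0} Java permissions = 0x{1:X}' -f $z, $v
}
```

The script edits the current user's hive, which is adequate for a test machine; across a fleet the same zone settings are pushed through Group Policy, and the whitelist should be kept to HTTPS hosts so an attacker on the network path cannot impersonate a trusted site to regain Java execution.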
"For once, users of the older Java v6 do seem to be better off as the vulnerability does not affect that version of Java," Kandek wrote.
Poison Ivy Trojan
San Mateo, Calif.-based AlienVault Inc. said its research team identified at least one payload delivered through the Java zero-day as a variant of the PoisonIvy Trojan.
PoisonIvy is a remote administration tool (RAT): once installed it gives even a relatively unsophisticated attacker a way to map the targeted computer network and to steal or modify files on the compromised host.