
Attack code surfaces targeting Java zero-day flaw

Robert Westervelt, News Director

Security researchers at FireEye Inc. are warning of a new zero-day vulnerability affecting the latest version of Java, which is being actively exploited by cybercriminals.

The Java vulnerability affects users of Internet Explorer, Mozilla Firefox and Safari. Exploit code targeting it was tested on Windows XP, Windows Vista and Windows 7, as well as Ubuntu Linux 10.04 and Mac OS X 10.7.4.

"We have seen this unpatched exploit being used in limited targeted attacks," wrote Atif Mushtaq, a senior researcher at Milpitas, Calif.-based FireEye.

A successful exploit lets the attacker install a dropper on the compromised system, which then contacts a remote server to download additional malware. Oracle has not yet acknowledged the vulnerability. The next round of Java patches is scheduled for Oct. 16.

Java has been increasingly targeted by attackers using automated toolkits such as the Blackhole exploit kit. Danish vulnerability clearinghouse Secunia gave the zero-day flaw an "extremely critical" rating, noting that it is being actively exploited in the wild.

Attack code added to Metasploit
A reliable exploit module targeting the flaw was added to the Metasploit penetration testing framework, and Rapid7's researchers recommend that firms disable Java entirely until Oracle releases a fix.

"As a user, you should take this problem seriously, because there is currently no patch from Oracle," Boston-based Rapid7 researchers noted in a blog post on Monday.

Enterprise IT security teams should limit the use of Java across the organization, Wolfgang Kandek, CTO of Redwood City, Calif.-based vulnerability management vendor Qualys Inc., said in a blog post Monday. Internet Explorer could be configured to block Java by default and allow it only on whitelisted websites, Kandek wrote.

"For once, users of the older Java v6 do seem to be better off as the vulnerability does not affect that version of Java," Kandek wrote.
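Kandek's point that Java 6 is not affected while Java 7 is makes a runtime inventory the first practical step before deciding where to disable the plug-in. The shell script below is an added example, not code from the article or from Qualys, FireEye or Rapid7: it classifies a JRE from the first line that `java -version` prints (a line such as `java version "1.7.0_06"`), runs that check against whatever Java is on the local PATH, and reports whether the Oracle/OpenJDK NPAPI plug-in (`libnpjp2.so`) is wired into Firefox on Linux. The plug-in paths are assumptions about common Linux install locations, and the version-to-status mapping encodes only what the article states (Java 7 affected, Java 6 not), so any other release is reported as unknown.

```shell
#!/bin/sh
# Added example (not from the article): triage a host's Java runtime against
# this zero-day using only the article's facts: Java 7 affected, Java 6 not.

# java_major VERSION_LINE -> prints the major release (6, 7, ...) or nothing.
# Accepts the first line of `java -version`, e.g.
#   java version "1.7.0_06"      (Oracle JRE)
#   openjdk version "1.7.0_03"   (OpenJDK builds)
java_major() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "1\.\([0-9]*\)\..*/\1/p'
}

# zero_day_status VERSION_LINE -> "affected", "not-affected" or "unknown"
zero_day_status() {
    major=$(java_major "$1")
    case "$major" in
        7)  echo affected ;;       # Java 7 (1.7.x) is what the exploit targets
        6)  echo not-affected ;;   # Kandek: Java 6 is not affected by this flaw
        *)  echo unknown ;;        # no statement on the page about other releases
    esac
}

# Check the runtime actually installed on this host, if any.
# `java -version` writes to stderr, hence the 2>&1.
check_local_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java on PATH"
        return 0
    fi
    line=$(java -version 2>&1 | head -n 1)
    printf '%s -> %s\n' "$line" "$(zero_day_status "$line")"
}

# Report whether the Java NPAPI plug-in is present for Firefox on Linux.
# Paths are assumptions about common install locations (per-user and system-wide).
check_firefox_plugin() {
    for f in "$HOME/.mozilla/plugins/libnpjp2.so" \
             /usr/lib/mozilla/plugins/libnpjp2.so \
             /usr/lib64/mozilla/plugins/libnpjp2.so; do
        [ -e "$f" ] && echo "Java plug-in enabled for Firefox: $f"
    done
    return 0
}

check_local_java
check_firefox_plugin
```

Run it with `sh` on each Linux host. A Java 7 runtime together with a present `libnpjp2.so` link is the combination the article's mitigations are aimed at; removing or renaming that link disables Java in Firefox without uninstalling the JRE, which is the Linux equivalent of the browser-side blocking Kandek describes for Internet Explorer.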

Poison Ivy Trojan
San Mateo, Calif.-based AlienVault Inc. said its research team identified at least one of the Java zero-day flaw payloads delivered in the attack as a variant of the PoisonIvy Trojan.  

The notorious PoisonIvy malware was used in the attacks against RSA, the security division of EMC Corp. Last year nearly 30 firms in the chemical industry were targeted using a variant of PoisonIvy.

PoisonIvy is itself a remote administration tool (RAT). Its point-and-click builder and controller give a relatively unsophisticated attacker a way to gather details about the compromised computer and the network around it, and to steal or modify files.

