Wednesday, August 29, 2012

There's More Than One Java 0-Day Being Exploited; Where's Oracle?!

Update: Oracle has released an emergency patch to fix the 0-day vulnerabilities currently being exploited.

-- End Update --

As the minutes tick away, more information about the new Java 0-day vulnerability (CVE-2012-4681) we blogged about a few days ago has surfaced, and it’s not pretty. At all.

More Than One Java Bug Putting Users at Risk


Researchers have discovered that the exploit code that’s been used in targeted attacks wasn’t leveraging just one Java 0-day vulnerability, but two.

“The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check,” Esteban Guillardoy of Immunity Inc. explained in a Tuesday blog entry.

What Does Oracle Have to Say About All This?


So far, Oracle has not commented on the 0-day vulnerability reports currently circulating.

As if its silence wasn’t bad enough, Computerworld reports that Oracle has known about the 0-day vulnerabilities for months.

Adam Gowdiak, founder and CEO of Security Explorations, stated that Oracle was notified about the two security holes – along with 12 other flaws – on April 2nd. Security Explorations continued to report Java 7 vulnerabilities to Oracle until a total of 29 bugs had been reported.

There hasn’t been any explanation as to why Oracle has been dragging its feet on closing the security holes. A status report that Security Explorations received from Oracle on August 23rd stated that Oracle was planning to fix the two vulnerabilities currently being used in attacks in its October Critical Patch Update (CPU), along with 17 other Java 7 flaws that Security Explorations had previously submitted.

Java 0-day Exploit Code Added to BlackHole Exploit Kit


A visit to nearly any internet security website will land you face to face with the same advice:
If you don’t need Java on your PC, uninstall it immediately. If you do need it, at least disable the Java plug-ins on your web browser to minimize the chances of a malware infection.

That advice stems from the fact that the 0-day Java exploit code has been added to the widely-used BlackHole exploit kit.

"So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly," Atif Mushtaq from FireEye warned in a blog post on Tuesday. "After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands."

That sounds about right. The exploit code isn't reserved just for targeted attacks anymore. All it takes is a visit to a compromised site housing the BlackHole exploit pack.

Again, this Java exploit code does not discriminate between browsers or operating systems – researchers were able to successfully execute attacks against IE, Firefox, Opera, Safari, and Chrome on systems running Windows, OS X, and Ubuntu Linux.

It all depends on what cybercriminals have configured the attack to drop on a victim’s machine: Windows-specific malware, or malware targeting a different OS.
