Tuesday, August 28, 2012

[News] Java 7 0-Day vulnerability information and mitigation.

The cat is out of the bag. There is a 0-day out there currently being used in targeted attacks. The number of these attacks has been relatively low, but it is likely to increase, because this is a fast and reliable exploit that can be used in drive-by attacks and in all kinds of links in emails. Interestingly, Mark Wuergler mentioned on August 10 that the VulnDisco SA CANVAS exploit pack now has a new Java 0-day. It makes you wonder whether it is the same exploit, either leaked from that pack or found in the wild and then added to it, or whether it is totally unrelated and there are now two 0-day exploits.
The purpose of this post is not to provide the vulnerability analysis or samples, but to offer additional information that may help prevent infections on some targeted networks. We all know what kind of damage Java vulnerabilities can cause when used in drive-by exploits or in exploit packs. We believe that revealing technical vulnerability details in the form of a detailed technical analysis is dangerous, and that releasing working exploits before the patch is vain and irresponsible.
The Oracle patch cycle is 4 months (the middle of February, June and October), with bugfixes 2 months after each patch. The next patch day is October 16, almost two months away. Oracle almost never issues out-of-cycle patches, but hopefully they will consider this serious enough to do so this time.
We have been in contact with Michael Schierl, the Java expert who discovered a number of Java vulnerabilities, including the recent Java Rhino CVE-2011-3544 / ZDI-11-305 and CVE-2012-1723. We asked him to have a look at this latest exploit. Michael sent his detailed analysis, which we will publish in the near future, and a patch, which we offer on a per-request basis today.
The reason for the limited release is that this patch can be reversed, which would make the job of exploit creation easier; that is certainly not our goal.
Atif Mushtaq from FireEye covered the payload part of the exploit, which is helpful and something to look out for if you are protecting your network or your customers. We should note that the attackers are not limited to .net addresses and have already used other domains and IP addresses.