A zero-day attack against one of the most widely used software products in the industry has now been productized into the Black Hole exploit kit, which is very popular with the hacker community, according to researchers from WebSense Labs. This development means that the likelihood of infection has become elevated due to the sheer number of people who will be capitalizing on this latest attack vector involving Java 7, potentially affecting BYOD in the enterprise.
The attack was discovered on Sunday with the source determined to be based in China. It's been further discovered that the attack is based on not one but two vulnerabilities in Java 7 that are being used in tandem.
"This is actually two vulnerabilities knocked into one .jar file," said Chris Astacio, manager of security research at Websense Security Labs. "The unfortunate thing is that once a zero-day like this happens and is found out in the wild, a developer for a kit like Black Hole will find it, reverse engineer it and integrate it into his own kit. This can happen very quickly, and in this case it happened in about a day."
The attack is based on the downloading of a file entitled "applet.jar," which then accesses, downloads and executes a payload known as "hi.exe," a variant of the malware known as, "Poison Ivy," which then contacts and follows the instructions of command-and-control servers based in Asia.
It appears that all major browsers are more or less equally affected. While most of the attacks, thus far, have been focused on Windows machines, it is also believed that the same vulnerabilities impact Linux and OS X, including Mountain Lion 10.8.1, as well.
So far, antivirus packages have had a very spotty track record in dealing with the exploit. According to Astacio, only 19 out of the 42 major AV products are currently recognizing this attack.
NEXT: Closing Vulnerability Deemed Critical For Enterprise BYODIt has been noted that this zero-day attack impacts Java 7, but not Java 6. Nonetheless, Websense's Astacio recommends against substituting version 7 with version 6 because version 6 has vulnerabilities of its own. "The best advice is to either disable Java 7 or remove it altogether until the appropriate patches available," he said. "This is especially critical for enterprises that have mobile users in BYOD scenarios where the user might get their own device infected and then bring it back to the enterprise."
Astacio added that Java 7 is relatively straightforward to disable, based on a variety of instructions available on the Internet. He also recommends that most people delete the application altogether.
"Unless you actually need Java, you might choose to remove it from your system because of the history of exploits that have come out through it," he said. "Java is well known as a major attack vector for exploit kits. But if you absolutely do not need it, you're better off removing it altogether. Most consumer type websites do not require it, but there are some application's internal to enterprises that may require it."
Oracle's next regularly scheduled security download is not anticipated until October, but many speculate that an emergency patch will be issued. At this time, however, there's been no indication of any such plans. A third-party organization, DeepEnd Research, is offering a patch promised to close the vulnerabilities. That patch is reportedly available upon request from that organization.
PUBLISHED AUG. 29, 2012