

Oracle Issues Patch To Close Java 7 Vulnerability

By Ken Presti
August 31, 2012    2:52 PM ET

Oracle has released a patch designed to close serious vulnerabilities in Java 7. An exploit for them appeared in the wild last weekend and, over the past several days, was integrated into exploit kits such as Blackhole.

Unconfirmed reports also indicate that Oracle had been aware of the issues since April and had planned to fix them in its next scheduled Critical Patch Update, due in October. Given how widely Java 7 is deployed, however, several security experts publicly urged users to disable the Java browser plug-in in the interim to avoid drive-by download attacks.

"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password," stated a special advisory from Oracle. "To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system."


The vulnerability, tracked as CVE-2012-4681, is effectively closed once the patch is installed, according to researchers who have tested it.

"The patch is totally effective at blocking the exploit," said Tod Beardsley, Metasploit engineering manager at Rapid7. "We were not able to bypass it during testing, so we are confident that takes care of both vulnerabilities."

But Beardsley added that he still believes disabling Java 7 is good advice, predicting that this will not be the last zero-day attack to leverage Java. "And, Java is not JavaScript, it's not Flash, and it's not even PDF," he added. "It's not used as ubiquitously as these other technologies, so for most people, you're not going to notice if your Java is disabled."

The attack was first reported on Sunday, and researchers traced its source to China. Although the exploit was originally thought to rely on a single vulnerability, it was later found to chain two vulnerabilities used in tandem. A victim visiting the malicious page loads a file named "applet.jar", which in turn downloads and executes a payload named "hi.exe", a variant of the Poison Ivy remote-access trojan; that payload then contacts command-and-control servers in Asia and carries out their instructions.
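The chain above (malicious page, applet JAR, then a Windows executable pulled down by the escaped applet) leaves a recognisable sequence in web proxy logs. The following detection script is an added example written for this article; it is not code from CRN, Oracle or Rapid7. The log format, host names, IP addresses and timestamps are constructed for illustration, and the 60-second correlation window is an assumed tuning value, not something the article states.

```python
"""Flag clients whose proxy traffic shows a .jar fetch followed shortly
by a .exe fetch, the shape of the Java drive-by chain described above.

The log format ("timestamp client method url", one request per line) and
every sample line below are constructed for this example; adapt
parse_line() to your own proxy's format.
"""
from datetime import datetime, timedelta
import re

# Constructed sample log. Client 10.0.0.5 shows the suspicious sequence;
# 10.0.0.7 fetches a .jar and an .exe far apart in time (benign);
# 10.0.0.9 fetches an .exe with no preceding .jar (benign).
SAMPLE_LOG = """\
2012-08-26T14:02:11 10.0.0.5 GET http://example-news.test/index.html
2012-08-26T14:02:12 10.0.0.5 GET http://example-news.test/applet.jar
2012-08-26T14:02:15 10.0.0.5 GET http://203.0.113.9/hi.exe
2012-08-26T14:03:40 10.0.0.7 GET http://intranet.test/reports/applet.jar
2012-08-26T14:20:02 10.0.0.7 GET http://updates.test/tool.exe
2012-08-26T14:21:00 10.0.0.9 GET http://cdn.test/setup.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Assumed tuning value: how long after the JAR a follow-on EXE still counts.
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, method, url),
    or return None for lines that do not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return datetime.fromisoformat(ts), client, method, url


def find_jar_then_exe(log_text, window=WINDOW):
    """Return (client, jar_url, exe_url) triples for every client whose
    .jar fetch is followed within `window` by a .exe fetch.

    Only the most recent JAR per client is remembered, so a long-lived
    host does not accumulate state; a hit clears that client's entry so
    the same JAR is not reported twice.
    """
    last_jar = {}   # client -> (timestamp, jar_url)
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, client, _method, url = rec
        path = url.split("?", 1)[0].lower()   # ignore query strings
        if path.endswith(".jar"):
            last_jar[client] = (ts, url)
        elif path.endswith(".exe") and client in last_jar:
            jar_ts, jar_url = last_jar[client]
            if ts - jar_ts <= window:
                hits.append((client, jar_url, url))
                del last_jar[client]
    return hits


if __name__ == "__main__":
    for client, jar_url, exe_url in find_jar_then_exe(SAMPLE_LOG):
        print(f"suspect {client}: {jar_url} -> {exe_url}")
```

Run against the constructed sample, only 10.0.0.5 is reported. The rule is deliberately extension-based and time-bounded; in production you would also key on the JAR being served from a domain outside your allow-list and on the executable's destination being newly seen, since benign software updates also fetch JARs and EXEs.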

Users are advised to install the patch as soon as possible.

"I'm very happy to see that Oracle did this," said Beardsley. "I think it shows that Oracle is getting the kind of flexibility that people have been wanting for years. Quarterly patches are fine, but they need to go faster and be more flexible. For something like Java that literally has a billion clients, they need to be quicker."

According to Kaspersky's "ThreatPost" blog, researchers have determined that one of the groups exploiting the vulnerability was also the source of the so-called Nitro attacks against chemical companies and defense contractors last year.
