SecureState Blog


Overview: There is a new vulnerability in Oracle Java 7 Update 10 and earlier, CVE-2013-0422. This vulnerability allows remote attackers to execute arbitrary code on a vulnerable system. The exploit has already been incorporated into two well-known crimeware suites (Blackhole and Nuclear Pack) and has also been added to the Metasploit Framework, as seen here.


Description: The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or the Java Web Start plug-in. Oracle's documentation for setSecurityManager states:

“If there is a security manager already installed, this method first calls the security manager’s checkPermission method with a RuntimePermission(“setSecurityManager”) permission to ensure it’s safe to replace the existing security manager. This may result in throwing a SecurityException”.

By leveraging unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to grant itself full privileges, without requiring code signing. Oracle Java 7 Update 10 and earlier are affected. (Source)
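To make the quoted check concrete, the following is an added example (not code from the original post, and not Oracle's) showing the normal, intended behaviour: once a security manager is installed, a later call to System.setSecurityManager() is gated by checkPermission(new RuntimePermission("setSecurityManager")) and is rejected if that check throws. The class name LockedSecurityManager and its decision to allow every other permission are assumptions made for the demo; it assumes a JRE that still ships java.lang.SecurityManager (deprecated since Java 17; on Java 18 and later it must be enabled with -Djava.security.manager=allow).

```java
import java.security.Permission;

/**
 * Added example: demonstrates the permission check that guards
 * System.setSecurityManager(). Assumes a JRE that still supports
 * java.lang.SecurityManager (deprecated since Java 17; on Java 18+ start the
 * JVM with -Djava.security.manager=allow).
 */
public class SetSecurityManagerCheck {

    /** Hypothetical manager that refuses to be replaced but allows everything else. */
    static class LockedSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                // This is the SecurityException the Javadoc quoted above refers to.
                throw new SecurityException("replacing the security manager is not allowed");
            }
            // Every other permission is granted in this demo; a real policy is stricter.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** Returns true when an attempt to replace the installed manager is blocked. */
    static boolean replacementIsBlocked() {
        try {
            System.setSecurityManager(null);
            return false; // no exception: the manager was replaced
        } catch (SecurityException e) {
            return true;  // the checkPermission gate fired as intended
        }
    }

    public static void main(String[] args) {
        // No manager is installed yet, so this first call performs no check.
        System.setSecurityManager(new LockedSecurityManager());
        System.out.println("Locked manager installed: "
                + (System.getSecurityManager() != null));

        // Now the RuntimePermission("setSecurityManager") check is consulted.
        System.out.println("Replacement blocked: " + replacementIsBlocked());
    }
}
```

This gate is what an untrusted applet is supposed to run into. The significance of CVE-2013-0422 is that an unsigned applet can reach setSecurityManager() with full privileges instead, which is why the workaround below focuses on disabling Java content in browsers rather than on tuning the security manager.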

Impact: Exploitation requires user interaction. The target must visit a maliciously crafted page or open a malicious file for code execution to occur.

Solution: As of right now there is no fix for this vulnerability. However, starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the following link to disable Java: http://www.java.com/en/download/help/disable_browser.xml

What if Java cannot be disabled? Some organizations have business requirements that prevent them from disabling Java. Until this issue is patched, there are measures that can be taken to help detect whether your organization has been affected by this vulnerability.

1) Ensure employees are educated and do not click potentially hazardous links or open suspicious files.

2) Ensure software is up to date.

3) Update IDS/IPS signatures. Kevin Ross from emergingthreats.net has provided three Snort signatures to help detect Nuclear Pack / Redkit / Blackhole Obfuscated Binary Downloads. These can be found here.