CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2012-063

DATE(S) ISSUED:
08/28/2012

SUBJECT:
Oracle Java Runtime Environment is prone to a remote code execution vulnerability

OVERVIEW:

OVERVIEW:
A vulnerability has been discovered in Oracle Java Runtime Environment that can lead to remote code execution. The Java Runtime Environment is used to enhance the user experience when visiting web sites and is installed on most desktops and servers. This vulnerability may be exploited if a user visits or is redirected to a specifically crafted web page, or opens a specially crafted file.

Please note that there have been reports of active exploitation of this vulnerability and public exploit code is currently available. At this time, no patch is available from Oracle to mitigate this vulnerability.


SYSTEMS AFFECTED:

  • Oracle JRE 1.7.0 Update 6

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:

A vulnerability has been discovered in Oracle Java Runtime Environment that can lead to remote code execution. In order to exploit this vulnerability, an attacker must first create a malicious web page designed to leverage this issue. When the web page is visited, the attacker-supplied code is run in the context of the affected application.

Please note that there have been reports of active exploitation of this vulnerability and public exploit code is currently available. At this time, no patch is available from Oracle to mitigate this vulnerability.

Initial reports indicate that exploit code is being served from ok.aa24.net / meeting / index.html. The site then loads a Java applet containing the following class files:

  • Gondzz.class
  • Gondvv.class

The applet then checked to see if the system is vulnerable and downloads the following file:

ok.aa24.net / meeting / hi.exe

This file appears to be a variant of the Poison Ivy malware.

When executed, the file connects to hello.icon.pk (223.25.233.244) over port 80/TCP.

Please note that this is only one reported scenario and the exploit may be delivered via any specially crafted website and could subsequently reach out to any other system after the initial exploitation.


RECOMMENDATIONS:

  • Apply the patch from Oracle, after appropriate testing, as soon as one becomes available.
  • Consider disabling Java completely on all systems until a patch is available.
  • Block all traffic to the systems identified in this advisory.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from unknown or untrusted sources

REFERENCES:

SecurityFocus
http://www.securityfocus.com/bid/55213

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4681

ZDNet
http://www.zdnet.com/java-zero-day-vulnerability-actively-used-in-targeted-attacks-7000003233/

FireEye
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

AlienVault
http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/