CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2012-063

DATE(S) ISSUED:
08/28/2012
08/29/2012 - Updated
08/30/2012 - Updated

SUBJECT:
Oracle Java Runtime Environment is prone to a remote code execution vulnerability.

ORIGINAL OVERVIEW:

OVERVIEW
A vulnerability has been discovered in Oracle Java Runtime Environment that can lead to remote code execution. The Java Runtime Environment is used to enhance the user experience when visiting web sites and is installed on most desktops and servers. This vulnerability may be exploited if a user visits or is redirected to a specifically crafted web page, or opens a specially crafted file.

Please note that there have been reports of active exploitation of this vulnerability and public exploit code is currently available. At this time, no patch is available from Oracle to mitigate this vulnerability.

August 29 - UPDATED OVERVIEW
Please note that the exploit code for this vulnerability has been incorporated into the Blackhole exploit kit which significantly increases the severity of this vulnerability.

August 30 - UPDATED OVERVIEW
Oracle has released a Security Alert which contains updates (patches) for this vulnerability as well as two additional vulnerabilities affecting Java running in web browsers. It is recommended to apply this update immediately after appropriate testing.


SYSTEMS AFFECTED:

  • Oracle JRE 1.7.0 Update 6

 

August 30 - UPDATED SYSTEMS AFFECTED:

  • Oracle JDK (Java Development Kit) and JRE 6 Update 34 and before
  • Oracle JDK (Java Development Kit) and JRE 7 Update 6 and before

 

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
A vulnerability has been discovered in Oracle Java Runtime Environment that can lead to remote code execution. In order to exploit this vulnerability, an attacker must first create a malicious web page designed to leverage this issue. When the web page is visited, the attacker-supplied code is run in the context of the affected application.

Please note that there have been reports of active exploitation of this vulnerability and public exploit code is currently available. At this time, no patch is available from Oracle to mitigate this vulnerability.

Initial reports indicate that exploit code is being served from ok.aa24.net / meeting / index.html. The site then loads a Java applet containing the following class files:

  • Gondzz.class
  • Gondvv.class

The applet then checked to see if the system is vulnerable and downloads the following file:

ok.aa24.net / meeting / hi.exe

This file appears to be a variant of the Poison Ivy malware.

When executed, the file connects to hello.icon.pk (223.25.233.244) over port 80/TCP.

Please note that this is only one reported scenario and the exploit may be delivered via any specially crafted website and could subsequently reach out to any other system after the initial exploitation.

August 29 - UPDATED DESCRIPTION
Please note that the exploit code for this vulnerability has been incorporated into the Blackhole exploit kit which significantly increases the severity of this vulnerability.

August 30 - UPDATED OVERVIEW
Oracle has released a Security Alert which contains updates (patches) for this vulnerability as well as two additional vulnerabilities affecting Java running in web browsers. It is recommended to apply this update immediately after appropriate testing.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the patch from Oracle, after appropriate testing, as soon as one becomes available.
  • Consider disabling Java completely on all systems until a patch is available.
  • Block all traffic to the systems identified in this advisory.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from unknown or untrusted sources.

 

August 30 - UPDATED RECOMMENDATIONS
We recommend the following actions be taken:

  • Apply the patch from Oracle immediately, after appropriate testing.

 

REFERENCES:
SecurityFocus

http://www.securityfocus.com/bid/55213

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4681

ZDNet
http://www.zdnet.com/java-zero-day-vulnerability-actively-used-in-targeted-attacks-7000003233/

FireEye
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

AlienVault
http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/

August 29 - UPDATED REFERENCES
Websense:

http://community.websense.com/blogs/securitylabs/archive/2012/08/28/new-java-0-day-added-to-blackhole-exploit-kit.aspx

Krebs on Security:
http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

SecureList:
http://www.securelist.com/en/blog/208193822/The_Current_Web_Delivered_Java_0day

PCWORLD:
http://www.pcworld.com/businesscenter/article/261573/unpatched_java_vulnerability_exploited_in_blackholebased_attacks.html

August 30 - UPDATED REFERENCES
Oracle:

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html?printOnly=1

SANS:
http://isc.sans.edu/diary/Oracle+Releases+Java+Security+Updates/14008

US-CERT:
http://www.kb.cert.org/vuls/id/636312