Newly Discovered Java Flaw Seen Exploited in Wild

Information on a Java flaw that has been seen in targeted attacks in the wild, and has been tested to work on most major Web browsers for both Mac and PC, was reported on Monday by security firm FireEye.

According to researchers, all versions of Java (including the Java 7 Update 6) are susceptible to attack, and can lead to the installation of malware on a system.

The hole is due to an issue in how the "setSecurityManager()" function in Java is called. Attackers can exploit this issue and set its own privileges on a targeted system, allowing the downloading and execution of malicious software.

"A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on infected systems," said FireEye in a blog post. "The dropper executable is located on the same server."

Security experts have found that a variant of the Poison Ivy Trojan has been used in the targeted attacks. The exploit is said to have come from an IP address of a Chinese Web site, with the malware currently connected to a Singapore command and control server.

While the handful of attacks  seen in the wild have come from this Chinese IP address, researchers are warning that due to the relative ease of exploiting this hole, along with a proof-of-concept exploitbeing published online last night,  be on the lookout for similar attacks in the near future.

"The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails," wrote security researchers Andre' M. DiMino and Mila Parkour in a blog post.

While Oracle has not released a statement on when an update will be available, security experts are suggesting that users temporarily disable the Java plugin.

"IT administrators only defense at the moment is to limit the use to Java," said Wolfgang Kandek, CTO of security firm Qualys, Inc. "This can be implemenetd by uninstalling Java where not needed or by using the Zone mechanism in Internet Explorer, forbidding Java use in the Internet Zone (setting Registry Key 1C00 to 0 in Zone 3) and allowing it only on whitelisted websites in the Trusted Zone."

For those who must use Java, an unofficial patch can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.