At the beginning of this week anti-malware company F-Secure commented, “By all measures, Java is the current title holder for the lowest hanging fruit in computer security.” Just to prove the point, FireEye yesterday announced, “we detected a brand new Java zero-day vulnerability that was used to attack multiple customers.”
This, it should be said, is separate from an ongoing issue between Polish firm Security Explorations and Oracle. Security Explorations discovered two issues (which it describes as Issues 54 and 55) in Java SE 7 and reported them to Oracle under its own disclosure policy. On Thursday it posted on the Full Disclosure mailing list (Seclists) that Oracle had confirmed one of the issues (55), but had said the other (54) is ‘allowed behavior’.
“We disagree with Oracle's assessment regarding Issue 54,” wrote Adam Gowdiak. “If Oracle sticks to their assessment we'll have no choice than to publish details of Issue 54.”
Meanwhile, of course, FireEye has described not just a theoretical vulnerability but a new active exploit. Although the exploit is not very reliable, it has been successfully employed. Where successful, it downloads the McRAT trojan, which can both steal data (including passwords) and download further malware.
“We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery,” writes FireEye. In this instance there is no dispute from Oracle, which has already assigned CVE-2013-1493 to the vulnerability.
In the meantime FireEye adds, “We urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to ‘High’ and do not execute any unknown Java applets outside of your organization.”