French researcher Kaffeine, who has been closely monitoring the Cool Exploit Kit, found a new Java exploit. “Hundreds of thousands of hits daily where i found it,” he noted. “This could be a mayhem.” At first he wasn’t sure whether to go public in case it caused more problems – but then he saw that Brian Krebs was also on its trail.
Krebs found it not in the wild but on the underground chat forums. “The curator of Blackhole,” wrote Krebs, “a miscreant who uses the nickname ‘Paunch,’ announced yesterday on several Underweb forums that the Java zero-day was a ‘New Year’s Gift,’ to customers who use his exploit kit.” And from there it spread. Kaffeine decided to go public, and published details.
AlienVault picked it up from Kaffeine. “With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab.” This exploit works on all versions of Java across all platforms, and is in use by a growing number of exploit kits (Metasploit has already added a module targeting the vulnerability). It is, in short, a serious and immediate threat.
“We have seen ads from legitimate sites,” writes Kaspersky Labs’ Kurt Baumgartner, “especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites.” Symantec claims to have been ‘proactively’ catching the exploit since January 9, but Kaspersky claims it has samples from mid-December.
The history of the exploit, however, is not as important as how quickly Oracle patches it; and what users do in the meantime. Trend Micro offers the following advice: “To prevent this exploit, and subsequently the related payload, we recommend users to consider if they need Java in their systems. If it is needed, users must use the security feature to disable Java content via the Java Control Panel, that shipped in the latest version of Java 7. The said feature disables Java content in webpages. If Java content is not needed, users may opt to uninstall Java as it can pose certain security risk.”