Java has become the attack vector of choice for many malware authors for just these reasons, combined with Oracle’s lengthy patch cycle. “Oracle,” comments Intego, “is on a quarterly patch schedule, which means the next likely patch will not be released until October 16.” This it adds, is a huge gap in protection, and the company worries that the exploit will be used by other malware authors before it is patched.
This has been made all the more likely by the exploit’s rapid inclusion in Metasploit. “On Sunday,” wrote Metasploit’s sinn3r, we heard “that someone was passing around a reliable Java 0-day exploit.” They got hold of it, and “Within a couple of hours, we have a working exploit” coded into the latest version of Metasploit.
David Maynor from Errata Security tested the Metasploit version. “I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1. I have tested the following browsers: Firefox 14.0.1 (Windows, Linux,OSX), IE 9, Safari 6. The same exploit worked on all of them.” Since cybercriminals don’t tend to waste 0-day opportunities on mass attacks, but tend rather to use them in highly targeted attacks, the potential use of this exploit by different criminal groups against different high value targets over the next few weeks becomes a clear and present danger.
FireEye was one of the first companies to discover the exploit in the wild. It discovered the exploit on ok.XXX4.neton an IP address resolving to China. If successful, the exploit installs a dropper (Dropper.MsPMs). This talks to a C&C server at an IP address hosted in Singapore. But everyone believes that this could be just the beginning.
It is one time when timely software patching won’t help – there is no Java patch available for this problem. Using and updating anti-malware could help, depending on what malware is delivered via the exploit. However, if zero-day malware is delivered via a zero-day exploit it cannot be stopped by traditional means. It reinforces the advice coming from more and more security experts: if you don’t absolutely need Java, get rid of it. Even sinn3r says, “For now, our recommendation is to completely disable Java until a fix is available.”