Yesterday was an interesting one for the security world, it was a buzz over the new Java 0-Day and today is no different.
It turns out however that it’s not just one (1) zero-day, it’s two and they were introduced back in July of 2011. We shared our initial thoughts on the vulnerability yesterday.
Today though Esteban Guillardoy put out a more in-depth analysis of the vulnerability. Thought you too would enjoy the read. It’s good to note that I’m by no means well-versed on desktop based malware but I still enjoyed the read, my focus is web-based malware.
Quick Summary Of Analysis
Turns out all this fuzz started with a tweet from Joshua J. Drake: https://twitter.com/jduck1337/status/239875285913317376 in which he shared this snippet: http://pastie.org/4594319. It’s using this implementation Guillardoy was able to succinctly outline the details of the vulnerability.
The first thing we notice, is that most of the online analysis talks about one vulnerability where we saw two 2 vulnerabilities being exploited to achieve full execution on a target. – Guillardoy
Here is a summary of his findings, please read his article to get the context and better understand how this works:
- Creates java.security.AccessControlContext instance with a java.security.ProtectionDomain with full permissions
- Replaces AccessControlContext of a java.beans.Statement instance to be able to execute code
The two specific vulnerabilities he identifies are:
- One obtains a reference to the sun.awt.SunToolkit class
- The other is used to invoke the public getField method on that class
He goes on to explain that the exploit is making use of the java.beans.Expression which is a java.beans.Statement subclass and clearly articulates how. Again, encourage you read it.
The part I was and am most interested in is in the delivery mechanism, which seems to be through websites.
At Sucuri we have already started to see this variant and recorded what to look for in our labs. If you’re concerned you can always use our free website scanner, SiteCheck, its been updated to detect this variant.
It should be of no surprise to see this making its way into the various malware kits on the market, ThreatPost is reporting it in the BlackHole Exploit Kit and I’d assume that by the end of the week it’ll be well distributed in others.
Turns out DeepEnd Research has put out an unofficial patch that has to be requested. The product owners however are still working, diligently I’m sure, to get this pig patched. In the interim, I can’t help but place the emphasis on disabling Java in your environment.
I would add though that while the variant appears to be targeting Windows, there is a lot of speculation on the interwebs that because of the nature of Java, platform agnostic, it could make its way into MAC OS’s. The down-side there, is if you remember Flashback, a patch will take much longer to reach the users as it must go through the Apple’s gate-keepers. But let’s not speculate too much now and see what happens.
There are a number of resources online that can help you disable your Java, ThreatPost shared a good one on their post and we shared a few on ours.