"Please, for the love of your computer, disable Java on your browser."

Dan Goodin - Aug 28 2012



A comparison of code found in BlackHole and code published earlier as a proof-of-concept exploit.
F-Secure

Online attackers have wasted no time seizing on a critical vulnerability in Oracle's Java software framework that makes it possible to install malware on computers running Windows, Mac OS X, or Linux.

So far, all of the exploits reported to be in the wild attack Windows PCs, but according to Errata Security CTO David Maynor, it's not hard to exploit Mac and Linux machines that have the latest version of Java from Oracle installed. Neither platform has it installed by default, however. The vulnerability has nothing to do with JavaScript.

On Monday night, about 24 hours after the vulnerability became public, attack code exploiting it was added to BlackHole, an exploit kit sold in underground forums, security researchers said. A quick inspection of the BlackHole attack by antivirus provider F-Secure found it used many of the same coding conventions contained in a proof-of-concept exploit published earlier by security researcher Joshua Drake. It was also added to the Metasploit exploit framework used by penetration testers and hackers.

"There being no latest patch against this, the only solution is to totally disable Java," F-Secure researchers wrote. "Since this is the most successful exploit kit + zero-day... que horror. Please, for the love of your computer, disable Java on your browser."

Researchers from Symantec on Tuesday reported two websites that are actively wielding the exploit, up from the single site discovered on Sunday.

The vulnerability is breathtaking for the way it almost completely subverts the security "sandbox" that is supposed to prevent malicious Java code from accessing sensitive operating-system functions. Exploiting it allows attackers with an unsigned, unprivileged process to overwrite the Java security context token with reflection. According to Symantec: "The vulnerability consists of a privilege escalation due to a class that allows access to protected members of system classes, which should not be accessible. Because of this, malicious code can bypass the restrictions imposed by the sandbox and use the 'getRuntime().exec()' function."
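To make concrete what the "sandbox" in the paragraph above is, and what the exploit defeats, here is a small added example (written for this article, not code from Symantec, F-Secure, or the exploit kit). It installs Java's default SecurityManager and then checks the two operations the article mentions: spawning a process via Runtime.exec() and using reflection to reach a private member. Under the sandbox both are refused with a SecurityException, which is exactly the control the in-the-wild exploit bypasses. The class and method names are assumptions for this illustration; the "calc" argument is a benign placeholder that is never reached when the check works.

```java
import java.io.IOException;
import java.lang.reflect.Field;

// Added illustration: shows which calls the Java sandbox (SecurityManager)
// is supposed to refuse to unprivileged code. Hypothetical class name.
public class SandboxCheck {

    // A private member used only to exercise the reflection check.
    private static class Guarded {
        private int secret = 42;
    }

    // Returns true when the sandbox blocks Runtime.exec(); with no
    // SecurityManager installed the call would be allowed.
    static boolean execIsBlocked() {
        try {
            // "calc" is a benign placeholder; under the sandbox this line
            // throws before any process is started.
            Runtime.getRuntime().exec("calc");
            return false;
        } catch (SecurityException e) {
            return true;   // AccessControlException extends SecurityException
        } catch (IOException e) {
            return false;  // permission was granted but the program was not found
        }
    }

    // Returns true when the sandbox blocks Field.setAccessible(true), the
    // reflection step that lets code reach members it should not see.
    // Under a SecurityManager this requires ReflectPermission("suppressAccessChecks").
    static boolean reflectiveAccessIsBlocked() {
        try {
            Field f = Guarded.class.getDeclaredField("secret");
            f.setAccessible(true);
            return false;
        } catch (SecurityException e) {
            return true;
        } catch (NoSuchFieldException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Before the sandbox: both operations succeed for local code.
        System.out.println("no sandbox  - exec blocked: " + execIsBlocked()
                + ", setAccessible blocked: " + reflectiveAccessIsBlocked());

        // Install the default SecurityManager with the JRE's default policy,
        // which grants neither FilePermission "execute" nor suppressAccessChecks.
        System.setSecurityManager(new SecurityManager());

        System.out.println("with sandbox - exec blocked: " + execIsBlocked()
                + ", setAccessible blocked: " + reflectiveAccessIsBlocked());
    }
}
```

Run it with plain `java SandboxCheck` on a Java 6 or 7 era JRE to see the second line report both operations as blocked. On Java 18 and later the SecurityManager is disabled by default and `System.setSecurityManager` throws unless the JVM is started with `-Djava.security.manager=allow`, and the mechanism is deprecated for removal, so treat this as an illustration of the 2012-era protection rather than a current hardening measure. The point for defenders is that an applet's only barrier between it and `getRuntime().exec()` was this permission check; once the security context is overwritten, both checks above silently return false.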

Immunity Inc. researcher Nico Waisman's spectacular deep dive into the vulnerability is here. Researchers from Kaspersky Lab have additional details here about exploits being served in the wild.

Multiple reports claim it doesn't affect Java 1.6 and earlier versions, but rolling back to an older release could create other security problems. KrebsonSecurity has useful suggestions for disabling or limiting Java use here.