Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote malicious users to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
oracle jre 1.7.0 |
||
oracle jdk 1.7.0 |
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were tr...
Police impound servers and neutralise threat - for now
Romanian police have seized servers associated with the Icepol ransomware scam, effectively taking down the pervasive threat for now. The Icepol Trojan extorted victims who downloaded it by sending prospective marks a fake message from local police accusing them of downloading copyrighted material or illegal pornography. The malware locked a victim's desktop before demanding a payment in return for unlocking it. Icepol was programmed to push out its warnings in one of 25 languages, making it som...
One of the biggest problems facing the IT security industry is the use of vulnerabilities in legitimate software to launch malware attacks. Malicious programs can use these vulnerabilities to infect a computer without attracting the attention of the user – and, in some cases, without triggering an alert from security software. That’s why cyber criminals prefer these attacks, known as exploits, over other infection methods. Unlike social engineering, which can be hit or miss, the use of vulne...
Here are answers to the most frequently asked questions related to Icefog, an APT operation targeting entities in Japan and South Korea. Icefog refers to a cyber-espionage campaign that has been active at least since 2011. It targets governmental institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. It is likely that the crew targets organizations in ...
While I was investigating the Trojan.JS.Iframe.aeq case (see blogpost) one of the files dropped by the Exploit Kit was an Applet exploiting a vulnerability: So basically I unzipped the .jar and took a look using JD-GUI, a java decompiler. These were the resulting classes inside the .jar file: The class names are weird, but nothing unusual. Usually the Manifest states the entry point (main class) of the applet. In this case there was no manifest, but we could see this in the applet call from the ...
Around one year ago I posted about what were the most common web attacks in Spain and how the malware was spread. It is time for an update! We regularly collect data regarding infected web sites based in our detections on KSN. Apart from the general verdicts that I usually find in the top of the rank, there was another one in the top 3 for the last months that caught my eye: Trojan.JS.Iframe.aeq. This verdict was quite popular during the last months specially in .ES sites. The detection shows th...
Metasploit boss says Oracle needs TWO years to make everything good
Security experts advise users to not run Java in their web browsers despite a patch from Oracle that mitigates a widely exploited security vulnerability. The database giant issued an emergency out-of-band patch on Sunday, but despite this the US Department of Homeland Security continues to warn citizens to disable Java plugins. "Unless it is absolutely necessary to run Java in web browsers, disable it even after updating to [Java 7 update 11]," the US-CERT team said in an update yesterday. "This...
Just a quick note, it’s only the second week of January, but early 2013 brings with it the first Java 0day mass exploit distribution of the year. There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course,...