A previously unknown and currently unpatched vulnerability in the latest version of Java is being “massively exploited,” according to researchers. Code that exploits the vulnerability has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits. The attack code is reportedly “highly obfuscated,” meaning it is likely getting past security checks. According to researchers, the problem could have been avoided had Oracle patched a previously known vulnerability, related to the Reflection API, that has been in place since at least August 2012.
According to Kaspersky Lab:
“There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites.”
The vulnerability can be exploited to call arbitrary security-sensitive methods with a trusted class set as the caller. This allows an attacker to bypass certain security checks that rely on the identity of the caller class. Researchers have verified the vulnerability by using remotely inserted code to start the Windows Calculator application.
CERT issued the following advisory:
Overview – Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description – Java 7 Update 10 and earlier contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
Impact – By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
Researchers are recommending that you uninstall the Java browser plugin if you do not use it.
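The CERT advisory above frames the affected range as "Java 7 Update 10 and earlier," so the first thing a defender wants is an inventory check: which hosts still run a build inside that range? The following is an added example (not code from the article, CERT, or Oracle) that parses the first line of `java -version` output and compares it against the advisory's stated ceiling. The threshold `ADVISORY_MAX` and the "and earlier" interpretation (any lower version string counts as in range) are taken directly from the advisory wording; the sample version strings are constructed for illustration.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Legacy Java versioning "1.<major>.<minor>_<update>" (e.g. "1.7.0_10") and
# the newer "<major>.<minor>.<patch>" style are both normalised into this tuple.
class JavaVersion(NamedTuple):
    major: int
    minor: int
    update: int

# Advisory ceiling: "Java 7 Update 10 and earlier" -> 1.7.0_10
ADVISORY_MAX = JavaVersion(7, 0, 10)

# First line of `java -version` looks like: java version "1.7.0_10"
# (OpenJDK builds print "openjdk version" instead). Update suffix is optional.
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?'
)

def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Extract a JavaVersion from `java -version` output; None if unparsable."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    a, b, c, d = (int(g) if g is not None else 0 for g in m.groups())
    if a == 1:
        # Legacy scheme: "1.7.0_10" -> major 7, minor 0, update 10
        return JavaVersion(major=b, minor=c, update=d)
    # Newer scheme: "11.0.2" -> major 11, minor 0, update 2
    return JavaVersion(major=a, minor=b, update=c)

def in_advisory_range(version: JavaVersion) -> bool:
    """True when the build is at or below the advisory's 'Java 7 Update 10'.

    The advisory says 'and earlier', so older lines (e.g. 1.6.0_xx) are
    reported as in range here; the article does not narrow that further.
    """
    return version <= ADVISORY_MAX

def assess(output: str) -> str:
    """Human-readable verdict for one host's `java -version` output."""
    v = parse_java_version(output)
    if v is None:
        return "unknown: could not parse java version output"
    label = f"1.{v.major}.{v.minor}_{v.update}" if v.major < 9 else f"{v.major}.{v.minor}.{v.update}"
    if in_advisory_range(v):
        return f"{label}: within advisory range (Java 7 Update 10 and earlier)"
    return f"{label}: above advisory range"

def check_local_java() -> str:
    """Run `java -version` on this host (it prints to stderr) and assess it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no java binary on PATH (plugin may still be installed separately)"
    return assess(proc.stderr + proc.stdout)

if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real host
    samples = [
        'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
        'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
        'openjdk version "1.6.0_27"',
        'not a java banner at all',
    ]
    for s in samples:
        print(assess(s))
    print(check_local_java())
```

Note that `java -version` writes its banner to stderr, which is why `check_local_java` reads `proc.stderr`; also, a host with no `java` on the PATH can still carry the browser plugin, so this check is a starting inventory, not proof that the plugin the researchers recommend removing is gone.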