Avatar

The new Oracle Java arbitrary code execution vulnerability  has not only hit many news wires and social media outlets, but many victims as well, and it has been incorporated into several exploit kits. This critical vulnerability, as documented in IntelliShield alert 27845, could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user. If the user has administrator privileges, the attacker could completely “own” the system. A fix is currently not available.

Update: Oracle released a software update (JDK7 update 11) that fixes this vulnerability. The update is available on their website. If you disabled Java in the Java Control Panel, you will need to manually re-enable it after installing the patch by using the check box in the Security tab of the Java Control Panel. Oracle’s security advisory and JDK7 update 11 release notes includes more information about the patch.

The exploit is now found in several exploit kits!

There are many reports that the vulnerability is being “exploited in the wild”. Not only is the exploit publicly available, but it has been incorporated into exploit kits such as BlackholeCool, and Nuclear Pack. Exploit kits make it easy for criminals to spread malicious software using exploits that take advantage of well-known and new vulnerabilities. New exploit kits are loaded with some of the most dangerous zero-day exploits (including this one) and other features, which allow criminals to increase their profits.

The impact to the public is huge!  Java is used by millions of users around the world. It is used in Microsoft Windows, Apple’s Mac OS-X, and Linux systems, as well as many mobile devices.  

What’s the difference between this Java vulnerability and the one from 2012?

This Java vulnerability is due to improper security protections on built-in classes in the Java Runtime Environment. An unsigned Java applet can use the setSecurityManager() function to bypass security checks and access an elevated security context. There are a few allegations that the exploit for this new Java vulnerability (CVE-2013-0422) is very similar to the Java vulnerability reported late last year (CVE-2012-5088); however, it seems they are fairly different. This article describes some of the technical details of the exploit.

How can I protect my system?

Because a fix is not currently available, users are strongly advised to disable Java and the Java plug-in in web browsers. The following links include step-by-step instructions about how to disable Java in different web browsers:

If you are using Java 7 Update 10 or later, you can execute the Java installer with the WEB_JAVA=0 command-line option. Oracle’s Java documentation has more detailed information about this feature.

Cisco has released an Intrusion Prevention System (IPS) signature (signature ID 1804/0). Network and security administrators can use this signature in Cisco IPS appliances and services modules to provide threat detection and help prevent attempts to exploit this vulnerability.

For the latest updates about this vulnerability and all other threat and vulnerability data, remember to visit Cisco SIO at cisco.com/security.



Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations