A new Java zero-day vulnerability has been seen exploiting hundreds of thousands of machines. This 0day has already been incorporated into Cool Exploit Kit and Blackhole, in addition to Nuclear Pack and Redkit. This vulnerability affects Java 7 versions up to and including the current version of Java, 7u10. It should be noted that while it only affects version 7, Java 6 users will be forced to automatically upgrade to version 7 in February of this year, which means that even more people will be exposed to this vulnerability than are currently exposed.
Proof of concept code is already publicly available and we expect to see fully functioning exploit code incorporated into even more exploit frameworks within the next few days.
The bug itself allows the attacker to bypass certain security mechanisms in the Java sandbox, elevating the privileges of the attacker on the system, so they can execute any code they want to on the vulnerable system within the context of the current user. This means that if you are currently running with administrator privileges, the attacker’s code will be able to access a huge amount of the system’s resources, compared to if you were running with lower privileges. To mitigate this kind of risk, there are solutions such as PowerBroker for Windows, which help businesses manage desktop privileges.
For the time being, the current mitigation is to disable Java. If you don’t need it, remove it from the system entirely.
Those customers who are protected by Retina CS for enterprise threat management or Retina Network for vulnerability scanning, can detect this vulnerability with the following audits:
- 18000 – Oracle Java Security Bypass Remote Code Execution (Zero-Day) – Windows
- 18001 – Oracle Java Security Bypass Remote Code Execution (Zero-Day) – UNIX/Linux