The United States Computer Emergency Response Team (US-CERT) warned enterprises this week to disable Java in Web browsers, following the discovery on Aug. 27 of a zero-day vulnerability for which there is no security patch.
The US-CERT warning came one day after researchers at FireEye Inc. in Milpitas, Calif., discovered an active exploit for the vulnerability in the wild. According to Atif Mushtaq, a malware researcher at FireEye, all versions of Java 7 are vulnerable to the new exploit, which is hosted on a domain that resolves to an Internet Protocol (IP) address based in China.
According to the US-CERT advisory, the attack is hosted on a malicious website that installs a Java applet capable of escalating security privileges. Attackers can then use this access to execute arbitrary code on the vulnerable computer. The advisory states that there is currently no known “practical solution to the problem” and that the only option until Oracle Corp. issues a patch is to disable Java completely.
“Here we go again,” said Andrew Storms, director of security operations at San Francisco-based nCircle. “Another zero-day with active exploits in the wild and it looks like users will have to wait for quite a while to get any support,” he said, in an email response to Homeland Security Today. “Oracle isn’t known for releasing patches out of cycle and the next scheduled update for Java isn’t until October.”
And that could be problematic given that Java is so ubiquitous it tends to be overlooked, Storms added. In fact, Java is one of the most widely used programming languages in the world, running on more than 850 million desktop PCs and literally billions of mobile devices. It is a critical component of most modern software programs, from utilities to games and enterprise business applications.
“Enterprises and government certainly shouldn’t be waiting for a patch,” said David Harley, Senior Research Fellow at ESET North America, a San Diego, Calif.-based cybersecurity firm. “If they didn’t consider it long ago, they should be thinking about whether they have unnecessary Java deployments. Unfortunately, these are the groups who are already likely to have been hit by targeted attacks using this exploit, through a vector that’s proved its fragility time and time again.”
Researchers at Symantec Corp.’s Security Response Center said attackers have been using the zero-day vulnerability for at least five days, since August 22. According to Symantec, two compromised websites are serving up the malware: ok.XXXX.net/meeting/applet.jar and 62.152.104.XXX/public/meeting/applet.jar. In addition, two file names have been associated with the exploit: hi.exe and Flash_update.exe.
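The indicators above (the two applet URLs and the two dropped-file names) are what a defender would actually hunt for in web-proxy logs while waiting for a patch. The following is an added example, not code from the article or from any of the vendors quoted; it scans constructed proxy log lines for the attack chain described in the advisory (an applet fetched from a malicious site, followed by an executable download). Because the article redacts the hostnames, matching is done on the unredacted URL paths and file names only, and the hostnames in the sample log are placeholders. The third heuristic, flagging any executable fetched with a "Java/..." user agent, is an assumption of this example and is not stated in the article.

```python
"""Scan proxy logs for the Java 7 zero-day applet/dropper indicators.

Example code, not from the article. Hostnames are placeholders because the
original indicators were published partially redacted.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Unredacted parts of the indicators reported in the article.
APPLET_PATHS = ("/meeting/applet.jar", "/public/meeting/applet.jar")
DROPPED_FILES = ("hi.exe", "flash_update.exe")  # compared case-insensitively

# Constructed sample proxy log (not real traffic):
# timestamp client method url status "user-agent"
SAMPLE_PROXY_LOG = """\
2012-08-27T10:01:02Z 10.0.0.15 GET http://redacted-host.invalid/meeting/applet.jar 200 "Mozilla/4.0 (Windows NT 6.1) Java/1.7.0_06"
2012-08-27T10:01:05Z 10.0.0.15 GET http://redacted-host.invalid/public/meeting/hi.exe 200 "Java/1.7.0_06"
2012-08-27T10:02:11Z 10.0.0.22 GET http://intranet.example/index.html 200 "Mozilla/5.0"
2012-08-27T10:03:40Z 10.0.0.31 GET http://cdn.example/Flash_update.exe 200 "Mozilla/5.0"
2012-08-27T10:04:09Z 10.0.0.40 GET http://redacted-host.invalid/public/meeting/stage2.exe 200 "Java/1.7.0_06"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    timestamp: str
    client: str
    url: str
    reason: str


def classify(url: str, user_agent: str) -> Optional[str]:
    """Return why a request is suspicious, or None if it matches nothing."""
    path = urlparse(url).path
    name = path.rsplit("/", 1)[-1].lower()
    if path.endswith(APPLET_PATHS):
        return "known applet path"
    if name in DROPPED_FILES:
        return "known dropped-file name"
    # Assumption (not from the article): the Java runtime sends a "Java/<ver>"
    # user agent when it fetches resources, so an .exe pulled down by that
    # agent is worth a look even if the file name is new.
    if user_agent.startswith("Java/") and name.endswith(".exe"):
        return "executable fetched by Java runtime"
    return None


def scan_proxy_log(text: str) -> List[Hit]:
    """Parse each log line and collect the requests that match an indicator."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        reason = classify(m["url"], m["ua"])
        if reason:
            hits.append(Hit(m["ts"], m["client"], m["url"], reason))
    return hits


def affected_clients(hits: List[Hit]) -> List[str]:
    """Distinct client addresses that should be isolated and examined."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} {h.reason}: {h.url}")
    print("affected clients:", ", ".join(affected_clients(found)))
```

Matching on paths and file names rather than hostnames is deliberate: the same applet was served from at least two hosts, and the names survive a move to a new domain. Any client that appears in the output should be treated as a suspected drive-by victim, with the applet download and the subsequent executable fetch as the timeline to reconstruct.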
Adding to the urgency behind obtaining a patch, an exploit module based on the new vulnerability has been added to the Metasploit open source penetration testing toolkit, and can be used to exploit the flaw on affected systems running Windows, Linux, and Apple OS X operating systems.
“It’s just a matter of time that a POC [proof of concept exploit] will be released and other bad guys will get hold of this exploit as well,” said Mushtaq in a blog posting. “It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit.”
“Oracle really should take a page out of Microsoft’s security response book and start communicating with users about security issues,” said Storms. “Until then, the only recourse for government agencies and large organizations is to limit the use of Java or uninstall it altogether to prevent drive-by attacks.”