[ISN] Oracle reportedly knew of critical Java bugs under attack for 4 months

From: InfoSec News <alerts_at_private>
Date: Thu, 30 Aug 2012 00:46:57 -0500 (CDT)
http://arstechnica.com/security/2012/08/critical-java-bugs-reported-4-months-ago/

By Dan Goodin
Ars Technica
Aug 29, 2012

Oracle engineers were briefed on critical vulnerabilities in the Java 
software framework more than four months before the flaws were exploited 
in malware attacks that take complete control of end-user computers, 
according to a published report.

Poland-based Security Explorations privately alerted Oracle to the bugs 
on April 2, IDG News reported on Wednesday. On Sunday, four months 
later, separate security researchers at FireEye reported targeted 
malware attacks that used the Oracle software to install the Poison Ivy 
backdoor trojan. The exploits were added to the popular BlackHole 
exploit kit on Monday evening, and have since snowballed. They can be 
found on more than a dozen separate websites, FireEye researcher Atif 
Mushtaq wrote in an update on Wednesday.

According to IDG News, two of the 19 vulnerabilities Security 
Explorations reported in April are those now under attack. By combining 
them, hackers are able to completely bypass security protections built 
into Java that are supposed to isolate Java applications from sensitive 
operating system functions. Neither of those was fixed during the most 
recent critical patch update for Java in June, although it did address 
three other issues the Polish firm reported. Oracle's next regular 
update isn't scheduled until mid-October. The flawed Java components 
violate many of Oracle's own Secure Coding Guidelines for the Java 
Programming Language, Security Explorations said.

In an exploit analysis published on Tuesday, Immunity Inc. researcher 
Esteban Guillardoy wrote, "The first bug was used to get a reference to 
sun.awt.SunToolkit class that is restricted to applets while the second 
bug invokes the getField public static method on SunToolkit using 
reflection with a trusted immediate caller bypassing a security check. 
The beauty of this bug class is that it provides 100 percent reliability 
and is multiplatform. Hence this will shortly become the penetration 
test Swiss knife for the next couple of years (as did its older brother 
CVE-2008-5353)."

[...]
Received on Wed Aug 29 2012 - 22:46:57 PDT