New Java Zero-Day Exploit Shows Multi-Platform Development

Posted on August 27th, 2012 by

Update September 10, 2012

This exploit has been patched by Oracle and Apple. You can find more information about the update here.

____

Update August 29, 2012

The exploit has now been given a reference number in the Common Vulnerabilities and Exposures list: CVE-2012-4681

____

There is a new Java zero-day exploit that was discovered last night, and it is currently being used in targeted attacks against Windows users to deliver the Poison Ivy Remote Access Trojan. While the exploit is in the wild, it is not being widely used at this time. What is more worrisome is the potential for it to be picked up by other malware developers in the near future.

The exploit works in all major browsers and appears to function on some versions of Linux, OS X 10.7 and higher, as well as Windows, if you're running the latest version of Java.

At this time there is no patch available for this exploit, so it's highly recommended that you disable Java until this vulnerability has been fixed.

Java is a popular vehicle for malware authors - an unpatched Java flaw was largely responsible for the success of Flashback earlier this year. Additionally, Java applets have been part of the installation process for almost every malware attack on OS X this year. Oracle is on a quarterly patch schedule, which means the next likely patch will not be released until October 16. In malware terms, several weeks is quite a huge gap in protection. As source code for this exploit is already being distributed, the odds are very good that we'll see more working malware in the wild before this is patched. Given the interest lately in multi-platform malware and the fact that this vulnerability works on Linux and OS X, it is particularly important that we take preventative measures to protect ourselves.

Detection for the existing threat and the proof of concept (now included in the Metasploit tool) is included in today's virus definitions. Intego VirusBarrier users are advised to update as soon as possible - this may not protect against all possible implementations of this exploit, but it is a generic detection that may help proactively protect against new variants based on the known implementation.

  • Stan Burman

    Do current Intego virus defs protect against this yet?

  • LysaMyers

    This is a vulnerability rather than malware, which means it’s a hole that something can get through rather than an active threat. If there is someone directly attacking you or a malware exploiting the vulnerability, there are a few ways you could be protected with security software. If you’re just using anti-malware, it could be that a malware author uses the published exploit code in a way the virus definitions could detect. (Which means, yes, Intego has added detection for the known exploit code) If there were malware using different code, or using it in a way that it’s very hidden, you could use a firewall to detect a connection attempt.

    The best course of action for vulnerable software is to update when a patch becomes available. But security software like Intego’s can be helpful in the interim to protect until that patch is available.
