Java flaws already included in Blackhole exploit kit, Oracle was informed of vulnerabilities in April


It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.

Brian Krebs was first to mention having heard that CVE-2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later.

In addition to CVE-2012-4681, SophosLabs noted that Blackhole still includes an exploit of CVE-2012-1723, a vulnerability in earlier versions of Java. Criminals are equal opportunity exploiters and don't want to miss out on the opportunity to attack any and all Java users.

Some have asked if Mac users are at risk from the CVE-2012-4681 exploit and the answer is "Maybe." The version officially distributed by Apple is Java 6, which is not vulnerable.

However, Oracle has made Java 7 available directly for OS X users, so if you installed the official Oracle version, you could be at risk.

Some Twitter users have reported that OS X users with Java 7 are being attacked, but the Blackhole kit is serving up Windows malware. I suppose this could be a blessing in disguise, as users are alerted to their insecure Java, but dodge the infection bullet... for now.

SophosLabs has increased the threat level to high after seeing this exploited both by the Blackhole exploit kit and in specific targeted attacks.

We recommend disabling Java or downgrading to Java 6 on any systems with humans actively interacting with internet-enabled applications.
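To turn the recommendation above into something an administrator can run across a fleet, here is a small added example (not code from the original article or from Sophos) that parses the banner printed by `java -version` and classifies the installed runtime the way the article does: Java 7 is exposed to CVE-2012-4681 and should be disabled or downgraded, Java 6 is not affected by this particular bug. The sample banner strings in the comments are constructed for illustration; the function and label names are the example's own.

```python
import re
import subprocess
from typing import Optional, Tuple

# First line of `java -version` output, e.g. (constructed samples):
#   java version "1.7.0_06"
#   java version "1.6.0_35"
#   openjdk version "1.7.0_09"
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?'
)

Version = Tuple[int, int, int, int]  # (major, minor, patch, update)


def parse_java_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch, update) from a `java -version` banner.

    Returns None when no recognisable version line is present, e.g. when
    the shell reported that `java` is not installed.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def assess_cve_2012_4681(version: Optional[Version]) -> str:
    """Classify a runtime per the article: Java 7 at risk, Java 6 not affected.

    Java 6 and 7 report themselves as 1.6.x and 1.7.x, so the "family" is the
    second component when the first is 1. Note that the article also says the
    kit still carries an exploit for CVE-2012-1723 against older Java, so
    "not affected" here means not affected by CVE-2012-4681 only.
    """
    if version is None:
        return "no-java-found"
    family = version[1] if version[0] == 1 else version[0]
    if family >= 7:
        return "java7-at-risk: disable Java or downgrade to Java 6"
    if family == 6:
        return "java6-not-affected-by-cve-2012-4681"
    return "unsupported-java-older-than-6"


def installed_java_version(timeout: float = 10.0) -> Optional[Version]:
    """Run the `java` on PATH and parse its banner (printed on stderr).

    This reports the command-line JRE only; a browser plugin can point at a
    different runtime, so it is a screening check, not proof the plugin is safe.
    """
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=timeout
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(assess_cve_2012_4681(installed_java_version()))
```

Run it directly on a workstation to print the classification; the parse and classify functions are separate so the same logic can be applied to banners collected from many hosts by whatever inventory tooling you already have.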

PC World is reporting that a Polish security company called Security Explorations reported these 2 vulnerabilities and 17 others to Oracle back in April.

Why critical remote code execution vulnerabilities were not fixed in Oracle's June patch is unknown. Oracle has yet to acknowledge these publicly, but had set expectations with Security Explorations that they were to be fixed in October.

How to disable Java

If you need directions for disabling Java, I have created pages explaining how to do it:

Creative Commons black hole image courtesy of WikiMedia Commons.

Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* Troj/Agent-XNE: the original Poison Ivy payload.
* Mal/JavaKne-H: the Java applet downloader.
* Exp/20124681-A: the malicious Java code exploiting CVE-2012-4681.
* Troj/JavaBz-IA: Blackhole exploit kit components exploiting CVE-2012-4681.
* Troj/ExpJS-FQ: JavaScript/HTML used to load malicious Java archive.

Sophos Endpoint web protection will detect and block these attacks as follows:

* CXweb/BadDlod-G: known attack URL patterns associated with this vulnerability's use in the wild.


6 Responses to Java flaws already included in Blackhole exploit kit, Oracle was informed of vulnerabilities in April

  1. Elmo Eldridge · 727 days ago

    Is there a way to disable Java at the browser level for all users on a machine, or does each user have to disable Java for themselves?

    • [name redacted] · 727 days ago

      Just delete Java, download portable Java and use that with applications that require it.

  2. Jackie · 727 days ago

    I received a msg from my computer that a Java update is available. Should I download it, or ignore it? I am confused and scared after reading this.

    • Andrew Ludgate · 726 days ago

      You should download it, assuming the alert was from a trusted application. However, the update will not protect against this 0-day exploit. You should also disable the Java plugin in your web browser, following the links listed at the end of the article.

  3. MikeP · 726 days ago

    It is not always an option to remove/disable Java. Many on-line banking systems require Java in some form so you 'have' to have it available. I know of no alternative yet.

    • Andrew Ludgate · 726 days ago

      One of the rules for on-line banking for years has been to do it from a different web browser than you use for casual web browsing.

      In this case, disable Java in your regular web browser, and keep it enabled in the browser you use specifically for your banking.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.