Brian Krebs was first to mention having heard that CVE-2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later.
In addition to CVE-2012-4681, SophosLabs noted that Blackhole still includes an exploit for CVE-2012-1723, a vulnerability in earlier versions of Java that Oracle patched in its June update. Criminals are equal-opportunity exploiters and don't want to miss the chance to attack any and all Java users, whether they are on the newest release or lagging behind on patches.
Some have asked whether Mac users are at risk from the CVE-2012-4681 exploit, and the answer is "maybe." The Java officially distributed by Apple is Java 6, which is not vulnerable to CVE-2012-4681.
However, Oracle now makes Java 7 available directly to OS X users, so if you installed Oracle's version, you could be at risk.
Some Twitter users have reported that OS X users running Java 7 are being attacked, but that the Blackhole kit is serving up Windows malware. I suppose this could be a blessing in disguise: affected users are alerted to their insecure Java but dodge the infection bullet... for now.
We recommend disabling Java, or downgrading to Java 6, on any system where a person is actively interacting with internet-facing applications such as a web browser.
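A quick way to act on that recommendation is to check which Java a machine will actually hand to the browser. The script below is an added example, not code from the original post or from Sophos: it parses a `java -version` banner and classifies it against the two bugs Blackhole is serving. It assumes, beyond what the post states, that CVE-2012-1723 was fixed by Oracle's June 2012 update (Java 6u33 / 7u5) and that, at the time of writing, no Java 7 build fixes CVE-2012-4681, so every 1.7.0_xx build is treated as at risk.

```shell
#!/bin/sh
# Added example, not from the original post: triage the `java -version` banner
# of a machine against the two Java bugs the post says Blackhole is using.
# Assumptions not stated on the page: CVE-2012-1723 was closed by Oracle's
# June 2012 update (Java 6u33 / 7u5), and at the time of the post no Java 7
# build fixes CVE-2012-4681, so every 1.7.0_xx build is treated as at risk.

# Pull the "1.x.0_yy" token out of a java -version banner passed as $1.
# The banner is usually three lines; only the first carries 'version "..."'.
java_version_token() {
  printf '%s\n' "$1" \
    | sed -n 's/.*version "\([0-9][0-9.]*\(_[0-9]*\)\{0,1\}\)".*/\1/p' \
    | head -n 1
}

# Classify a banner: none | java7-at-risk | java6-outdated | java6-patched | other
classify_java() {
  v=$(java_version_token "$1")
  [ -z "$v" ] && { echo none; return 0; }
  major=$(printf '%s' "$v" | cut -d. -f2)   # "1.7.0_06" -> 7
  case $v in
    # strip leading zeros so "06" is not read as octal by the shell
    *_*) update=$(printf '%s' "${v##*_}" | sed 's/^0*//') ;;
    *)   update= ;;
  esac
  [ -z "$update" ] && update=0
  if [ "$major" -ge 7 ]; then
    echo java7-at-risk       # CVE-2012-4681: disable the plug-in or drop back to Java 6
  elif [ "$major" -eq 6 ] && [ "$update" -lt 33 ]; then
    echo java6-outdated      # CVE-2012-1723 still exploitable; move to 6u33 or later
  elif [ "$major" -eq 6 ]; then
    echo java6-patched       # not affected by either bug Blackhole is serving
  else
    echo other
  fi
}

# Run against the Java on this machine (java -version prints to stderr).
check_local_java() {
  banner=$(java -version 2>&1) || banner=""
  classify_java "$banner"
}

# Constructed sample banners in the format `java -version` prints.
for banner in \
  'java version "1.7.0_06"' \
  'java version "1.6.0_33"' \
  'java version "1.6.0_31"' \
  'bash: java: command not found'
do
  printf '%-32s -> %s\n' "$banner" "$(classify_java "$banner")"
done
```

Run `check_local_java` on the machine in question; a `java7-at-risk` result means the browser plug-in should be disabled (or the Oracle Java 7 install removed in favour of Apple's Java 6) until Oracle ships a fix, and `java6-outdated` means the Java 6 build is old enough that Blackhole's second exploit still applies.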
PC World is reporting that Security Explorations, a Polish security company, reported these two vulnerabilities and 17 others to Oracle back in April.
Why critical remote code execution vulnerabilities were not fixed in Oracle's June patch is unknown. Oracle has yet to acknowledge them publicly, but had set expectations with Security Explorations that they would be fixed in October.
If you need directions for disabling Java, I have created pages explaining how to do it:
Creative Commons black hole image courtesy of WikiMedia Commons.
SophosLabs detection names for the components involved in this attack:
* Troj/Agent-XNE: the original Poison Ivy payload.
* Mal/JavaKne-H: the Java applet downloader.
* Exp/20124681-A: the malicious Java code exploiting CVE-2012-4681.
* Troj/JavaBz-IA: Blackhole exploit kit components exploiting CVE-2012-4681.
Sophos Endpoint web protection will detect and block these attacks as follows:
* CXweb/BadDlod-G: known attack URL patterns associated with this vulnerability's use in the wild.