Zero-Day Season is Not Over Yet

speedy57

A new Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments, i.e., JRE 1.7.x, are vulnerable. In my lab environment, I was able to successfully exploit my test machine against the latest version of Firefox with JRE version 1.7 update 6 installed.

The initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain resolves to an IP address in China. The attacker's web site is fully functional at the time of writing this article, i.e., on August 26, 2012.

A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on infected systems. The dropper executable is located on the same server.

http://ok.XXX4.net/meeting/hi.exe

Dropper.MsPMs further talks to its own CnC domain hello.icon.pk which is currently resolving to an IP address 223.25.233.244 located in Singapore.

It's just a matter of time before a POC is released and other bad guys get hold of this exploit as well. It will be interesting to see when Oracle plans a patch; until then most Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis.

Source: http://blog.fireeye....t-over-yet.html
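For defenders, the useful part of the post is the set of indicators it names (the hosting domain and dropper path, the CnC domain and its IP). The script below is an added example, not part of the post or FireEye's work: it runs those indicators over constructed proxy-log lines and also flags a JRE 1.7.x client (the "Java/1.7..." user-agent string) fetching an .exe, which is an assumed heuristic for the download pattern the post describes. The log format and sample lines are constructed here.

```python
"""Scan constructed proxy-log lines for the indicators named in the post."""
import re
from urllib.parse import urlparse

# Indicators exactly as printed in the post (XXX is the post's own redaction).
IOC_HOSTS = {"ok.xxx4.net", "hello.icon.pk"}
IOC_IPS = {"223.25.233.244"}
DROPPER_PATH = "/meeting/hi.exe"

# Constructed log format: "<client_ip> <dest_ip> <method> <url> <user-agent>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (.*)$")


def classify(line):
    """Return a list of alert tags for one log line (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    _client, dest_ip, _method, url, agent = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()   # hostname is already lowercased
    tags = []
    if host in IOC_HOSTS or dest_ip in IOC_IPS:
        tags.append("ioc-match")
    if host in IOC_HOSTS and parsed.path == DROPPER_PATH:
        tags.append("dropper-download")
    # Assumed heuristic: the JRE identifies itself as "Java/<version>"; a
    # 1.7.x client pulling an executable matches the pattern in the post.
    if agent.startswith("Java/1.7") and parsed.path.lower().endswith(".exe"):
        tags.append("java17-exe-fetch")
    return tags


SAMPLE_LOG = [  # constructed for this example; 203.0.113.9 is a placeholder
    "10.0.0.5 203.0.113.9 GET http://ok.XXX4.net/meeting/hi.exe Java/1.7.0_06",
    "10.0.0.5 223.25.233.244 POST http://hello.icon.pk/ MsPMs/1.0",
    "10.0.0.7 198.51.100.2 GET http://example.org/index.html Mozilla/5.0",
]


def scan(lines):
    """Map each suspicious line to its alert tags, dropping clean lines."""
    return {line: classify(line) for line in lines if classify(line)}


if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG).items():
        print(", ".join(tags), "<-", line)
```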


JAVA UPDATE OR LOSE IT LOL


Israeli_Eagle

But every new and saved file is checked via any good AV (for example NOD32) anyway, right?

Ok, not 100% safe but still probably 95%. ;)


But every new and saved file is checked via any good AV (for example NOD32) anyway, right?

Ok, not 100% safe but still probably 95%. ;)

We're talking about Java, not files that you download. :whistle:

Israeli_Eagle

JAVA itself can do almost nothing anyway; the problem would be when JAVA could transfer executable code to infect something.

But the newest version is now 7u7. So...... History! :)
