JAVA SE 6 Update 34

Please see read below from our friends at Toymaster Security Lab

New 0-day for Java
A new Java 0-day vulnerability is out and affects the latest version of Java (Java 7 update 6) and is so far being used in limited targeted attacks.  So far, Java 6 versions seem to be unaffected.  Also, note that the attack does not crash the browser, but instead leaves it running, and the exploit loads immediately.  The vulnerability can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java 7 installed, and I believe Mac users are especially at great risk.  The vulnerability is not in Java 6; it’s in new functionality introduced in Java 7.

AV recognition at this time is 0/42 so your AV will not protect you right now, and just hoping AV catches it is not a viable option.

Of further concern – the exploit has also been integrated into the Metasploit Framework.

Personally, I recommend that unless you run Firefox with NoScript and AdBlock Plus (to control where you accept and execute Java from) and browse even known sites carefully, you should consider disabling Java 7 until a patch is released.  If Java is a must, then I recommend reverting to Java 6 update 34 which is not affected.

Brian Krebs also has a good write-up on this located here –

http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

From Atif Mushtaq on 2012.08.26 at FireEye Intelligence Lab –

Zero-Day Season is Not Over Yet

New Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable. In my lab environment, I was able to successfully exploit my test machine against latest version of FireFox with JRE version 1.7 update 6 installed.

 Toymaster Security Lab Screenshot

Initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain is resolving to an IP address in China. Attacker web site is fully functional at the time of writing this article i.e., on August 26, 2012.
Toymaster Security Lab Screenshot_2 A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on infected systems. The dropper executable is located on the same server.

http://ok.XXX4.net/meeting/hi.exe

Dropper.MsPMs further talks to its own CnC domain hello.icon.pk which is currently resolving to an IP address 223.25.233.244 located in Singapore.

Toymaster Security Labs_Screenshot 3
It’s just a matter of time that a POC will be released and other bad guys will get hold of this exploit as well. It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis.

***************

More from Deep End Research –

Atif Mushtaq from FireEye covered the payload part of the exploit, which is helpful and something to look out for if you are protecting your network or your customers. We should note that attackers are not limited to .net addresses and already used other domains and  IP addresses.

The malicious executable name varies and it the future may get replaced by any kind of payload. At this point, it appears to be Poison Ivy RAT variant that is likely to be detected by many antivirus vendors.

More about Poison Ivy
Alienvault Nmap Script to detect Poison Ivy Clients
Will Brown: Detecting Poison Ivy 

Details about the exploited vulnerability, mitigation factors and tips.
1. The javascript in index.html is heavily obfuscated.
2. This vulnerability affects Java 7 (1.7) Update 0 to 6. Does NOT affect Java 6 and below.
3. It works in all versions of Internet Explorer, Firefox, and Opera. Does NOT work in Chrome. (Update: The original exploit we tested did not affect Chrome. We did not test Metasploit but reports are that their version works. All hackers and exploit kit makers now can use a freely available Metasploit module and you can expect a huge wave of drive-by attacks as well as email links. To be safe, perhaps best approach is not to use Java or patch it.)
4. It does not crash browsers (which does NOT mean it does not work!), the landing page looks like a blank page, sometimes one may see a flash of a rotating Java logo and the word “Loading”
Toymaster Security Labs Screenshot 4
5. The malicious Java applet is downloaded like you see on the picture below. At this point, if your system is not vulnerable or is patched, the attack stops. From the user perspective, it is impossible to tell if the attack was successful or not.
6. If the exploit is successful,  it downloads and executes a malicious binary, which calls to another IP address/domain  hello.icon.pk / 223.25.233.244
Toymaster Security Labs_Screenshot 5
7. Although older Java is not vulnerable to this attack, downgrading is not recommended due to many other vulnerabilities in the  older versions of Java.
8. Disable Java in your browser, apply the patch (see below), or use Chrome.

Malware behavior and indicators
Payload: : hi.exe  Size: 16896
MD5:  4A55BF1448262BF71707EEF7FC168F7D (Virustotal 26/42)

  1. Legitimate Portable Media Serial Number Service MsPMSNSv.dll is deleted from C\WINDOWS\system32 (Virustotal 0/42)
  2. Malicious mspmsnsv.dll is copied to C\WINDOWS\system32 (Virustotal 21/42)
  3.  “Portable Media Serial Number Service”  (WmdmPmSN in the registry)  is running.

***************
Reference Links –
* Vulnerability Note VU#636312
<http://www.kb.cert.org/vuls/id/636312>
* Zero-Day Season is Not Over Yet
<http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>
* Let’s start the week with a new Java 0-day in Metasploit   <https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day>
* http://pastie.org/4594319
   <http://pastie.org/4594319>
* The Security Manager   <http://docs.oracle.com/javase/tutorial/essential/environment/security.html>
* Java 7 0-Day vulnerability information and mitigation.   <http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html>
* How to disable the Java web plug-in in Safari   <https://support.apple.com/kb/HT5241>
* How to turn off Java applets
<https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets>

* NoScript
<http://noscript.net/>