Websense Security Labs™ is following reports that a new Java zero day vulnerability (CVE-2013-0422) is being exploited in the wild by exploit kits. Early this morning, a researcher who goes by the handle Kafeine disclosed that he has started seeing exploits of a new Java vulnerability appearing in multiple exploit kits in the wild. Following up on his post, we have confirmed that we are protecting against the landing pages of these exploit kits with Websense ACE (Advanced Classification Engine) technology. The landing page is the first thing that loads in an exploit-kit-based attack. It’s used to scan clients for vulnerabilities and send the appropriate exploits. This is one of the seven stages of an attack that you can read about here. The kits identified as using this zero day code so far are Cool Exploit Kit, Blackhole Exploit Kit, Red Kit, and Nuclear Exploit Pack.
Snippet of POC code:
The fact that exploits of this vulnerability were found in the wild and in exploit kits is huge. It’s common knowledge that exploit kit developers don’t typically write exploits on their own. In fact, exploit kit authors typically copy and paste code to include exploits in their packs. Since this exploit is already in exploit kits, it could spread very rapidly to other kit authors who are anxious to get a zero day in their code. A zero day in exploit kits means a higher success rate for “loads” of malicious binaries, and therefore adds lots of value to the kit. Because this vulnerability is in Java, there’s also a possibility that it could be applied to client platforms like Mac OS and Linux, as well as Windows.
This makes two web-based vulnerabilities in the wild in less than a month. It’s a dangerous time to be on the web. We strongly encourage that Java be removed from client computers. If that’s impossible due to proprietary applications, please use a separate browser with Java enabled for required applications only. Your every day browser can handle web surfing just fine without Java enabled. As for the current IE zero day, there is a “Fix It” solution available from Microsoft, however keep in mind that a fix it solution isn’t going to be as strong as a full patch solution.
Oracle has pushed out an update for the Java vulnerability which is available here.
Microsoft has also published a Out Of Band patch for CVE-2012-4792, which you can read more about here.