科技回声

New Zero Day Java Vulnerability Being Exploited in the Wild

129 points by derpenxyne, over 12 years ago

13 comments

jsaxton86, over 12 years ago

This family of JRE attacks is far too common. Basically, when an unsigned applet runs, the JRE tries really hard to prevent it from creating a ClassLoader object. However, if you manage to create a ClassLoader object, it's game over -- you can break out of the sandbox and do whatever you please.

<shameless plug> For those interested, a recent blog post of mine analyzes a similar attack that uses CVE-2008-5353: http://jsaxton.com/fun-with-wireshark-and-ie-java-exploits-part-2/ </shameless plug>
jmitcheson, over 12 years ago

If anyone's interested in how the exploit works, here is my humble interpretation of the pastebin link:

jsaxton86's comment sets the scene nicely so I'll just copy it here:

"This family of JRE attacks is far too common. Basically, when an unsigned applet runs, the JRE tries really hard to prevent it from creating a ClassLoader object. However, if you manage to create a ClassLoader object, it's game over -- you can break out of the sandbox and do whatever you please."

The exploit is very clever: it never actually creates an instance of the ClassLoader object, but rather it uses Java reflection to call a particular method on a ClassLoader object, which was tricked into creation inside a separate exploit involving the JMX (Java Management Extensions) framework.

JMX has its own methods to instantiate classes, and a subclass of ClassLoader ("sun.org.mozilla.javascript.internal.GeneratedClassLoader") is passed in as a String; then the method defineClass is called via reflection in a way that deceives all the ClassLoader protection. Once this method is allowed to be invoked via reflection, it's "game over" as explained at the start.

http://pastebin.com/raw.php?i=cUG2ayjh
http://www.oracle.com/technetwork/java/javase/tech/javamanagement-140525.html
http://www.cs.rit.edu/usr/local/pub/swm/jdoc6/com/sun/jmx/mbeanserver/MBeanInstantiator.html
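An added illustration of the two sandbox checks the comment above is talking about; this is written for this page and is not code from the thread or from the exploit it links. Under a SecurityManager, every ClassLoader constructor calls checkCreateClassLoader(), and Method.setAccessible(true) asks the manager for ReflectPermission("suppressAccessChecks") before it will open a protected method such as ClassLoader.defineClass. The class name SandboxChecksDemo, the StrictManager and the two probe methods are constructed for the demo; it assumes a JDK on which a SecurityManager can still be installed (JDK 8 to 17, or JDK 18 to 23 started with -Djava.security.manager=allow; JDK 24 removed the facility).

```java
import java.lang.reflect.Method;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

/*
 * Demo of the checks an applet sandbox relies on (constructed example, not
 * taken from the thread). The manager below is deliberately narrow: it only
 * denies ClassLoader creation and the reflection permission that lets code
 * bypass Java access control; everything else is allowed so the demo runs.
 */
public class SandboxChecksDemo {

    /** Hypothetical strict manager standing in for the applet sandbox policy. */
    static final class StrictManager extends SecurityManager {
        @Override
        public void checkCreateClassLoader() {
            // Called from every ClassLoader constructor when a manager is installed.
            throw new SecurityException("createClassLoader denied");
        }

        @Override
        public void checkPermission(Permission perm) {
            // setAccessible(true) requests ReflectPermission("suppressAccessChecks").
            if (perm instanceof ReflectPermission
                    && "suppressAccessChecks".equals(perm.getName())) {
                throw new SecurityException("suppressAccessChecks denied");
            }
            // All other permissions (property reads, member access, ...) pass for the demo.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** True if the manager stopped a direct ClassLoader subclass from being constructed. */
    static boolean directLoaderCreationBlocked() {
        try {
            new ClassLoader() { };   // constructor invokes checkCreateClassLoader()
            return false;
        } catch (SecurityException e) {
            return true;
        }
    }

    /** True if reflection could not open the protected ClassLoader.defineClass method. */
    static boolean reflectiveDefineClassBlocked() {
        try {
            Method defineClass = ClassLoader.class.getDeclaredMethod(
                    "defineClass", String.class, byte[].class, int.class, int.class);
            defineClass.setAccessible(true);   // checks ReflectPermission("suppressAccessChecks") first
            return false;
        } catch (SecurityException e) {
            return true;
        } catch (NoSuchMethodException e) {
            throw new IllegalStateException("defineClass signature not found", e);
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new StrictManager());
        System.out.println("direct ClassLoader creation blocked:   " + directLoaderCreationBlocked());
        System.out.println("reflective defineClass access blocked: " + reflectiveDefineClassBlocked());
    }
}
```

Both probes report `true` once the manager is installed, which is the behaviour an unsigned applet was supposed to see. The comment's point is that the exploit reaches defineClass without tripping either check, because the loader is instantiated by JMX on the applet's behalf and the reflective call is made from trusted code. On JDK 9 and later, module encapsulation would also refuse setAccessible on java.lang internals even with no manager, but the permission check runs first, so the SecurityException is what the probe sees.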
benmmurphy, over 12 years ago

Someone has posted the source code here:

http://pastebin.com/raw.php?i=cUG2ayjh

This is a result of two vulnerabilities, one of which Oracle tried to fix in the last patch release with CVE-2012-5088.

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/43113374306c

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5088
mark-r, over 12 years ago
Is there any reason to keep Java on your browser anymore? I can't remember the last time I needed it.
xSwag, over 12 years ago

The exploit has already made it to exploit packs: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
benmmurphy, over 12 years ago

Metasploit module has been made available: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_jre17_jmxbean.rb
anuraj, over 12 years ago

How many use Java applets still? It is high time browser plugins for Java are killed. But the article advises to uninstall Java, not understanding that the Java browser plugin is different from Java.
yxhuvud, over 12 years ago

Does this apply to server side Java as well, or is it only the browser client crap that no one has used this decennium?
ccdan, over 12 years ago
Nonsense... I have never heard of anyone being attacked in any way through java... it's just "security" firms that come up with all kinds of obscure things and try to scare people for pretty much nothing...
tomjen3, over 12 years ago
If this is known, why hasn't Sun fixed the issue?
rundmc, over 12 years ago

http://superuser.com/questions/201613/disable-java-plugin-in-google-chrome
martinced, over 12 years ago

Damn... I thought it was another remote DoS (like the semi-recent hashmap degenerating that could be triggered by using parameters in URL like aa=xx, ab=yy, ac=zz, etc. or the 12-year-old floating-point bug that people noticed could be remotely triggered on any Tomcat server) and that, once again, I'd have to apply a workaround on my Java servers.

Thankfully this one only concerns Java applets.

Java applets were probably the stupidest thing ever. They surely did s*ck and did bring terribly bad reputation to Java :(

Don't know who's still using them.

Can Google Chrome even be made to run Java applets?

I know latest OS X don't even *ship* with Java anymore...
drivebyacct2, over 12 years ago

Please, please, please turn on Click-to-Enable in your browser. You'll appreciate it even if not for the security benefits.

http://howto.cnet.com/8301-11310_39-57536917-285/enable-click-to-play-for-chrome-plug-ins/