Fake ‘Amazon order’ email exploits recent Java vulnerability CVE 2012-4681
02 Sep 2012 09:44 PM
Following our recent blog posts regarding the propagation of
Java vulnerability CVE-2012-4681 (New
Java 0-day used in small number of attacks) and its subsequent inclusion in
the infamous Blackhole Exploit Kit (New
Java 0-day added to Blackhole Exploit Kit), the Websense®
ThreatSeeker® Network has detected a new malicious email campaign purporting to
be an order verification email from Amazon directing victims to a page
containing the recent Java exploit.
If successful, this exploit could allow the cyber-criminals
behind this campaign to deliver further malicious payloads to the victim’s
machine which, for example, could lead to the exfiltration of personal and
Oracle have released an out-of-band patch for this Java
release Java 1.7.0_07 to fix CVE-2012-4681) and Websense customers are
protected from this and other threats by ACE™, our Advanced Classification
On 1st September, Websense® ThreatSeeker® Network
intercepted over 10,000 malicious emails with the subject ‘You Order With
Amazon.com’ enticing the recipient to ‘click here’ to verify a fictitious order as shown in this sample:
Once the victim has clicked the link, they are redirected to
an obfuscated page hosting the Blackhole
Exploit Kit – in this case, hxxp://atjoviygdm.dnset.com/main.php?page=8e2cf5bb67d777a4
. The Payload view below highlights the Java Archive ‘Leh.jar’ which is
then used to exploit CVE-2012-4681
should the victim’s machine be vulnerable, an analysis of this file can also be
found on VirusTotal.
machine, such as determining the browser type and version as well as the Adobe
Flash, Adobe Reader and Java versions, and then based
on this information selects the
‘best’ exploit to use against this particular victim.
This email campaign further illustrates the ingenuity and
speed at which cyber-criminals package and propagate malicious content along
with social-engineering techniques in order to exploit both recent software
vulnerabilities and the trusting nature of end-users.
Oracle release Java 1.7.0_07 to fix CVE-2012-4681
30 Aug 2012 11:26 AM
Oracle did what all of us were hoping they would do - release an out-of-band patch for the latest Java zero-day vulnerability. The new version of Java, 1.7.0_07 and 1.6.0_35, both fix the vulnerabilities mentioned in CVE-2012-4681 that we've blogged about here and here. We have tried the patch and verified that it works as designed.
If you need Java we recommend that you install this update immediately. If you have no need for Java we recommend that you uninstall Java all together instead if you haven't already done so. More information from Oracle about the vulnerability and patch is available in their security alert.
New Java 0-day added to Blackhole Exploit Kit
28 Aug 2012 04:44 PM
Earlier today we blogged about a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. That's about to change as exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there; Blackhole.
Here's a snippet of the updated Blackhole code:
The Pre.jar file (VirusTotal link) will use the new vulnerability to install the malware (VirusTotal link) itself. In this particular attack it was a banking trojan as can be seen from our ThreatScope report. Websense customers using our Advanced Classification Engine (ACE) were proactively protected against the updated Blackhole kit by our real-time analytics.
Technically the new vulnerability is actually two separate vulnerabilities. A technical analysis of these two vulnerabilities is available at the blog Immunity Products in this post.
New Java 0-day used in small number of attacks
27 Aug 2012 02:57 PM
Over the weekend, information started appearing that there was a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. We have analyzed samples from the attack and can confirm that Websense customers using products that have our Advanced Classification Engine (ACE) have been protected against this zero-day attack by real-time analytics dating back to early 2009.
We have confirmed that the exploit doesn't work on version 1.6.x of Java, but it does work on 18.104.22.168 and 22.214.171.124 (latest available versions). David at Errata Security has tried and verified that the same exploit works just as well on Linux and OS X including Mountain Lion 10.8.1. That's right folks, yet another cross-platform vulnerability in Java, and with the increasing amount of Mac malware that we're seeing, we wouldn't be surprised if this starts being used against Mac users shortly.
Regardless of which browser and operating system that you use, make sure you disable or better yet, uninstall Java, unless you really need it. Brian Krebs has instructions on how to disable Java in browsers both on Windows and Mac. There's already a Metasploit module for the new vulnerability, which increases the risk of it being applied in attacks against a larger amount of targets.