CTA: New Java Zero-Days
Update: Oracle has addressed the exploit known as CVE-2013-1493 with an emergency patch. You can read about this patch on Oracle’s blog here.
A few days ago we heard about yet another zero-day in Oracle Java from security firm FireEye. The exploit targets Java versions 6 and 7. Details are on the company’s malware blog.
Unfortunately, a patch has not been released by Oracle. Users should disable Java in their browsers using the following instructions (courtesy of Sophos):
- Disable Java in Internet Explorer
- Disable Java in Firefox
- Disable Java in Chrome
- Disable Java in Safari
- Disable Java in Opera
Oracle has yet to release any official statement, but a page on their website is already dedicated to this issue, documented as CVE-2013-1493.
FireEye as well as other sources confirm the exploit is not very reliable, and oftentimes results in a crash of the Java Virtual Machine (JVM). This same vulnerability has also been linked to the Bit9 security breach, which the company discovered in January and in which its security certificates were stolen.
In addition, Polish researchers from a firm known as Security Explorations have also discovered two separate zero-days, documented by Oracle as Issue 54 and 55. Both of these have been submitted to Oracle, but Issue 54 was confirmed by the company as “allowed behavior”.
It’s been a pretty bad start for Java this year, with Oracle addressing over 50 security holes in two patches. With a long history of the software’s exploitation and no foreseeable end, consumers might want to consider discontinuing the use of Java altogether unless absolutely necessary.
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell