
New Java Browser Applets Zero Day Vulnerability

Today a completely new Java zero-day vulnerability surfaced, and it is already being actively exploited. The vulnerability was discovered by FireEye through its Malware Protection Cloud (MPC) technology.
Unlike other common Java vulnerabilities, where the security manager is bypassed in a simple way, this one relies on arbitrary reads and writes of the virtual machine process's memory. After the vulnerability is triggered, the exploit looks for the memory address that holds information about the internal structure of the virtual machine, including the status of the security manager, and then overwrites that part of memory with zero. Then Win32/McRat (Trojan-Dropper.Win32.Agent.bkvs) is downloaded as a file named svchost.jpg from the same server that hosted the malicious JAR, and launched. An example of an HTTP GET request from McRat in a browser where the vulnerability was exploited successfully is given above.
The exploit is not very reliable, because it tries to overwrite a large amount of memory at once. As a result, in most cases, after the attack, McRat is downloaded, but the virtual machine crashes and cannot start it.
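The delivery pattern described above (a JAR fetch followed by svchost.jpg from the same server) can be searched for in web proxy logs. The sketch below is an added example, not code from FireEye or the original article; the log layout, the host names, the five-minute window and the `Java/<version>` user-agent token are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy-log lines (time, client, host, path, user agent); not real traffic.
SAMPLE_LOG = """\
2013-03-01T10:00:01 10.0.0.5 applets.example.test /game/app.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15"
2013-03-01T10:00:04 10.0.0.5 applets.example.test /game/svchost.jpg "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15"
2013-03-01T10:01:00 10.0.0.9 cdn.example.test /lib/tool.jar "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_41"
2013-03-01T10:01:30 10.0.0.9 images.example.test /photos/svchost.jpg "Mozilla/5.0"
2013-03-01T10:05:00 10.0.0.7 intranet.example.test /hr/forms.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
JAVA_UA_RE = re.compile(r"Java/([\w.]+)")  # assumed user-agent token
WINDOW = timedelta(minutes=5)              # assumed correlation window


def find_jar_then_payload(log_text, payload_name="svchost.jpg"):
    """Return (client, host, jar_path, payload_path, java_version) for every
    client that fetched a JAR and then payload_name from the same host
    within WINDOW. java_version is taken from the JAR request, or None."""
    jar_seen = {}  # (client, host) -> (time, path, java_version) of latest JAR fetch
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, host, path, ua = m.groups()
        when = datetime.fromisoformat(ts)
        name = path.rsplit("/", 1)[-1].split("?", 1)[0].lower()
        key = (client, host)
        if name.endswith(".jar"):
            ver = JAVA_UA_RE.search(ua)
            jar_seen[key] = (when, path, ver.group(1) if ver else None)
        elif name == payload_name and key in jar_seen:
            jar_time, jar_path, java_version = jar_seen[key]
            if timedelta(0) <= when - jar_time <= WINDOW:
                hits.append((client, host, jar_path, path, java_version))
    return hits


if __name__ == "__main__":
    for hit in find_jar_then_payload(SAMPLE_LOG):
        print("suspicious JAR -> payload sequence:", hit)
```

Only the first client is reported: the second fetched svchost.jpg from a different host than its JAR, and the third never requested the file.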
The company's experts say that the vulnerability works in browsers that use the Java plug-in version 1.6 update 41 and Java version 1.7 update 15. Users are advised to disable the execution of Java plug-ins, or to change the Java security level setting to High and not run untrusted applets.
Oracle released both updates as scheduled on February 19 this year; they fixed five security issues. The emergency update before it covered fifty problems, which had led to the compromise of machines at large companies, including Apple, Facebook and Microsoft.
The absence of a fix or of any protection against the new vulnerability, other than disabling the execution of Java applets in the browser, allows us to call it a zero-day vulnerability. The frequency with which such vulnerabilities are discovered leaves us dissatisfied with Java security.
Based on The Next Web and the FireEye Blog