Critical Java vulnerability due to incomplete earlier patch

The critical Java vulnerability that is currently under attack was made possible by an incomplete patch Oracle developers issued last year to fix an earlier security bug, a researcher said.

The revelation, made Friday by Adam Gowdiak of Poland-based Security Explorations, is the latest black eye for Oracle’s Java software framework which is installed on more than 1 billion PCs, smartphones, and other devices.

Miscreants use these exploits to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors.

Last year saw a steady stream of attacks that exploited Java vulnerabilities, allowing miscreants to surreptitiously install keyloggers and other malicious software when unwitting people browsed compromised websites. The abuse has already continued into 2013, when on Thursday researchers reported yet another critical bug that is being “massively exploited in the wild”.

According to Gowdiak, the latest vulnerability is a holdover from a bug (referred to here as Issue 32) that Security Explorations researchers reported to Oracle in late August. Oracle released a patch for the issue in October but it was incomplete, he said in an e-mail to Ars that was later published to the Bugtraq mailing list.

“Bugs are like mushrooms, in many cases they can be found in a close proximity to those already spotted,” Gowdiak wrote. “It looks like Oracle either stopped the picking too early or they are still deep in the woods.”

Oracle representatives didn’t immediately respond to a request for comment. This post will be updated if a reply comes later.

People who don’t use Java much should once again consider unplugging Java from their browser, while those who don’t use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10—the most recent version—say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this.

Exploits of the latest Java vulnerability, which were first observed more than a month ago, are the combination of two bugs. The first involves the Class.forName() method and allows the loading of arbitrary (restricted) classes. The second bug relies on the invokeWithArguments method call and was also a problem with Issue 32 that Oracle purportedly patched in October.

“However, it turns out that the fix was not complete as one can still abuse invokeWithArguments method to setup calls to invokeExact method with a trusted system class as a target method caller,” Gowdiak wrote. “This time the call is however done to methods of new Reflection API (from java.lang.invoke.* package), of which many rely on security checks conducted against the caller of the target method.”

Developers of the Metasploit framework for hackers and penetration testers have released a module that should exploit the vulnerability on machines running Windows, Apple OS X, and Linux regardless of the browser they’re using. The US-CERT, which is affiliated with the Department of Homeland Security, is advising people to disable Java in Web browsers.