Zero-day exploit hits Java 7 and end-of-life Java 6

Just two weeks after Oracle released its latest critical patch updates, attackers have found a previously unseen flaw in Java 6 and 7 to compromise computers.

Researchers at security firms FireEye and CyberESI last week discovered the new Java attack, which successfully exploits flaws in Java 6 Update 41 and Java 7 Update 15 -- the most recent versions of Java that Oracle released on February 19.

In most cases the exploit will cause a Java virtual machine to crash before the malware can be installed on the target system, according to FireEye. However when it is successful, it will download a remote access tool called McRAT.

The malware entrenches itself on the target system by writing over a legitimate service library with its own malicious DLL.

“We urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to "High" and do not execute any unknown Java applets outside of your organization,” said FireEye researchers Darien Kindlund and Yichong Lin.

Interestingly, the McRAT trojan and the control server it calls to are the same that were used in attacks on security firm Bit9, according to, suggesting the same group is behind the new Java exploit.

A bigger question for Java 6 users is whether an update for that edition will become available. Oracle ended support for it in February and has said it will not release any more public updates for Java 6.

In January and February Oracle broke its “Critical Patch Update” cycle and released early updates for Java 6 and 7 in response to attackers exploiting a serious flaw, and given the status of Java 6 it's unlikely to see a repeat. Meanwhile, Oracle's next Critical Patch Update for Java 7 is not scheduled for release until April 16.

Java 7 is the dominant version of the software, but Java 6 is still used. January figures from PaaS provider, Jelastic, show that roughly 18 percent of its users are running Java 6 JVMs.

The exploit follows the discovery of two Java 7 vulnerabilities by Polish security researcher Adam Gowdiak. Oracle confirmed one as a flaw and described the other as “allowed behaviour”.

In addition, an exploit for flaws that were fixed on the February 1 release of Java 7 Update 13 has been bundled with several exploit kits, taking advantage of out of date Java.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.


Copyright © 2013 IDG Communications, Inc.

The 10 most powerful cybersecurity companies