This morning the first big Java 0-day exploit of 2013 was discovered, and it is already being used in exploit kits worldwide. Regular readers may remember these exploit kit rules from Joel Esler. The combination of existing rules 25041 and 25042 will detect the method the exploit kit authors are using to drop malware after this exploit. Since they're enabled in the Sourcefire balanced and security policies by default, most of you have had protection since December that will keep you safe from the current iteration of the attacks being used in the wild.
Based on information from Malware don't need Coffee and Krebs on Security it looks like this exploit is being used in at least four different active exploit kits - Blackhole, Cool Exploit Kit, Nuclear Pack, and Redkit. Source code has popped up on pastebin as well, and the VRT has been able to compile it and confirm that it is functional. We anticipate that a Metapsloit module will be developed shortly, and that this will be very wildly exploited in the field in the coming days via a variety of different vectors.
Since those additional vectors would not be detected by the SIDs above, we've written SIDs 25301 and 25302 as additional layers of protection; they will be released in our next SEU (ed: 778), which is targeted for today. We will be following additional developments related to this vulnerability as they progress, and will issue additional detection as circumstances dictate. ClamAV signatures are named Java.Exploit.Agent-14 through Java.Exploit.Agent-16.
At the time of writing, Oracle had not yet issued an official response, though unless they have previous intelligence regarding this vulnerability, a patch will likely be at least days in the making. Anyone who can continue to do their job with Java disabled in their browser is strongly encouraged to do so immediately, as that's the only way to ensure complete safety against this attack or others like it - which, based on the history of Java 0-days over the last 12 months, are likely to happen at some point within the not-too-distant future.
UPDATE, 1/11/13 @ 10:11 a.m.: Sourcefire's FireAMP group also released an awesome screenshot of their product's infection trajectory when working with a live copy of this attack, which you can see below:
![]()
As you can see, this shows the time of infection, an outgoing connection afterwards, and other relevant information about the nature of the attack as it unfolds in real-time. If you want reports like this on your network, you can click here to sign up for a free trial version of the product.
Based on information from Malware don't need Coffee and Krebs on Security it looks like this exploit is being used in at least four different active exploit kits - Blackhole, Cool Exploit Kit, Nuclear Pack, and Redkit. Source code has popped up on pastebin as well, and the VRT has been able to compile it and confirm that it is functional. We anticipate that a Metapsloit module will be developed shortly, and that this will be very wildly exploited in the field in the coming days via a variety of different vectors.
Since those additional vectors would not be detected by the SIDs above, we've written SIDs 25301 and 25302 as additional layers of protection; they will be released in our next SEU (ed: 778), which is targeted for today. We will be following additional developments related to this vulnerability as they progress, and will issue additional detection as circumstances dictate. ClamAV signatures are named Java.Exploit.Agent-14 through Java.Exploit.Agent-16.
At the time of writing, Oracle had not yet issued an official response, though unless they have previous intelligence regarding this vulnerability, a patch will likely be at least days in the making. Anyone who can continue to do their job with Java disabled in their browser is strongly encouraged to do so immediately, as that's the only way to ensure complete safety against this attack or others like it - which, based on the history of Java 0-days over the last 12 months, are likely to happen at some point within the not-too-distant future.
UPDATE, 1/11/13 @ 10:11 a.m.: Sourcefire's FireAMP group also released an awesome screenshot of their product's infection trajectory when working with a live copy of this attack, which you can see below:
As you can see, this shows the time of infection, an outgoing connection afterwards, and other relevant information about the nature of the attack as it unfolds in real-time. If you want reports like this on your network, you can click here to sign up for a free trial version of the product.