Oracle issues patch for Java flaws; attacks tied to Nitro gang

Oracle has released a rare out-of-band patch to fix zero-day vulnerabilities in Java 7 that are being exploited by an attacker group based in China that last year targeted the chemical industry and some defense contractors.

After the flaw became known on Aug. 26, some security experts had advised users to just turn off Java, which runs on billions of computers. Oracle has rarely issued emergency patches, and its next quarterly update wasn’t due until mid-October.

The update addresses vulnerabilities in Java 7 (1.7) Update 0 to 6 — the flaw doesn’t exist in earlier versions — and affects all versions of Internet Explorer, Firefox and Opera. An exploit developed by Rapid7 for the penetration-testing Metasploit toolkit also works in Chrome.


Related coverage:

Zero-day exploit hits Java – should you just turn it off?

Chemical industry targeted by cyber spy attacks


Tod Beardsley, Metasploit engineering manager for Rapid7, said in a phone interview that researchers there had tested Oracle’s patch and “it proved effective in blocking our exploit.” He said Rapid7 was continuing to test to see if a bypass exists, but he was confident the patch would hold up.

Security researchers in recent days have said that attacks have been taking advantage of two flaws in Java 7 and that at least some of the attacks are coming from a group Symantec last year dubbed Nitro for its attacks on the chemical industry.

Esteban Guillardoy of security firm Immunity Inc. wrote in a blog post that his analysis found that two zero-day vulnerabilities, rather than one as originally reported, were being exploited and that the underlying vulnerability has existed since July 2011. He also wrote that the exploit he examined was multi-platform and would “shortly become the penetration test Swiss knife for the next couple of years.”

Symantec, meanwhile, said in an Aug. 30 post that it had traced recent exploits of the flaw to the Nitro gang that in 2011 used phishing e-mails to target mostly chemical companies in attacks that downloaded the Poison Ivy Remote Access Trojan, which Symantec calls Backdoor.Darkmoon and which also is being used in the current attacks.

Last year, Nitro attackers used phishing e-mails that included as an attachment a password-protected, self-extracting zip file posing as commonly installed software. When the user ran the file, the computer was infected with Poison Ivy. 

“In these latest attacks, the attackers have developed a somewhat more sophisticated technique,” Symantec said. “They are using a Java zero-day, hosted as a .jar file on websites, to infect victims.”

The attackers are using some of the same tools they used last year, including Poison Ivy/ Backdoor.Darkmoon, the same command-and-control infrastructure, and reusing file names such as Flash_update.exe. “The Nitro attackers appear to be continuing with their previous campaign,” Symantec said.

Although the number of attacks initially were reported to be few, the flaw was considered a serious issue because of Java’s presence on so many computers, including those in government. The Federal Desktop Core Configuration has allowed Java since 2008.

Security writer Brian Krebbs, noting that Oracle says more than 3 billion devices have Java, did some rough math with the help of Secunia, maker of the Personal Software Inspector program, and estimated that more than a billion devices could be open to attack.

Although the flaws were publicly disclosed only a few days ago, the Polish company Security Explorations said it had privately briefed Oracle and the vulnerabilities in April, IDG News reported.  

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above