Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Hackers eye new Java exploits that impact users who haven’t upgraded

Attackers are always on the hunt for the most reliable exploits to add to crimeware kits – and it appears they currently are eyeing a number of "critical" bugs in Java that remain unpatched for many users.

According to researchers, hackers have swapped out one such exploit from Neutrino, a popular underground exploit kit, in search of a more effective alternative.

Timo Hirvonen, a senior analyst at security firm F-Secure, discovered that since Monday, saboteurs had been taking advantage of CVE-2013-2463, which was patched in June for Java 7 but still exists in Java 6 because that platform is no longer supported unless customers have a special contract with Oracle.

But now, it appears the exploit for this vulnerability has been removed from Neutrino, Hirvonen told on Thursday. Attackers are experimenting with similar vulnerabilities that have been patched in Java 7, but not version 6.

In Oracle's June critical patch update advisory, eight flaws in Java Runtime Environment's 2D sub-component, which is used to draw two-dimensional graphics, were assigned the top score of 10 out of 10 on Oracle's implementation of the Common Vulnerability Scoring System (CVSS).

So far, at least four of the bugs (CVE-2013-2463, 2471, 2465, and 2473) in the 2D sub-component of Java have been divulged in detail via proof-of-concept code being published online. The vulnerabilities leave Java users open to remote attack by attackers who do not require authentication, according to Oracle advisories.

Hirvonen said the four flaws are “highly similar,” but slight variances may have accounted for CVE-2013-2463 being nixed from the Neutrino exploit kit.

“It's actually very difficult to figure out how [they are] different exploits,” Hirvonen said of the disclosed bugs. “It's highly similar. I'm guessing what the cyber criminals will do is test which one of these exploits is the most reliable."

A researcher known as Kafeine said in a blog post that the that sellers of the exploit kit had already switched to another of the critical Java vulnerabilities, CVE-2013-2465, to determine if it was more effective in attacks.

"The reason is…that CVE-2013-2463 was not working for them," the researcher wrote. "[I]n fact no infection [occurred] with it [in the] past two days."

Half of Java users still are running version 6, cloud security company Qualys has found.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.