CVE-2013-1493 aka Yet Another Oracle Java 0day
Less than 15 days after the release of the Oracle Java CPU Special Update of 19 February, another Java 0day is reported as exploited in the wild!
FireEye has reported, in a blog post, the discovery of a new Oracle Java 0day targeting the latest versions, Java SE 6 Update 41 and Java SE 7 Update 15.
After successful exploitation of the newly discovered vulnerability, CVE-2013-1493, a “svchost.jpg” file (MD5 b6c8ede9e2153f2a1e650dfa05b59b99) is loaded from the same server hosting the Java 0day. The McRAT (aka Trojan.Naid) malware (MD5 4d519bf53a8217adc4c15d15f0815993) is then dropped. Given the detection ratio of this malware (21/46), it seems the Java 0day could end up being used in an exploit pack.
- VirusTotal analysis of dropped McRAT.
- Malwr analysis of dropped McRAT.
- Anubis analysis of dropped McRAT.
Symantec has reported some connections between the new Oracle Java 0day and the Bit9 security incident. In the current Java 0day incident, the “appmgmt.dll” file, dropped by “svchost.jpg”, is detected by Symantec as Trojan.Naid. The Trojan.Naid sample connects to the 22.214.171.124 C&C server. In the Bit9 security incident, Trojan.Naid was also present and connected to the 126.96.36.199 C&C server. Symantec detects this Java 0day as “Trojan.Maljava.B”; according to the associated threat assessment, fewer than 49 computers were infected and fewer than 2 websites were used in the watering hole attack.
Security researchers are currently studying the sample; it is a matter of days before this 0day is widely exploited.
We advise you to disable Java plug-in execution in your browsers as soon as possible.
Samples are appearing on VirusTotal, such as “svchost.jar” (MD5 a721ca9b2ea1c362bd704b57d4d5a280), with a current detection ratio of 17/46.
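The file hashes, file names and C&C addresses quoted above are the indicators a responder would actually sweep for. The following Python script is an added example, not code from this post or from FireEye or Symantec: it loads those indicators exactly as they are printed in the post (the C&C addresses included, as published), hashes files on disk against the MD5 list, and flags proxy-style log lines that touch a C&C address or fetch one of the staging files. The log lines are constructed sample data and every path name is hypothetical.

```python
"""IoC sweep for the CVE-2013-1493 campaign described in the post (added example)."""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Tuple

# Indicators as printed in the post above (MD5s kept lower-case for comparison).
IOC_MD5 = {
    "b6c8ede9e2153f2a1e650dfa05b59b99": "svchost.jpg (loader)",
    "4d519bf53a8217adc4c15d15f0815993": "McRAT / Trojan.Naid (dropped)",
    "a721ca9b2ea1c362bd704b57d4d5a280": "svchost.jar (exploit applet)",
}
# C&C addresses exactly as they appear in the post.
IOC_C2 = {"22.214.171.124", "126.96.36.199"}
IOC_FILENAMES = ("svchost.jar", "svchost.jpg", "appmgmt.dll")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, lower-case hex (adequate for IoC lookup, not for integrity)."""
    return hashlib.md5(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through MD5 so large evidence files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_hashes(hashes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, description) for each path whose MD5 is a known IoC (case-insensitive)."""
    hits = []
    for path, digest in hashes.items():
        desc = IOC_MD5.get(digest.lower())
        if desc:
            hits.append((path, desc))
    return hits


def sweep_tree(root: str) -> List[Tuple[str, str]]:
    """Hash every regular file under root and report IoC matches; unreadable files are skipped."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                found[full] = hash_file(full)
            except OSError:
                continue
    return match_hashes(found)


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Flag log lines that contain a C&C address or one of the staging file names.

    Matching is deliberately coarse (any IPv4 token, case-insensitive substring for
    file names) so it also works on log formats other than the sample; review hits by hand.
    """
    hits = []
    for no, line in enumerate(lines, start=1):
        low = line.lower()
        for ip in IPV4_RE.findall(line):
            if ip in IOC_C2:
                hits.append((no, "C&C address " + ip))
        for fname in IOC_FILENAMES:
            if fname in low:
                hits.append((no, "staging file " + fname))
    return hits


# Constructed sample proxy log (not real traffic): one internal host fetches the
# applet, then the "jpg" payload, then opens a connection to the C&C address.
SAMPLE_PROXY_LOG = """\
2013-03-01 10:02:13 10.0.0.15 GET http://news.example/index.html 200
2013-03-01 10:02:19 10.0.0.15 GET http://news.example/svchost.jar 200
2013-03-01 10:02:21 10.0.0.15 GET http://news.example/svchost.jpg 200
2013-03-01 10:03:02 10.0.0.15 CONNECT 22.214.171.124:443 200
2013-03-01 10:05:40 10.0.0.22 GET http://news.example/about.html 200
""".splitlines()


def demo() -> List[Tuple[int, str]]:
    """Run the log scan over the constructed sample and print each hit with its line."""
    hits = scan_log(SAMPLE_PROXY_LOG)
    for no, why in hits:
        print(f"line {no}: {why} -> {SAMPLE_PROXY_LOG[no - 1]}")
    return hits


if __name__ == "__main__":
    demo()
    # For a real sweep, point it at a mounted evidence image, e.g. sweep_tree("/mnt/evidence").
```

The hash lookup is case-insensitive because VirusTotal, Symantec and FireEye print MD5s in mixed case; the log scan reports every reason a line matched, so a single line that both fetches a staging file and carries a C&C address produces two hits and is easy to prioritise.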
I recommend reading these related posts:
- Watering Hole Campaign Use Latest Java and IE Vulnerabilities
- Oracle update to Java 7 Update 17 and to Java 6 Update 43, but…
- Year 2012 Main Exploitable Vulnerabilities Interactive Timeline
- KaiXin Exploit Kit Evolutions
- Oracle Java Critical Patch Update April 2013 Review
- Bye Bye Java SE 6, Security Enhancements in Java SE 7U10
- CVE-2012-0500 Oracle Java Web Start Plugin Command Line Argument Injection Metasploit Demo
- CVE-2012-0507 Java AtomicReferenceArray Type Violation Vulnerability Metasploit Demo
- CVE-2013-2465 Java storeImageArray Vulnerability Metasploit Demo
- Java Applet JMX 0day Remote Code Execution Metasploit Demo