NEWS FROM THE LAB - Wednesday, August 14, 2013

Java - The Gift That Keeps On Giving

Posted by Timo @ 08:54 GMT

I bet vulnerability researchers love Java. The 2D sub-component of Java in particular seems to have felt their love lately: since the out-of-band patch for CVE-2013-0809 and CVE-2013-1493 in March 2013, 2D has been the most patched sub-component, with a total of 18 fixed vulnerabilities. Fortunately, CVE-2013-1493 has been the only one of these exploited in the wild.

On Monday, August 12th, a link to yet another Java exploit was shared in a tweet:

Contrary to what the tweet says, the exploit is not a 0-day. It exploits CVE-2013-2465, yet another vulnerability in the 2D sub-component. The issue affects Java 7 versions up to update 21, but it has been patched in the latest version, Java 7 update 25. We have released a detection for the exploit (Exploit:Java/CVE-2013-2465.A), but so far we have not seen it in the wild.

Even though CVE-2013-2465 is not exploited in the wild (yet), another Java vulnerability affecting Java 7 update 21 is: CVE-2013-2460. The exploit was introduced in the Private exploit kit in July, and since then we have also seen it in the Sweet Orange exploit kit. In addition, Kaspersky has spotted the vulnerability being exploited in watering hole attacks (the JAR file mentioned in their post exploits CVE-2013-2460, not CVE-2012-4681).

To sum up, it does make a difference whether you run Java 7 update 25 or Java 7 update 21. If uninstalling Java or at least disabling the browser plugin is not an option for you, make sure you have the latest version of Java installed.
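A quick way to act on that advice is to check which Java 7 update is actually installed. The script below is an added example, not code from the original post: it parses the `java version "1.7.0_NN"` line that `java -version` prints, and, following the post, treats any Java 7 update below 25 as unpatched for CVE-2013-2465 and CVE-2013-2460. The sample outputs are constructed, and the "unknown" result for non-Java-7 installs is an assumption, since the post only speaks about Java 7.

```python
import re
import subprocess

# Per the post: CVE-2013-2465 and CVE-2013-2460 affect Java 7 up to update 21
# and are fixed in Java 7 update 25 (the latest version at the time).
PATCHED_JAVA7_UPDATE = 25

# Matches the first line of `java -version`, e.g. java version "1.7.0_21"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None if unparseable."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(output):
    """Classify the install as 'patched', 'unpatched' or 'unknown'."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major != 7:
        return "unknown"  # assumption: the post only makes a statement about Java 7
    return "patched" if update >= PATCHED_JAVA7_UPDATE else "unpatched"


def assess_installed():
    """Run `java -version` on this host (it prints to stderr) and assess the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"  # no java binary on PATH
    return assess(proc.stderr + proc.stdout)


# Constructed sample outputs, not captured from real hosts.
SAMPLES = {
    "7u21": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment\n',
    "7u25": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment\n',
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, assess(out))
    print("installed", assess_installed())
```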

Post by — @Timo

Updated to add: …and giving and giving.