FYI...
Java 0-Day exploit-in-the-wild
- https://secunia.com/advisories/50133/
Last Update: 2012-08-28
Criticality level: Extremely critical
Impact: System access
Where: From remote ...
Solution Status: Unpatched
Software: Oracle Java JRE 1.7.x / 7.x
CVE Reference: http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4681 - 6.8
... vulnerability is confirmed in version 7 update 6 build 1.7.0_06-b24. Other versions may also be affected.
Solution: No official solution is currently available...
Reported as a 0-day.
Original Advisory:
http://blog.fireeye.com/research/201...-over-yet.html
- https://isc.sans.edu/diary.html?storyid=13984
Last Updated: 2012-08-27 20:29:15 UTC - "... targets Java 1.7 update 6, there is currently no patch available, the exploit has been integrated into the metasploit framework..."
- https://krebsonsecurity.com/2012/08/...-java-exploit/
August 27, 2012
- http://www.deependresearch.org/2012/...formation.html
August 27, 2012 - "... currently being used in targeted attacks..."
- http://labs.alienvault.com/labs/inde...d-in-the-wild/
August 27, 2012 - "... On the analyzed sample the payload is downloaded from ok.aa24 .net/meeting /hi.exe... The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replace the file if present) and starts the Portable Media Serial Number Service. The malware connects to hello.icon .pk port 80. It seems to be a Poison Ivy variant. hello.icon .pk resolves to:
223.25.233.244
223.25.233.0 – 223.25.233.255
8 to Infinity Pte Ltd ..."
> https://www.virustotal.com/file/09d1...200f/analysis/
File name: hi.exe
Detection ratio: 32/42
Analysis date: 2012-08-28 12:59:25 UTC
- https://www.virustotal.com/file/09d1...200f/analysis/
File name: hi.exe
Detection ratio: 36/42
Analysis date: 2012-08-29 10:55:45 UTC
___
- http://www.kb.cert.org/vuls/id/636312
Last revised: 28 Aug 2012 - "... Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability..."
- http://www.symantec.com/connect/blog...-cve-2012-4681
8.28.2012 - "... attackers have been using this zero-day vulnerability for at least five days, since August 22... we have confirmed that the zero-day vulnerability works on the latest version of Java (JRE 1.7), but it does -not- work on the older version JRE 1.6*..."
* http://forums.spybot.info/showpost.p...08&postcount=5
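
A defender-side sketch for checking logs against the indicators quoted above from the AlienVault write-up. This is an added example, not code from the post or from any of the linked advisories. The proxy log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators as quoted in the post (hosts are defanged there with spaces).
DEFANGED_HOSTS = ["ok.aa24 .net", "hello.icon .pk"]
C2_IP = "223.25.233.244"
DROPPED_FILE = r"C:\WINDOWS\system32\mspmsnsv.dll"

def refang(indicator):
    """Undo defanging (inserted spaces, [.], hxxp) and lower-case."""
    s = re.sub(r"\s+", "", indicator).replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.I).lower()

BAD_HOSTS = {refang(h) for h in DEFANGED_HOSTS}

def check_proxy_line(line):
    """Return the reasons a proxy log line matches; [] if it is clean.
    Assumed format: <time> <client> <method> <url> <dest_ip> <status>"""
    fields = line.split()
    if len(fields) != 6:
        return []                      # malformed line: skip, do not crash
    url, dest_ip = fields[3], fields[4]
    reasons = []
    host = (urlsplit(url).hostname or "").rstrip(".")  # lower-cased by urlsplit
    if host in BAD_HOSTS:
        reasons.append("host:" + host)
    if dest_ip == C2_IP:
        reasons.append("ip:" + dest_ip)
    return reasons

def is_dropped_file(path):
    """Windows paths are case-insensitive; accept / or \\ separators."""
    return path.replace("/", "\\").lower() == DROPPED_FILE.lower()

# Constructed sample log lines (not taken from any real capture).
SAMPLE = [
    "2012-08-27T10:01:02Z 10.0.0.5 GET http://OK.AA24.net/meeting/hi.exe 203.0.113.9 200",
    "2012-08-27T10:01:09Z 10.0.0.5 POST http://hello.icon.pk./ 223.25.233.244 200",
    "2012-08-27T10:02:00Z 10.0.0.7 GET http://example.org/index.html 198.51.100.4 200",
    "garbage line",
]

def scan(lines):
    return [(l.split()[1], r) for l in lines if (r := check_proxy_line(l))]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE):
        print(client, reasons)
```

The file check is meant for file-creation events from endpoint logging. A hit on the path alone is not conclusive, because mspmsnsv.dll is also the name of the legitimate service DLL that the quoted report says the payload replaces.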