New zero-day vulnerability in Java browser applets



A brand-new zero-day vulnerability in Java appeared on the network today and is already being actively exploited. The vulnerability was detected by FireEye through its Malware Protection Cloud (MPC) technology.

Unlike other common Java vulnerabilities, which simply bypass the security manager, this one relies on arbitrary reads from and writes to the memory of the virtual-machine process. After the vulnerability is triggered, the applet searches memory for the address that holds information about the internal structure of the virtual machine, including the state of the security manager, and then overwrites that part of memory with zero. Then Win32/McRat (Trojan-Dropper.Win32.Agent.bkvs) is downloaded as svchost.jpg from the same server as the malicious JAR and launched. An example HTTP GET request from McRat in a browser after successful exploitation is shown above.
The exploit is not very reliable because it tries to overwrite a large region of memory at once. As a result, in most cases McRat is downloaded after the attack, but the virtual machine crashes and cannot launch it.

The company's specialists say that the vulnerability works in browsers using the Java plug-in version 1.6 update 41 and Java version 1.7 update 15. Users are advised to disable execution of the Java plug-in, or to set the Java security level to high and not run untrusted applets.

Oracle released both of these updates as scheduled on February 19 of this year, fixing five security issues. The emergency update before that closed fifty holes, through which machines at large companies, including Apple, Facebook and Microsoft, had been compromised.

The absence of a patch or of any protection against the new vulnerability, other than disabling the execution of Java applets in the browser, justifies calling it a zero-day. The frequency with which such vulnerabilities are discovered gives cause for dissatisfaction with Java's security.
Based on The Next Web and the FireEye blog

Source: https://habr.com/ru/post/171289/