Zero-day vulnerability in Oracle Java SE

Error Handling
CVE-2012-4681

FireEye researchers began investigating the vulnerability after a Twitter post by Joshua J. Drake on August 26.

Vulnerability details

Advisory: SB2012082601 - Remote code execution in Oracle Java SE

Vulnerable component: Oracle Java SE

CVE-ID: CVE-2012-4681

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-388 - Error Handling

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper handling of Rhino JavaScript errors. A remote attacker can create a specially crafted web site, trick the victim into visiting it, bypass sandbox restrictions, and download and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

Operation KE3CHANG

A cyber espionage campaign, which we call "Ke3chang," that falsely advertises information updates about the ongoing crisis to compromise MFA (ministry of foreign affairs) networks in Europe. The timing of the attacks precedes a G20 meeting held in Russia that focused on the crisis in Syria. 23 command-and-control (CnC) servers operated by the Ke3chang actor are known, along with 21 compromised machines connecting to the CnC server. These included what appear to be three administrative tests by the attackers and two connections from other malware researchers. Among the targets, FireEye identified nine compromises at government ministries in five different European countries. Eight of these compromises were at MFAs.

Public Exploits: