Zero-day vulnerabilities discovered: 2
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists due to an unknown error related to the Java SE Deployment component. A remote attacker can bypass the click-to-play protection in Java.
Successful exploitation of the vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited by the Fancy Bear APT.
This bypass was quite useful in Pawn Storm, which used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year.
Software: Oracle Java SE
Links:
http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day...
https://blog.qualys.com/laws-of-vulnerabilities/2015/10/21/oracle-critical-patch-update-october-2015
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
Remote code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an unknown error in the Libraries component. A remote attacker can execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in full control of the vulnerable system.
Note: the vulnerability was being actively exploited.
The attacks were launched by a cyberespionage group known as Pawn Storm or APT28 targeting the White House and members of the North Atlantic Treaty Organization (NATO) back in April 2015.
The group has been active since 2007 and typically targets military, government and media organizations.
Software: Oracle Java SE
Links:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7033/oracle-java-se-remote-code...
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.pcworld.com/article/2948592/security/oracle-fixes-zeroday-java-flaw-and-over-190-other-vu...
http://www.computerworld.com/article/2947216/security/cyberespionage-group-pawn-storm-uses-exploit-f...
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
https://www.tripwire.com/state-of-security/latest-security-news/java-zero-day-bug-192-other-security...
http://www.securityweek.com/oracle-patches-java-zero-day-exploited-pawn-storm-attackers
http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day...
https://duo.com/blog/update-flash-and-java-emergency-zero-day-patches