Cisco Event Response: Oracle Security Alert for CVE-2012-4681

On August 22, 2012 Cisco Security Intelligence Operations (SIO) telemetry collection and analysis systems detected endpoints accessing websites that were being equipped to host and distribute a malicious Java Archive (JAR). On August 23 the initial attempt to download the JAR occurred but was prevented. Execution of the malicious JAR results in the exploitation of a 0-day vulnerability in the Java Runtime Environment (JRE).

This vulnerability was assigned CVE-2012-4681 and Oracle published its Security Alert for CVE-2012-4681 on August 30, 2012 to address and disclose affected products. This vulnerability only applies to client deployments of Java. Client endpoints running JRE Version 7 Update 6 and prior are vulnerable to CVE-2012-4681.

This vulnerability should be considered an urgent risk and users are strongly advised to apply the patch published by Oracle in the Security Alert.

The vulnerability exists because the affected software fails to properly restrict access to the setSecurityManager() function. An unauthenticated, remote attacker could exploit this vulnerability to bypass Java sandbox restrictions by convincing a user to visit a crafted HTML document or website that is designed to submit malicious input to the vulnerable system. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the system.

Threat Updates

September 10, 2012: The Cisco Product Security Incident Response Team (PSIRT) has investigated and determined no Cisco products are affected by CVE-2012-4681.

Event Intelligence

The following table identifies Cisco Security Intelligence Operations content that is associated with this Oracle Security Alert:

Cisco Security Intelligence Operations Analysis

Cisco SIO is monitoring the threat landscape and has observed multiple download attempts of malicious JAR files that exploit CVE-2012-4681. These download attempts were prevented using existing countermeasures and controls by Cisco IronPort Web Security Appliance devices and Cisco ScanSafe Cloud Web Security services.

The primary market segments from which Cisco SIO has observed download attempts are Energy, Oil, and Gas and Pharmaceutical and Chemical.

Web-based threats continue to evolve and exploit combinations continue to target endpoints using various tactics. Users may consider reevaluating browsing habits, securing your web browser, and the web browsers used to access various types of resources.

Cisco SIO has observed multiple exploit kits (BlackHole, Sakura, Nuclear, and RedKit) using CVE-2012-4681 as an attack vector. Exploit kit authors will continue to add this vulnerability to their kits, and it is strongly advised that users take action and perform one of the recommended countermeasures and controls provided in the next section of this Event Response.

Additionally, Cisco SIO detected and correlated sources hosting and distributing the malicious JAR exploiting CVE-2012-4681 and determined that the sources were also affiliated with the Nitro Exploit Kit back on August 1, 2012.