Java zero-day attack: Second bug found

InformationWeek – (International) Java zero-day attack: Second bug found. The zero-day Java attack recently discovered by security researchers, which appears to have been launched from China, is more complex than previously thought. While researchers had identified a Java 7 security-settings bug exploited in the attack, they have since found that it is chained with a second vulnerability. "Most of the online analysis talks about one vulnerability, where we saw two vulnerabilities being exploited to achieve full execution on a target," according to a blog post from a Python developer and security researcher at the information security firm Immunity. The first bug was used to get a reference to the sun.awt.SunToolkit class, which is restricted to applets, while the second bug invokes the getField public static method on SunToolkit using reflection, with a trusted immediate caller bypassing a security check. He said the bugs had to be chained together to create a working exploit. He also noted that the getField Java bug was introduced with Java 7.0, which debuted July 28, 2011, and suggested that a foreign nation state, or states, may have been "enjoying it non-stop for quite some time now."

Source: http://www.informationweek.com/security/vulnerabilities/java-zero-day-attacksecond-bug-found/240006431

Written by Ali Loney

Ali Loney is a Senior UX Designer at Walmart Labs. She is based in Canada and was the former Graphic Designer at Sonatype.