Java vulnerabilities have always been popular among cybercriminals (exploit kit authors): because a single Java exploit can work across multiple browsers and even multiple operating systems, the potential for infecting large numbers of users is very high.
On April 16, Oracle released its Java Critical Patch Update (CPU) for April 2013, which addressed vulnerabilities found in numerous supported products. Interestingly, one of the vulnerabilities, CVE-2013-2432, was publicly disclosed the following day, and this was closely followed by a Metasploit proof of concept on April 20.
It didn’t take long for exploit kit authors to adopt this openly available vulnerability. We are currently seeing cases of Redkit and Cool EK using this new Java vulnerability and we expect this exploit to be rolled out to other exploit kits.
The following Intrusion Prevention System (IPS) signatures are in place to block attacks that use this exploit through the Redkit and Cool EK exploit kits:
- Web Attack: Suspicious Executable Image Download
- Web Attack: Cool Exploit Kit Website 3
- Web Attack: Malicious Java Download 14
- Web Attack: Java CVE-2013-0431 RCE
- Web Attack: Red Exploit Kit Website
- Web Attack: Java JMX RCE CVE-2013-0422
Symantec detects the malicious files as Trojan.Maljava using our antivirus protection technology.
Symantec recommends that users apply the critical Java patch released by Oracle, as this vulnerability is now seen as a high priority. Please be aware of malware that masquerades as software updates and patches, and only download the patch from the official website.