Java vulnerabilities have always been popular among cybercriminals (exploit kit authors) because a single exploit can work across multiple browsers and even multiple operating systems, so the potential for infecting large numbers of users is very high.
On April 16, Oracle released its Java Critical Patch Update (CPU) for April 2013 that addressed vulnerabilities found in numerous supported products. Interestingly, one of the vulnerabilities, CVE-2013-2423, was publicly disclosed the following day and this was closely followed by a Metasploit proof of concept on April 20.
It didn’t take long for exploit kit authors to adopt the openly available exploit for this vulnerability. We are currently seeing cases of Cool EK using this new Java vulnerability, and we expect the exploit to be rolled out to other exploit kits.
The following Intrusion Prevention System (IPS) signatures are in place to block attacks using this exploit through the Cool EK exploit kit:
- Web Attack: Suspicious Executable Image Download
- Web Attack: Cool Exploit Kit Website 3
- Web Attack: Malicious Java Download 14
- Web Attack: Java CVE-2013-0431 RCE
- Web Attack: Java JMX RCE CVE-2013-0422
- Web Attack: Java CVE-2013-2423 RCE 2
Symantec detects the malicious files as Trojan.Maljava using our antivirus protection technology.
Symantec recommends that users apply the critical Java patch released by Oracle, as this vulnerability is now seen as a high priority. As listed above, Symantec has released new IPS signatures for proactive detection, so we also recommend updating your Symantec security product with the latest security components. Please be aware of malware that masquerades as software updates and patches, and only download the patch from the official Oracle website.