The use of zero-day exploits in attacks has not been far from the headlines of late. Today, Kafeine of the Malware don't need Coffee blog published a post detailing yet another Java zero-day, Oracle Java Runtime Environment Unspecified Remote Code Execution Vulnerability (CVE-2013-0422), which is being exploited in the wild and distributed through the Cool Exploit Kit. The good news for Symantec customers who use our intrusion prevention signature (IPS) technology is that the JAR file carrying the exploit from the Cool Exploit Kit was already being proactively blocked by the IPS signature Web Attack: Malicious JAR File Download 11. Symantec telemetry shows the Cool Exploit Kit began serving the exploit on January 9, and it has been proactively caught by our products since then. There are also new reports of other exploit kits carrying this exploit, which Symantec is actively investigating.
Figure 1. Cool Exploit Kit attack serving new Java zero-day
Additional information on Trojan.Ransomlock.G can be found here.
The use of a zero-day in the Cool Exploit Kit does not come as much of a surprise. There has been a lot of coverage of late about the Cool Exploit Kit author (reportedly the same author as the Blackhole exploit kit) having a large budget for buying up new zero-days. If so, this may be the first of a string of zero-days to come from the Cool Exploit Kit.
While Oracle has not yet released an advisory, Symantec confirmed in testing that the zero-day successfully exploits the latest version of Java (1.7.0_10) available from Oracle's website.
Symantec has the following IPS signatures in place that specifically protect against the Cool Exploit Kit:
Symantec detects the JAR file that contains the exploit as Trojan.Maljava; our analysis is ongoing.
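The exploit described above reaches the victim as a JAR file fetched by the browser's Java plug-in from the exploit kit's landing page. The following is an added example of the kind of structural check a network- or proxy-level detection can apply to a downloaded body. It is not Symantec's IPS logic and not code from the original post; the heuristic (a ZIP archive containing real Java class files, served under a Content-Type that does not declare it as a JAR) and the sample archive are assumptions constructed here for illustration.

```python
"""Structural triage of a JAR observed in web traffic.

Added example, not Symantec's signature logic. A JAR is a ZIP archive
whose entries include Java class files; class files begin with the
magic bytes CA FE BA BE. Exploit kits often serve such archives under a
generic or misleading Content-Type, so the check below keys on the body
rather than on what the server declares (assumption made for this example).
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"             # local file header of a ZIP archive
CLASS_MAGIC = b"\xca\xfe\xba\xbe"     # first four bytes of every .class file

# Content-Types under which a JAR is legitimately declared (assumed list).
JAR_CONTENT_TYPES = {
    "application/java-archive",
    "application/x-java-archive",
    "application/x-jar",
}


def inspect_jar(blob: bytes) -> dict:
    """Return structural facts about blob; is_jar is False for non-JARs."""
    result = {"is_jar": False, "has_manifest": False, "class_entries": []}
    if not blob.startswith(ZIP_MAGIC):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            real_classes = []
            for name in names:
                if not name.endswith(".class"):
                    continue
                # Only count entries whose bytes really are a class file;
                # a ".class" name alone is easy to spoof either way.
                with zf.open(name) as entry:
                    if entry.read(4) == CLASS_MAGIC:
                        real_classes.append(name)
    except zipfile.BadZipFile:
        return result
    result["has_manifest"] = "META-INF/MANIFEST.MF" in names
    result["class_entries"] = real_classes
    result["is_jar"] = bool(real_classes)
    return result


def flag_download(content_type: str, blob: bytes) -> bool:
    """True when the body is a JAR but the server did not declare it as one."""
    declared = content_type.lower().split(";")[0].strip()
    return inspect_jar(blob)["is_jar"] and declared not in JAR_CONTENT_TYPES


def build_sample_jar() -> bytes:
    """Constructed sample archive: a manifest plus one class-file stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        # Minimal class-file header: magic, minor version 0, major version 51.
        zf.writestr("Loader.class", CLASS_MAGIC + b"\x00\x00\x00\x33" + b"\x00" * 16)
        zf.writestr("decoy.class", b"this is not bytecode")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    print(inspect_jar(sample))
    print("octet-stream flagged:", flag_download("application/octet-stream", sample))
    print("java-archive flagged:", flag_download("application/java-archive", sample))
```

The check deliberately ignores the file extension in the URL and the declared Content-Type as evidence of innocence: a body that parses as a ZIP and contains genuine class-file bytes is treated as a JAR whatever the headers say, which is what lets a generic signature catch an exploit archive before the vulnerability it targets is known.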
There has been a rise in zero-days seen in the wild recently. To aid protection against zero-day attacks, Symantec recommends that you employ the latest Symantec technologies.