A Zero-Day notice released by kb.cert.org explains of a new Java 7 zero-day which fails to restrict access to privileged code.
The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.
The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException".
By leveraging unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier are affected.This zero-day is already being utilized in the wild, and is described to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. You can find the could on Metasploit’s site.
This exploit could be used on various compromised sites and convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
To circumvent any attacks, you can now disable java running in your browser in Oracles new update.
