Java native layer vulnerabilities and now seeing use to infiltrate businesses and government systems, researchers said.
These new attacks on Oracle’s Java platform are getting increasingly complex, said Trend Micro threats analyst Jack Tang in a blog post.
“Java exploits can be divided into two types: Java layer exploits and Java native layer exploits,” he said. “In the past, Java layer vulnerabilities were more common, but that is no longer the case. Before 2013, there was a three-to-one ratio of Java layer vulnerabilities to Java native layer vulnerabilities. Starting this year, however, we are now seeing more native layer flaws.”
Tang said the move to target Java Native Layer exploits is troubling as they show an advance in sophistication within the cyber criminal community.
“Java native layer exploits target the Java native layer runtime. These exploits are harder to create, as they need to bypass OS-level protections like ASLR [address space layout randomization] and DEP [Data Execution Prevention]. In addition, the skills needed to create native layer exploits are more difficult to acquire,” he said.
“This year, however, attackers clearly have the capability to take advantage of native layer vulnerabilities. Two methods of exploitation are becoming more common, one is to make use of a Java array length overflow to tamper with the JavaBeans. Statement object’s AccessControlContext member.”
Tang said the exploits detected are more perilous as they grant the attack a number of powers over successfully infected systems.
“An attacker can then use the array object to get or set the following buffer precisely. They can tamper with the following JavaBeans,” he said. “Statement object’s acc field, which points to a AccessControlContext object. In general, the acc field will be tampered to point to a full permission AccessControlContext object. This will let arbitrary code be run on the affected system.”
Oracle’s Java platform has been a growing target for cyber criminals. Over the last year the attacks have forced Oracle to release a number of out of cycle security updates.
Despite fixes being ready and available, quite a few companies are not releasing updates, which means attackers are still targeting the vulnerabilities.
Tang said businesses to update their systems as soon as possible.