Finding vulnerabilities

Java applet attack targets NATO, Java devs pissed about click-bait

Natali Vlatko
Security image via Shutterstock

A Java “zero-day” attack has been reported by security firm Trend Micro, which turns out to be a vulnerability in the Java applet. Java developers have vented their frustrations that they are once again forced to defend their ecosystem.

Security firm Trend Micro have discovered a Java applet vulnerability in Java 8 that has been exploited to attack members of NATO and a US defence organisation. The firm has reported that this is the first “zero-day attack against Java” since 2013.

The attack involves a new, unpatched susceptibility against the applet that leverages a three-year-old vulnerability in Microsoft Windows Common Controls CVE-2012-015. When the vulnerability is successfully exploited, “it executes arbitrary code on the default Java settings thus compromising the security of the system”.

Trend Micro addressed the older vulnerability in bulletin MS12-027, which provided a patch for the problem. The security firm has alerted Oracle and is currently working with them on a solution, however it has recommended “disabling Java” until a patch is supplied.

Don’t diss Java

Responding to the announcement, members of the Java community have criticised the suggestion to disable Java entirely, with their announcement seen as further fuelling the “Java hate”. Commenter sigzero was quick to highlight the issue: “JAVA APPLET! Stop the click bait. You don’t disable JAVA. Ugh”.

On Hacker News, user StevePerkins pointed out the misunderstanding this can cause:

I wish to God that Oracle would simply deprecate and discontinue browser-side Java applet support. Whenever people see a headline like “Java Vulnerability Found!”, it is virtually always referring to the client-side applet plugin. Yet 99% of readers don’t understand that, and think that Java is insecure in general.

Not only does this false representation of Java give the technology itself a bad name, but the developers aligned with it are also found in the firing line:

Java applets are basically the non-Microsoft business world’s answer to ActiveX. A dead 1990’s technology that no one has cared about in 15 years or more, which only still exists to support backwards-compatibility for some horrible crusty shops still running on XP or even NT/2000. No contemporary Java developer gives a fuck about applets, and by “contemporary” I mean “any greenfield development done since 9/11”. However, we’re all sick to death of having to defend our ecosystem against constant FUD, due to this horrible piece of obsolete legacy cruft.

Just kill it. Seriously.

The attack centres on emails containing links to malicious domains that host the JAVA_DLOADR.EFD exploit. A Trojan dropper (TROJ_DROPPR.CXC) is then delivered that drops a payload detected as TSPY_FAKEMS.C to the “login user” folder.

More details from the Trend Micro blog can be found here.

Natali Vlatko
An Australian who calls Berlin home, via a two year love affair with Singapore. Natali was an Editorial Assistant for (S&S Media Group).

Inline Feedbacks
View all comments