
Java/CVE-2013-1488


First posted on 16 October 2014.
Source: Microsoft

Aliases:

There are no other names known for Java/CVE-2013-1488.

Explanation:

Threat behavior

Threat in context

This exploit targets the Java plug-in for web browsers. Java programs (or applets) can be used by websites and run in a "sandbox" - the plug-in enforces rules on what the applet can do so that it cannot escape the restricted environment.

What is an exploit?

Exploits are written to take advantage of weaknesses (or vulnerabilities) in legitimate software. A project called Common Vulnerabilities and Exposures (CVE) gives each vulnerability a unique number, in this case "CVE-2013-1488".

You can find more information on the CVE website or on our page about exploits.

Exploit details


History

This exploit is notable because it was announced in the Pwn2Own contest.

The title of this exploit is "JDBC driver manager improper toString calls" (JDBC means Java Database Connectivity).

Attack method

This exploit uses a defect in the security model rather than a buffer overflow or other memory corruption issue. With memory corruption issues, the exploit might be affected by mitigation technology like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization). However, because this exploit attacks the security model, it might be effective on any platform the Java interpreter runs on (for example Windows, MacOS, or Linux), and DEP or ASLR may not be effective in mitigating it.

In the Pwn2Own contest it was combined with a second exploit called CVE-2013-1489 (which we detect as Exploit:Java/CVE-2013-1489.A). CVE-2013-1489 is delivered in a .JNLP file. The attack chain works like this:

  1. A modified HTML file points to a modified .jnlp file
  2. The .jnlp file points to the potentially malicious .jar (JavaScript) file, and uses CVE-2013-1489 to bypass the usual prompt from Java that warns you are about to run an unsigned or potentially unsafe file.
  3. At this point, the .jar file would normally still be in the Java sandbox - which means even if the .jar file is run, it doesn't have access to elevated privileges. However, in this exploit attack the .jar file uses Exploit:Java/CVE-2013-1488 to break out of the sandbox, thus giving the .jar file elevated privileges.
  4. From there, the .jar file has access to your PC and could then do anything.
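Step 2 of the chain depends on a .jnlp launch file that pulls in a remote .jar. The triage helper below is an added example, not code from this encyclopedia entry or from Microsoft: it parses a JNLP file and reports the jars it would load, whether any come from a host other than the codebase, and whether full permissions are requested. It assumes the standard JNLP 1.x layout (jnlp codebase, resources/jar href, security/all-permissions); the sample JNLP is constructed for the demonstration and is not a real attack file.

```python
# Added triage helper (not from the Microsoft page). Assumes standard JNLP 1.x
# XML: <jnlp codebase=...>, <resources><jar href=.../>, <security><all-permissions/>.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample (not a real file): a launch file that references a jar on a
# different host than its codebase and asks for full permissions - both are
# things a defender would want to look at before letting the launcher run it.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://example.test/apps/">
  <information><title>demo</title><vendor>constructed</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.7+"/>
    <jar href="http://other.example/payload.jar" main="true"/>
    <jar href="lib/helper.jar"/>
  </resources>
  <application-desc main-class="Main"/>
</jnlp>
"""


def triage_jnlp(text: str) -> dict:
    """Return the jars a JNLP would load plus simple risk indicators."""
    root = ET.fromstring(text)
    codebase = root.get("codebase", "")
    base_host = urlparse(codebase).hostname
    # Relative hrefs resolve against the codebase; absolute ones are kept as-is.
    jars = [urljoin(codebase, j.get("href", "")) for j in root.iter("jar")]
    cross_host = [u for u in jars if urlparse(u).hostname != base_host]
    return {
        "codebase": codebase,
        "jars": jars,
        "cross_host_jars": cross_host,
        # <all-permissions/> asks to run outside the sandbox described above.
        "all_permissions": root.find("security/all-permissions") is not None,
        # No <security> element at all means the applet is meant to stay sandboxed.
        "sandbox_only": root.find("security") is None,
    }


def findings(report: dict) -> list:
    """Turn the report into short review notes for an analyst."""
    notes = []
    if report["all_permissions"]:
        notes.append("requests all-permissions (runs outside the sandbox)")
    for url in report["cross_host_jars"]:
        notes.append(f"loads jar from a host other than the codebase: {url}")
    return notes


if __name__ == "__main__":
    for line in findings(triage_jnlp(SAMPLE_JNLP)):
        print(line)
```

The helper only inspects the launch file; whether the referenced jar is signed, and by whom, still has to be checked on the jar itself.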




Analysis by Chris Stubbs

Symptoms

Alerts from your security software may be the only symptom.

Last update 16 October 2014
