Oracle JRE Sandbox Restriction Bypass - Flashback Trojan

April 5, 2012

Java is a programming language originally developed by James Gosling at Sun Microsystems (since acquired by Oracle Corporation) and released in 1995 as a core component of Sun's Java platform. It is a general-purpose, concurrent, class-based, object-oriented language designed to have as few implementation dependencies as possible. Java remains one of the most widely used programming languages, particularly for client-server web applications, with a reported 10 million users.

Java source is compiled to bytecode (class files) that runs on any Java Virtual Machine (JVM) regardless of the underlying hardware architecture. Browsers such as Internet Explorer, Firefox, Google Chrome and Safari therefore host a JVM through a plugin on Windows, Linux, Mac OS X and other operating systems. A Java applet is a Java application delivered to the browser as bytecode. Unsigned applets execute in a sandbox that denies them access to local resources such as the clipboard and the file system.

The base Java security sandbox consists of three major components: the bytecode Verifier, the Class Loader and the Security Manager. Each of them must work correctly for untrusted code to run securely. Type safety is the most essential element of Java's security model: a program cannot perform an operation on an object unless that operation is valid for the object's actual type. The Security Manager's permission checks rest on this guarantee; once an attacker can make the JVM treat an object as an instance of a class it is not, those checks can be stepped around.

There is a type safety vulnerability in the Java Runtime Environment's java.util.concurrent.atomic.AtomicReferenceArray class. When an AtomicReferenceArray is deserialized, the vulnerable JRE does not check that the array supplied in the stream is really an Object[]; the stream may carry an array of any reference type. Because set() then writes into that backing array without the array store check a normal Java assignment would perform, a malicious applet can place an object of one class into an array of another, and the JVM subsequently treats that object as an instance of the wrong class. A malicious Java application or applet can use this type confusion to crash the Java Virtual Machine or to bypass the Java sandbox restrictions. Successful exploitation allows an untrusted applet to escape the sandbox and execute arbitrary code with the full privileges of the user running the browser.

Multiple malware variants exploiting this vulnerability have been observed in the wild. They belong to the family known as the Flashback Trojan, which has reportedly infected hundreds of thousands of Macs. The SonicWALL UTM team has researched this vulnerability and created the following IPS and GAV signatures to cover both the vulnerability and the active malware in the wild:

  • IPS: 7661 Oracle JRE AtomicReferenceArray Sandbox Restriction Bypass
  • GAV: 31909 MacOSX.Flashback.E
  • GAV: 51475 MacOSX.Flashback.A
  • GAV: 31902 MacOSX.Flashback.G
  • GAV: 51945 MacOSX.Flashback.C

This vulnerability has been assigned CVE-2012-0507. Oracle fixed it in the February 2012 Critical Patch Update (JRE 7 Update 3 and JRE 6 Update 31); Mac OS X users depend on Apple's separately distributed Java update, which did not ship until April 3, 2012, leaving a window in which Flashback spread.