InformationWeek – (International) Java zero day attack: Second bug found. The zero-day Java attack recently discovered by security researchers, which appears to have been launched from China, is more complex than previously thought. While researchers had identified a Java 7 security-settings bug exploited in the attack, they have since found it is chained with a second vulnerability. ―Most of the online analysis talks about one vulnerability, where we saw two vulnerabilities being exploited to achieve full execution on a target, according to a blog post from a Python developer and security researcher at the information security firm Immunity. ―The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets, while the second bug invokes the getField public static method on SunToolkit using reflection, with a trusted immediate caller bypassing a security check. He said the bugs had to be chained together to create a working exploit. He also noted the ―getField Java bug was introduced with Java 7.0 — which debuted July 28, 2011 —and suggested a foreign nation state, or states, may have been ―enjoying it non-stop for - 14 - quite some time now.
Ali Loney, on August 29, 2012