An interesting case of JRE sandbox breach (CVE-2012-0507)


Malware: Zbot
Botnet/malware group: (not specified)
Exploit kits: (not specified)
Distribution vector: (not specified)
Operation/Working group: (not specified)
Date: 2012 / 20 Mar 2012
Editor/Conference: Microsoft
Link: (Archive copy)
Author: Jeong Wook (Matt) Oh, Chun Feng


Recently we received a few samples that exploit the latest patched JRE (Java Runtime Environment) vulnerability. These samples are kind of unusual to see, but they can be used to develop highly reliable exploits. The malicious Java applet is loaded from an obfuscated HTML file. The Java applet contains two Java class files - one Java class file triggers the vulnerability and the other one is a loader class used for loading.

The vulnerability-triggering class is actually performing deserialization of an object array and uses a vulnerability in the AtomicReferenceArray to disarm the JRE sandbox mechanism. The attacker deliberately crafted the serialized object data. This reference array issue is very serious since the exploit is not a memory corruption issue, but a logical flaw in the handling of the array. So the exploit is highly reliable, and that might be one of the reasons why the bad guys picked up this vulnerability for their attacks. We determined this vulnerability to be CVE-2012-0507.


@misc{2012BFR945,
  editor = {Microsoft},
  author = {Jeong Wook (Matt) Oh, Chun Feng},
  title = {An interesting case of JRE sandbox breach (CVE-2012-0507)},
  date = {20},
  month = mar,
  year = {2012},
  howpublished = {\url{}},
}