Tuesday, October 20, 2015
New Headaches: How The Pawn Storm Zero-Day Evaded Java’s Click-to-Play Protection
from TrendLabs Security Intelligence Blog
Several months ago, we disclosed that Pawn Storm was using a then-undiscovered zero-day Java vulnerability to carry out its attacks. At the time, we noted that a separate vulnerability was used to bypass Java’s click-to-play protection. This second vulnerability has now been patched by Oracle as part of its regular quarterly update.

Click-to-play requires the user to click the space where the Java app would normally be displayed before it is executed. In effect, it asks users whether they are really sure they want to run any Java code. Bypassing click-to-play protection allows malicious Java code to run without any alert windows being shown. This was quite useful to Pawn Storm, which used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year.