
Exploit:Java/CVE-2010-3552.A


Exploit:Java/CVE-2010-3552.A is a detection for HTML code that uses a certain Java plug-in to exploit a vulnerability in Java described in CVE-2010-3552, otherwise known as the Java Skyline exploit. Successful exploitation leads to remote code execution.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

This threat exploits a known vulnerability in Java. After removing this threat, make sure that you install the updates available from the vendor. You can read more about this vulnerability in Java, as well as where to download the software update from the following links:

It may be necessary to remove older versions of Java that are still present. Keeping old and unsupported versions of Java on your system presents a serious security risk. To read more about why you should remove older versions of Java, see the following information.

Threat behavior


Installation

When a user running a vulnerable version of Sun Java visits a website that hosts this malicious Java class, Exploit:Java/CVE-2010-3552.A, Java's security checks may be bypassed, allowing arbitrary code execution.

Payload

When the exploitation is successful, Exploit:Java/CVE-2010-3552.A attempts to download and execute a file, often a malicious program, from a specified URL.

We observed it using the following URL to download a binary file via HTTP and execute it as "test.exe":

86.55.210.234/d3vi**/bl.php?i=10

Note: This URL has been deliberately masked, although at the time of writing the site was already unavailable.

Analysis by Jonathan San Jose


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.105.1068.0
Latest detected by definition: 1.117.2303.0 and higher
First detected on: Jun 01, 2011
This entry was first published on: Jun 01, 2011
This entry was updated on: Jul 04, 2011

This threat is also detected as:
No known aliases