CIS 5.9 bypassed by java_rhino exploit

hey guys,

I made a video about CIS 5.9 being bypassed by a fairly new exploit called ‘java rhino’.
You can read more about this exploit here [rapid7.com] and here [darkreading.com].

This video shows how easy it is to set up this exploit and exploit a system. A user only has to visit a link and he/she is infected. CIS 5.9 is bypassed. There is not one alert given at all.

All modules of CIS are active. Settings are:

  • Proactive Security
  • Sandbox set to ‘untrusted’

The rest of the settings are just the stock proactive security settings.

PC runs on Windows 7 SP1 64 bit, fully updated.
Java version is 6 update 27 (released in October 2011).

I’ve tested this exploit against a few other AVs and the results were:

MSE – bypassed
Panda Cloud – bypassed
Avira free – bypassed
Avg free – bypassed
CIS – bypassed
Unthreat Free – bypassed
Spyshelter Premium – bypassed

Avast – protected system (detected exploit with signature)
Sandboxie – protected system. After deleting the contents of the sandbox, the connection is broken.
NoScript – protected system. Will block the Java applet/exploit.

As you can see this is not only a CIS related problem. If an AV does not have a signature for either the exploit and/or the payload, it will most likely be bypassed. Comodo’s D+ and FW did not help against this exploit.

Link to video: YouTube

How to protect yourself against this exploit

To protect yourself against this exploit you can either:

  • Update your Java version to version 29 or newer.
  • Uninstall Java if you do not use it.

This will protect your PC against the java_rhino exploit. Java is one of the most exploited programs on the internet atm. There are new exploits coming out all the time.

If you want extra protection, you can read here about setting up CIS for protection against future Java exploits (thanks to Ronny for figuring this out :-TU): https://forums.comodo.com/news-announcements-feedback-cis/cis-59-bypassed-by-javarhino-exploit-t79741.0.html;msg572054#msg572054

mod edit: obfuscated (tiny.cc) URLs replaced. kail
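As an added example (not part of this thread or of CIS), the check below applies the rule from the post above, Java 6 older than Update 29 is exposed, to version strings in the form printed by `java -version` or used as JavaSoft registry subkey names. The sample `java -version` output is constructed, and treating non-Java-6 lines as "not covered by this rule" is an assumption, since the post only speaks about the Java 6 line.

```python
import re
from typing import Dict, Optional

# Rule from the post: Java 6 builds below Update 29 are exposed.
# Assumption: only the Java 6 line is judged; other lines return None.
PATCHED_UPDATE_JAVA6 = 29

# Accepts "1.6.0_27", "1.6.0_29-b11" (java -version style) and "1.7.0".
_VERSION_RE = re.compile(
    r'^1\.(?P<minor>\d+)\.(?P<patch>\d+)(?:_(?P<update>\d+))?(?:-b\d+)?$')

# Constructed sample of `java -version` output for a 6u27 install.
SAMPLE_JAVA_VERSION_OUTPUT = (
    'java version "1.6.0_27"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_27-b07)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 20.2-b06, mixed mode)\n'
)

def parse_java_version(text: str):
    """'1.6.0_27' -> (6, 27); a missing _NN update number counts as 0."""
    m = _VERSION_RE.match(text.strip().strip('"'))
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    update = int(m.group("update")) if m.group("update") else 0
    return int(m.group("minor")), update

def version_from_output(output: str) -> str:
    """Pull the quoted version out of the first line of `java -version`."""
    m = re.search(r'java version "([^"]+)"', output)
    if not m:
        raise ValueError("no 'java version \"...\"' line in output")
    return m.group(1)

def vulnerable_per_thread(text: str) -> Optional[bool]:
    """True: Java 6 below u29.  False: Java 6 u29 or newer.  None: other line."""
    minor, update = parse_java_version(text)
    if minor != 6:
        return None
    return update < PATCHED_UPDATE_JAVA6

def audit(installs) -> Dict[str, str]:
    """Map each installed version string to a short verdict for a report."""
    labels = {True: "UPDATE OR UNINSTALL", False: "ok",
              None: "not covered by this rule"}
    return {v: labels[vulnerable_per_thread(v)] for v in installs}

if __name__ == "__main__":
    found = [version_from_output(SAMPLE_JAVA_VERSION_OUTPUT), "1.6.0_29-b11", "1.7.0"]
    for version, verdict in audit(found).items():
        print(f"{version:14} {verdict}")
```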

Yes, Java needs to be installed. Problem is that tons of people have Java installed, although they never make use of it. A lot of people have an outdated version of Java installed too…

Does it also need .NET Framework? I don’t have that installed either.

Looks like a hole that needs to be plugged; in the meantime keep your Java up to date or uninstall it if you don’t use it.
Replace ‘Java’ with everything that plugs into your browser, as they could also be exploited one way or the other.

I don’t think it needs .NET Framework. Pretty sure it does not. Just needs Java.

Thanks. Interesting video. I hope the CIS devs will look into it further. :-TU

How exactly did Avast protect against it? Can you give exact details?

Detected with a signature, so the exploit was blacklisted in their AV.

Yes, I hope so too. I think a possibility could be that Comodo just starts blocking all known payloads. This way an exploit could run, but it can’t make contact with the hacker’s machine. This would be more efficient than blocking all exploits, I think.

When opening the page and starting the exploit Avast detected the exploit with a signature. It detected the exploit, not the payload. The PC was thereby not compromised.

This is Avast’s description after blocking the infection: Avast | Security Center

Thanks for the heads up

This finding could save a lot of people.

Java should not be able to run without consent.

Was only the antivirus of Avast enabled (data protection system), or things like script blockers etc. too?

All Avast systems were running, in stock settings. All shields were active.
I’m trying to find a way to submit this exploit to Comodo atm.

Try uploading the sample detected by Avast

Two other questions are left:
What happens under Defense+ safe mode with the sandbox disabled? At least a question? (Blocked exploit otherwise.)

What happens with firewall running on custom mode? Remote executing possible without question?

Will try this out right now.

Edit: Okay, I tried this.

Turning off the sandbox did not display any alert or intrusions for D+.
Changing the FW to custom policy will actually give the user the option to block the payload!

The user will see this alert: http://i802.photobucket.com/albums/yy305/webbie146/firewall.png
The alert does state that java.exe is a safe app and can safely be allowed. Users might get confused by this and press allow. Anyways, custom policy for the FW will give the users the option to block the payload :-TU

What happens if you have CIS configured as I suggest here?

Thanks.

How about turning off enhanced security mode?

Java Downloader Comodo Not Detected :embarassed:

Dragon can stand up to this… It asks if you want to run Java or not… ;D

As for CIS… I >believe< 6.0 will help protect vs this…

Try this procedure: disable antivirus, firewall, Defense+, quit CIS, terminate cmdagent, uncheck “Run cloud behavior analysis based on unrecognized files” and “automatically check the files not recognized in the cloud”,
remove all files from Trusted Files.

Important: delete all files in the folder C:\Program Files\COMODO\COMODO Internet Security\database
and restart the PC and redo the test.
Oops! After the restart, activate antivirus, firewall and Defense+, except the check in the cloud ;D
Does not hurt to try :-TU

Sorry for my English!