CVE-2012-0507 — Oracle Java SE Runtime Environment (JRE) Arbitrary Code Execution Vulnerability

CVE-2012-0507

Oracle Java SE — Concurrency AtomicReferenceArray Type Confusion Sandbox Escape, Exploited by Flashback Mac Botnet

What is Oracle Java SE?

Oracle Java SE includes the Java Runtime Environment (JRE), which enables browser-based Java applets — programs embedded in web pages that run inside the JRE security sandbox. The sandbox's Security Manager is supposed to prevent applets from accessing the operating system. Sandbox escape vulnerabilities bypass these restrictions and allow applets to execute arbitrary code with the privileges of the browser user. Java applet vulnerabilities were the dominant drive-by download vector from approximately 2010 to 2013, and CVE-2012-0507 is among the most significant of that era.

Overview

CVE-2012-0507 is a type confusion vulnerability in the java.util.concurrent.atomic.AtomicReferenceArray class in Oracle Java SE. An untrusted Java applet can exploit the flaw to store a reference to an object of an incorrect type into the array, bypassing the Security Manager's type safety checks and escaping the sandbox to execute arbitrary code on the host system.

This vulnerability is most notably associated with the Flashback Trojan — the largest Mac malware outbreak in history, which infected approximately 600,000 Macs globally.

Affected Versions

| Product | Vulnerable Versions | Fixed Version |
| --- | --- | --- |
| Java SE 7 (JDK/JRE) | 7u2 and earlier | 7u3 |
| Java SE 6 (JDK/JRE) | 6u30 and earlier | 6u31 |
| Java SE 5.0 (JDK/JRE) | 5.0u33 and earlier | 5.0u35 |
| Java SE 1.4.2 | 1.4.2_35 and earlier | 1.4.2_37 |

Technical Details

AtomicReferenceArray provides thread-safe atomic operations on arrays of object references. The type confusion flaw exists in how array element types are validated when storing values: by exploiting the compareAndSet operation with a crafted object hierarchy, an applet could bypass Java's type system and insert a reference of type Object[] where a specific class type was expected.

This type confusion allowed the applet to read and write arbitrary memory by treating the mistyped array as a different data structure, ultimately enabling access to protected Java internals and the ability to disable the Security Manager — achieving full code execution outside the sandbox.

Why it was so effective: The exploit required no memory corruption — it was a pure logic flaw in the type system, making it portable across all JVM implementations, operating systems, and processor architectures simultaneously.

Discovery

The vulnerability was discovered and exploited by the authors of the Flashback Trojan before Oracle published a patch. Oracle released the fix in the February 2012 Critical Patch Update — but Apple's distribution of Java for macOS lagged significantly behind Oracle's update, leaving Mac users vulnerable for approximately two months after the Windows/Linux fix was available.

Exploitation Context

Flashback Trojan on macOS (the most notable exploitation): The Flashback malware campaign exploited CVE-2012-0507 to silently install a trojan on Mac OS X systems visiting compromised websites. At peak infection in April 2012, approximately 600,000 Macs were infected — the largest macOS malware outbreak ever recorded. Flashback created a botnet used for ad fraud and credential theft. The scale shocked the security community, which had long assumed Macs were immune to drive-by malware.

Windows/Linux exploitation: Blackhole Exploit Kit, Cool Exploit Kit, and other crimeware platforms also incorporated CVE-2012-0507 to install Windows malware — banking trojans, spam botnets, and ransomware precursors — on vulnerable Windows users. The ransomwareUse: true flag reflects ransomware families' later use of Java exploit chains.

Remediation

  1. Apply Oracle CPU February 2012 — update to Java 7u3 / 6u31 / 5.0u35 immediately
  2. Mac users should apply Apple's "Java for OS X 2012-003" update, which was released in April 2012
  3. Disable the Java browser plugin if it is not required — this eliminates the entire class of Java applet sandbox exploits
  4. Java SE 6 and 7 have reached end-of-life; migrate to Java 17 LTS or 21 LTS for continued security support
  5. For macOS environments, use a Mobile Device Management (MDM) solution to enforce Java plugin settings and monitor for Flashback indicators (the malware injected into launched applications)
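
An added example (not part of the original advisory or any vendor tooling): a Python triage of `java -version` output against the Affected Versions table above, for checking an inventory before and after patching. It assumes the legacy `1.<major>.<minor>_<update>` version-string format; the host names and sample lines are constructed, and updates that fall between the table's "vulnerable" and "fixed" values are reported as unlisted rather than guessed.

```python
import re

# family -> (highest update the table lists as vulnerable, update the table lists as fixed)
AFFECTED = {
    "1.7.0": (2, 3),    # Java SE 7: 7u2 and earlier, fixed in 7u3
    "1.6.0": (30, 31),  # Java SE 6: 6u30 and earlier, fixed in 6u31
    "1.5.0": (33, 35),  # Java SE 5.0: 5.0u33 and earlier, fixed in 5.0u35
    "1.4.2": (35, 37),  # Java SE 1.4.2: 1.4.2_35 and earlier, fixed in 1.4.2_37
}

# Quoted version in the first line of `java -version`, e.g. "1.6.0_30" or "17.0.2".
VERSION_RE = re.compile(r'"(\d+(?:\.\d+){0,2})(?:_(\d+))?[^"]*"')

def classify(version_line):
    """Return 'vulnerable', 'fixed', 'unlisted' or 'unparsed' for one version line."""
    m = VERSION_RE.search(version_line)
    if not m:
        return "unparsed"
    family, update = m.group(1), int(m.group(2) or 0)  # no _NN suffix means update 0
    if family not in AFFECTED:
        return "unlisted"  # release family not covered by the table
    last_vulnerable, first_fixed = AFFECTED[family]
    if update <= last_vulnerable:
        return "vulnerable"
    if update >= first_fixed:
        return "fixed"
    return "unlisted"  # update falls between the two values the table gives

def triage(inventory):
    """Group host names by classification so vulnerable and unresolved hosts stand out."""
    groups = {}
    for host, line in sorted(inventory.items()):
        groups.setdefault(classify(line), []).append(host)
    return groups

# Constructed sample inventory: host name -> first line of `java -version` output.
SAMPLE_INVENTORY = {
    "mac-lab-01": 'java version "1.6.0_29"',
    "win-kiosk-02": 'java version "1.7.0_02"',
    "build-03": 'java version "1.6.0_31"',
    "legacy-04": 'java version "1.5.0_34"',
    "app-05": 'openjdk version "17.0.2" 2022-01-18',
    "unknown-06": "java: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

The `java` found on PATH is not necessarily the JRE the browser plugin loads, so on hosts with several installs each one needs checking.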

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2012-0507 |
| Vendor / Product | Oracle — Java SE |
| NVD Published | 2012-06-07 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | ⚠️ Yes |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2012-02-14 | Oracle releases Java 6u31 and Java 7u3 patching the Concurrency type confusion |
| 2012-04 | Flashback Trojan achieves peak infection — approximately 600,000 Macs worldwide |
| 2012-04-03 | Apple releases Java for OS X 2012-003 update patching CVE-2012-0507 on macOS |
| 2012-06-07 | CVE-2012-0507 published |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |
