Warning: Java Zero Day Flaw Under Attack

Attackers have developed an exploit for a zero-day vulnerability in Java, and experts are concerned that widespread attacks are imminent

Java is under attack again. A zero-day vulnerability in Java is being actively exploited in the wild. The current attacks seem to be targeted, but security experts warn that more widespread attacks could be imminent.

Next to Adobe Reader and Adobe Flash, Java is probably one of the most ubiquitous and widely used applications. Unfortunately, it also provides attackers with plenty of holes and vulnerabilities to exploit, which makes it a popular target.

Proof-of-concept (PoC) code has been developed for the Metasploit Framework tool. Wolfgang Kandek, CTO of Qualys, explains that this is concerning because it makes the exploit available to a much wider audience, and probably means more attacks targeting the Java vulnerability are on the horizon.

Andrew Storms, director of security operations for nCircle, is concerned that it could be a while before a patch or update is released to resolve the vulnerability and guard against these attacks. "Oracle isn't known for releasing patches out of cycle and the next scheduled update for Java isn't until October. Part of the problem is that Java is so ubiquitous that it tends to be overlooked as a 'small' piece of software."

Kandek warns that until a patch is released, the only real defense users can employ is to limit the use of Java or uninstall it altogether. Uninstalling it may be a tad extreme, though. There are options within the Java security controls to restrict its use to well-known websites that are less likely to harbor malicious exploits.
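One way to implement the "well-known websites only" restriction mentioned above is Java's Deployment Rule Set, a mechanism Oracle added in Java 7 Update 40 (after this article was written). This is an added example, not from the article or from Oracle's documentation; the intranet hostname is a placeholder.

```xml
<!-- ruleset.xml: packaged as DeploymentRuleSet.jar, signed with a trusted
     code-signing certificate, and installed system-wide (for example in
     /etc/.java/deployment on Linux). Rules are evaluated top to bottom and
     the first matching rule wins, so the allow rule must come first. -->
<ruleset version="1.0+">
  <!-- Allow Java applets/Web Start apps only from one trusted host
       (placeholder hostname, not from the article). -->
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>
  <!-- Catch-all: an <id/> with no attributes matches every other location,
       so anything not explicitly allowed above is blocked in the browser. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java is blocked on this site by security policy.</message>
    </action>
  </rule>
</ruleset>
```

Because the catch-all blocks rather than merely prompting, a drive-by page cannot rely on a user clicking through a warning dialog.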

Right now, it seems that only the newer version of Java, v7, is vulnerable to the zero-day. Java 1.6 might be safe, although it's not entirely clear at this time. The current attacks are aimed at Java 7 on Windows, but the Metasploit Framework PoC exploit also works on Mac OS X, so Apple users should be on guard as well.

Thankfully, following the last Java exploit debacle, Apple implemented a proactive system that disables Java if it's not actively used over the previous 35 days. So, Mac OS X users who infrequently or rarely use Java should already have the software disabled and not have to worry.

If you're not sure whether your Java is enabled or disabled in Mac OS X, there's a way to find out. Kandek says, "Mac users can check on the state of Java by using the Java Preferences program, which allows the user to disable the connection between Java and the browser by unchecking the 'On' field."

Storms takes issue with Oracle's lack of disclosure and transparency when it comes to threats like this. "Oracle really should take a page out of Microsoft's security response book and start communicating with users about security issues."

Storms sums up, "Until then, the only recourse for users is to disable Java in all Web browsers to protect against drive-by attacks."

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place