Latest Java zero-day exploit renews calls to disable it

A zero-day Java exploit found for sale in the criminal underground has renewed calls to disable the cross-platform runtime environment in Web browsers.

The latest exploit of a vulnerability not yet publicly known was reported on Tuesday by Brian Krebs, author of the KrebsonSecurity blog. An established member of the Underweb forum, an invitation-only site, was selling the exploit for Java JRE 7 Update 9, the latest version of the platform. The expected price was in the "five digits."

The flaw was in the Java class "MidiDevice.Info," a component that handles audio input and output, Krebs said. The seller claimed "code execution was very reliable" on Firefox, Microsoft Internet Explorer and Windows 7.

The latest exploit discovery comes three months after two other zero-day vulnerabilities and exploit code were found, one by a security researcher at Accuvant and the other by a developer at Immunity. The flaws were in Java 7 and affected Windows, Mack OS X and Linux operating systems running a browser with a Java plug-in.

The latest exploit was unusual because they are seldom sold in such an open manner, said Chester Wisniewski, a senior security adviser for Sophos. "Granted it is on a members only criminal forum, but it sounds like the post was rather straight forward."

Java is used in 3 billion devices worldwide, says its steward, Oracle. The platform's ubiquity makes it a favorite hacker target, along with the fact that the platform often goes unpatched in people's computers. Security company Rapid7 estimates that 65% of the installations today are unpatched.

"Many people don't even know Java is installed on their computers and browsers, and that's a huge problem," said Andrew Storms, director of security operations at nCircle.

Oracle contributes to the problem by not working more closely with the security industry in building better defenses in Java, Storms said. The company shares very little information with security experts between patches.

[See also:Oracle knew about currently exploited Java vulnerabilities for months, researcher says]

"We could all benefit by Oracle stepping up the game to engage the community at large," Storms said.

Experts recommend disabling Java in Web browsers, unless it is needed to access specific business applications. In the latter case, a separate browser should be dedicated for the sole purpose of accessing those applications.

"IT departments should really consider if users need to access Java for business critical applications, otherwise, they should get rid of it," said Rob Rachwald, director of security strategy at Imperva.

Another option is to configure a client firewall to block a browser's Java plug-in from accessing the Internet, unless the destination site is on a whitelist.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Tags: Data Protection | Malware, applications, zero-day, Microsoft, java, legal, software, data protection, cybercrime, sophos

Financial services firms to increase cyber security budgets this year, PwC claims

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

AVG Internet Security 2011 Business Edition

Ultimate protection for your small or medium-sized business

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.