Java zero-day prompts calls again to disable

A zero-day Java vulnerability that affects all versions of the browser plug-in has been incorporated in popular exploit kits used by cybercriminals, security experts say.

The exploits for the vulnerability have been implemented within the Blackhole, Cool and Nuclear Pack kits. The flaw affects all versions of the Java plug-in, including the latest Java 7 Update 10.

HD Moore, chief security officer for Rapid7, said the exploits have already been found on compromised websites, which are capable of infecting visitors' PCs with malware. The exploits affect computers running Java in browsers on Windows, Mac OS X or Linux.

"In terms of the impact, this is about as bad as it gets," Moore said.

A French researcher who uses the handle Kafeine discovered the vulnerability Thursday. "This could be mayhem," the researcher said of the flaw.

AlienVault was able to reproduce an exploit of the flaw in a fully patched new installation of Java. "The Java file is highly obfuscated, but based on the quick analysis we did, the exploit is probably bypassing certain security checks, tricking the permission of certain Java classes," researcher Jaime Blasco said in the AlienVault Labs blog.

A similar bypass mechanism was used in exploits of an earlier Java vulnerability, listed as CVE-2012-4681 in the National Vulnerability Database.


"Right now, the only way to protect your machine against this exploit is disabling the Java browser plugin," Blasco said. "Let's see how long it takes for Oracle to release a patch."

Security experts often criticize Oracle for moving too slowly in releasing Java patches and for not sharing enough information about vulnerabilities. Oracle did not respond to a request for comment.

The Java plug-in has become a favorite of criminals looking to hijack PCs for botnets and to steal personal data, credit card numbers and online banking credentials. A large number of computers are infected through drive-by downloads on compromised websites, which are typically seeded with Web exploit tool kits.

Java plug-ins are particularly vulnerable because users often do not deploy security updates in a timely fashion. Rapid7 estimates that 65% of the installations today are unpatched.

Experts recommend disabling Java in browsers unless it is needed to reach specific applications. In that case, dedicate a separate browser to that single purpose and use it for nothing else.
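The recommendation above is only useful if you can verify it has actually been applied across a fleet. The following script is an added example, not code from the article or from Oracle: it parses a Java `deployment.properties` file and reports whether the browser plug-in is enabled. It assumes the `deployment.webjava.enabled` setting that the Java Control Panel writes from Java 7 Update 10 onward (the page does not mention this key) and the per-user file locations listed in `CANDIDATE_PATHS`; the two sample files at the bottom are constructed for illustration.

```python
import os
import sys

# Setting written by the Java Control Panel's "Enable Java content in the
# browser" checkbox (assumption: Java 7u10+; absent means enabled).
WEBJAVA_KEY = "deployment.webjava.enabled"

# Per-user deployment.properties locations (assumed, by platform).
CANDIDATE_PATHS = {
    "win32": r"%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties",
    "darwin": "~/Library/Application Support/Oracle/Java/Deployment/deployment.properties",
    "linux": "~/.java/deployment/deployment.properties",
}


def parse_properties(text):
    """Minimal Java .properties parser: key=value / key:value / bare key."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        # First '=' or ':' separates key from value; a bare key (e.g. the
        # '.locked' marker lines) gets an empty value.
        cut = len(line)
        for sep in "=:":
            pos = line.find(sep)
            if pos != -1 and pos < cut:
                cut = pos
        key = line[:cut].strip()
        value = line[cut + 1:].strip() if cut < len(line) else ""
        props[key] = value
    return props


def audit(text):
    """Report whether the browser plug-in is enabled in this properties text.

    Returns {"enabled": bool, "locked": bool}. The plug-in counts as enabled
    unless the key is explicitly set to "false"; "locked" means the setting
    was pushed by policy and cannot be flipped back from the Control Panel.
    """
    props = parse_properties(text)
    value = props.get(WEBJAVA_KEY, "true").lower()
    return {
        "enabled": value != "false",
        "locked": WEBJAVA_KEY + ".locked" in props,
    }


def audit_local_user():
    """Audit the current user's file; returns None if none is found."""
    template = CANDIDATE_PATHS.get(sys.platform, CANDIDATE_PATHS["linux"])
    path = os.path.expanduser(os.path.expandvars(template))
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(fh.read())


# Constructed samples: a fresh install with no web setting, and a file where
# the plug-in has been disabled and locked by policy.
SAMPLE_DEFAULT = """#deployment.properties
#Thu Jan 10 12:00:00 EST 2013
deployment.version=7.10
"""
SAMPLE_DISABLED = """deployment.version=7.10
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"""

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("disabled", SAMPLE_DISABLED)):
        print(name, audit(sample))
    print("this user:", audit_local_user())
```

Because an absent key means the plug-in is on, the audit treats silence as a finding rather than as compliance; that is the case a fresh or upgraded install presents.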


I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.