As a Java zero-day spreads, disclosure questions arise

A zero-day Java exploit is growing more prevalent now that it has been added to the BlackHole exploit kit, a popular, commercially available framework for delivering web attacks.

Kurt Baumgartner, a senior security researcher at security firm Kaspersky Lab, said Tuesday in a blog post that infections are becoming more common, spreading from their initial starting point in China to computers in the United States, Russia, Belarus and Germany, among other nations.

News of the ramp-up in attacks comes as researchers at penetration testing company Immunity disclosed Tuesday that the exploits actually are taking advantage of two unpatched vulnerabilities in Java 7 -- not just one, as originally was believed.

"[O]ne is used to obtain a reference to the 'sun.awt.SunToolkit' class, and the other is used to invoke the public 'getField' method on that class," Immunity developer Esteban Guillardoy wrote in a technical analysis of the bugs.

Every major browser is susceptible to the attack.

Nearly all security experts recommend that users disable or uninstall Java in the browser to protect themselves. For those still desiring to run the software platform, nonprofit DeepEnd Research has created an unofficial patch, and it is available upon request.

The zero-day also has reignited debate around vulnerability disclosure practices. Some in the security community are upset that researchers publicly linked to the exploit code -- it also was added to the Metasploit pen testing framework -- while others believe the full disclosure will force Oracle to act quickly to fix the issue. Oracle's next scheduled Java security update is due Oct. 16.

An Oracle spokesman did not immediately respond to a request for comment.
