As a Java zero-day spreads, disclosure questions arise

A zero-day Java exploit is growing more prevalent now that it has been added to the BlackHole exploit kit, a popular, commercially available framework for delivering web attacks.

Kurt Baumgartner, a senior security researcher at security firm Kaspersky Lab, said Tuesday in a blog post that infections are becoming more common, spreading from their initial starting point in China to computers in the United States, Russia, Belarus and Germany, among other nations.

News of the ramp-up in attacks comes as researchers at penetration testing company Immunity disclosed Tuesday that the exploits are actually taking advantage of two unpatched vulnerabilities in Java 7 -- not just one, as was originally believed.

"[O]ne is used to obtain a reference to the 'sun.awt.SunToolkit' class, and the other is used to invoke the public 'getField' method on that class," Immunity developer Esteban Guillardoy wrote in a technical analysis of the bugs.

Every major browser is susceptible to the attack.

Nearly all security experts recommend that users disable or uninstall Java in the browser to protect themselves. For those still desiring to run the software platform, nonprofit DeepEnd Research has created an unofficial patch, and it is available upon request.

The zero-day has also reignited debate around vulnerability disclosure practices. Some in the security community are upset that researchers publicly linked to the exploit code -- it was also added to the Metasploit pen testing framework -- while others believe the full disclosure will force Oracle to act quickly to fix the issue. The company is next scheduled to release Java security updates Oct. 16.

An Oracle spokesman did not immediately respond to a request for comment.
