As a Java zero-day spreads, disclosure questions arise

A zero-day Java exploit is growing more prevalent now that it has been added to the BlackHole exploit kit, a popular, commercially available framework for delivering web attacks.

Kurt Baumgartner, a senior security researcher at security firm Kaspersky Lab, said Tuesday in a blog post that infections are becoming more common, spreading from their initial starting point in China to computers in the United States, Russia, Belarus and Germany, among other nations.

News of the ramp-up in attacks comes as researchers at penetration testing company Immunity disclosed Tuesday that the exploits actually are taking advantage of two unpatched vulnerabilities in Java 7 -- not just one, as originally was believed.

"[O]ne is used to obtain a reference to the 'sun.awt.SunToolkit' class, and the other is used to invoke the public 'getField' method on that class," Immunity developer Esteban Guillardoy wrote in a technical analysis of the bugs.

Every major browser is susceptible to the attack.

Nearly all security experts recommend that users disable or uninstall Java in the browser to protect themselves. For those still desiring to run the software platform, nonprofit DeepEnd Research has created an unofficial patch, and it is available upon request.

The zero-day also has reignited debate around vulnerability disclosure practices. Some in the security community are upset that researchers publicly linked to the exploit code -- it also was added to the Metasploit pen testing framework -- while others believe the full disclosure will force Oracle to act quickly to fix the issue. The company is next scheduled to release Java security updates Oct. 16.

An Oracle spokesman did not immediately respond to a request for comment.
