New Java exploit on the loose, unofficial patch may help


Researchers are tracking a new, zero-day Java exploit that is being used in active attacks -- and users may have no choice but to disable the platform.

First reported Sunday by security firm FireEye, the vulnerability affects most versions of Java Runtime Environment, including the most recent iteration.

Proof-of-concept code has been published, and with no patch available, researchers are bracing for an uptick in incidents beyond the limited, targeted occurrences seen to date. According to FireEye, the exploits observed so far have been launched from IP addresses based in the Asia region.

Developers at vulnerability management company Rapid7, which owns the Metasploit Project, on Sunday added the exploit to their penetration testing framework. And the exploit is expected to show up -- if it hasn't already -- in the widely used BlackHole exploit toolkit, one of the most popular threats on the web.

"The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails," researchers André DiMino and Mila Parkour of DeepEnd Security said in a blog post.

Oracle, which releases Java patches on a quarterly basis, isn't scheduled to fix the software again until Oct. 16, though researchers believe this vulnerability may warrant an out-of-cycle update.

In the meantime, DeepEnd Security said users should disable Java. But if they must run the technology, the all-volunteer organization is offering an unofficial patch.

Michael Schierl, a German software developer and Java expert, told SCMagazine.com on Monday that this particular exploit only affects instances where the Java sandbox is used, such as in browser applets. Other Java scenarios, such as when the software is used in back-end systems for applications or websites, are not impacted.

"My personal opinion is that Java in the browser is mostly useless these days and should not be used unless really needed," he said. "Most things that Java applets used to do can be done with HTML5 [markup language] nowadays or, if needed, with SVG (Scalable Vector Graphics) or Flash. While Flash has its security problems too, the attack surface of Flash is a lot smaller and it is a lot harder to build a reliable exploit for Flash vulnerabilities.

"Java on the server or on the desktop, however, is a nice way to generally build more secure applications than in native languages like C++," Schierl added. "Just let its sandbox die."
