New Java exploit on the loose, unofficial patch may help


Researchers are tracking a new, zero-day Java exploit that is being used in active attacks -- and users may have no choice but to disable the platform.

First reported Sunday by security firm FireEye, the vulnerability affects most versions of Java Runtime Environment, including the most recent iteration.

Proof-of-concept code has been published, and with no patch available, researchers are bracing for an uptick in incidents beyond the limited, targeted occurrences seen to date. According to FireEye, the exploits observed so far have been launched from IP addresses based in Asia.

Developers at vulnerability management company Rapid7, which owns the Metasploit Project, on Sunday added the exploit to their penetration testing framework. And the exploit is expected to show up -- if it hasn't already -- in the widely used BlackHole exploit toolkit, one of the most popular threats on the web.

"The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails," researchers André DiMino and Mila Parkour of DeepEnd Security said in a blog post.

Oracle, which releases Java patches on a quarterly basis, isn't scheduled to fix the software again until Oct. 16, though researchers believe this vulnerability may warrant an out-of-cycle update.

In the meantime, DeepEnd Security said users should disable Java. But if they must run the technology, the all-volunteer organization is offering an unofficial patch.

Michael Schierl, a German software developer and Java expert, told SCMagazine.com on Monday that this particular exploit only affects instances where the Java sandbox is used, such as in browser applets. Other Java scenarios, such as when the software is used in back-end systems for applications or websites, are not impacted.

"My personal opinion is that Java in the browser is mostly useless these days and should not be used unless really needed," he said. "Most things that Java applets used to do can be done with HTML5 [markup language] nowadays or, if needed, with SVG (Scalable Vector Graphics) or Flash. While Flash has its security problems too, the attack surface of Flash is a lot smaller and it is a lot harder to build a reliable exploit for Flash vulnerabilities.

"Java on the server or on the desktop, however, is a nice way to generally build more secure applications than in native languages like C++," Schierl added. "Just let its sandbox die."
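Because the exploit only reaches Java through the browser plugin, the practical question for a user or a helpdesk is whether a given browser will still hand applet content to Java at all. The following is an added example, not code from the article, FireEye, DeepEnd Security or Schierl: it uses the legacy navigator.javaEnabled() and navigator.mimeTypes plugin APIs (the ones browsers of this era exposed to page scripts) to report whether the applet attack surface is reachable. It takes a navigator-like object as a parameter so it can be run offline against the constructed fixtures below; in a real page you would call javaExposure(window.navigator). The plugin name in the fixtures is constructed sample data.

```javascript
// Added example (not part of the article): report whether a browser exposes
// the Java plugin to web content, i.e. whether a drive-by page could reach the
// applet sandbox discussed above. Uses navigator.javaEnabled() and
// navigator.mimeTypes[...].enabledPlugin, which browsers of this era exposed.

const JAVA_MIME_TYPES = [
  'application/x-java-applet',
  'application/x-java-vm',
  'application/x-java-bean',
];

// Look up a MIME type on a MimeTypeArray-like object. Real browsers support
// both namedItem() and bracket access; the fixtures below only provide the latter.
function lookupMime(mimeTypes, type) {
  if (!mimeTypes) return null;
  if (typeof mimeTypes.namedItem === 'function') {
    const hit = mimeTypes.namedItem(type);
    if (hit) return hit;
  }
  return mimeTypes[type] || null;
}

function javaExposure(nav) {
  // Browser-level switch; false (or absent) means the browser will not run applets.
  const javaEnabled =
    nav && typeof nav.javaEnabled === 'function' ? Boolean(nav.javaEnabled()) : false;

  // Java MIME types for which a live (enabled) plugin is registered.
  // enabledPlugin is null when the type is known but the plugin is disabled.
  const handlers = [];
  for (const type of JAVA_MIME_TYPES) {
    const entry = lookupMime(nav && nav.mimeTypes, type);
    if (entry && entry.enabledPlugin) {
      handlers.push({ type, plugin: entry.enabledPlugin.name || '(unnamed plugin)' });
    }
  }

  return {
    javaEnabled,
    handlers,
    // The applet sandbox is attackable only if both conditions hold.
    reachable: javaEnabled && handlers.length > 0,
  };
}

// Constructed fixtures standing in for two browsers (not captured data).
const NAV_WITH_JAVA = {
  javaEnabled: () => true,
  mimeTypes: {
    'application/x-java-applet': { enabledPlugin: { name: 'Java(TM) Platform SE 7 U6' } },
    'application/x-java-vm': { enabledPlugin: { name: 'Java(TM) Platform SE 7 U6' } },
  },
};

const NAV_PLUGIN_DISABLED = {
  javaEnabled: () => false,
  mimeTypes: {
    'application/x-java-applet': { enabledPlugin: null },
  },
};

// In a browser, report on the actual visitor; in Node, exercise the fixtures.
if (typeof window !== 'undefined') {
  console.log(javaExposure(window.navigator));
} else {
  console.log(javaExposure(NAV_WITH_JAVA));
  console.log(javaExposure(NAV_PLUGIN_DISABLED));
}
```

A result of reachable: false means only that this browser will not route applet content to Java; the JRE may still be installed and still needs patching once Oracle ships a fix, and server-side or desktop Java, as Schierl notes, is outside this exploit's reach regardless.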
