New Java zero-day exploit could spread "mayhem"

Share this article:

Researchers at a threat and vulnerability management firm said Thursday morning that they have been able to replicate an exploit taking advantage of a fresh zero-day vulnerability in Java.

"With the files we were able to obtain, we reproduced the exploit in a fully patched new installation of Java," wrote Jaime Blasco, the labs manager at AlienVault.

A researcher known as Kafeine was among the first to spot the zero-day in the wild, deciding it was necessary to go public with the details because the exploit could "cause mayhem."

According to Blasco, the vulnerability resembles another Java flaw (CVE-2012-4681) that was widely exploited in late summer before Oracle, which maintains Java, issued a rare out-of-band patch

"The Java file is highly obfuscated, but based on the quick analysis we did, the exploit is probably bypassing certain security checks, tricking the permissions of certain Java classes as we saw in CVE-2012-4681," Blasco wrote. "Right now, the only way to protect your machine against this exploit is disabling the Java browser plug-in. Let's see how long it takes for Oracle to release a patch."

Another emergency fix may be necessary, considering the vulnerability's reach and effectiveness is about to exponentially increase now that it's been added to the commercially available BlackHole and Nuclear Pack exploit kits.

Java has been hard hit in recent years and represents arguably the most common attack vector, prompting a number of security experts to advise users to simply remove the software for good.

"My personal opinion is that Java in the browser is mostly useless these days and should not be used unless really needed," Michael Schierl, a German software developer, told SCMagazine.com in August. "Most things that Java applets used to do can be done with HTML5 [markup language] nowadays or, if needed, with SVG (Scalable Vector Graphics) or Flash. While Flash has its security problems too, the attack surface of Flash is a lot smaller and it is a lot harder to build a reliable exploit for Flash vulnerabilities."

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.