A new exploit for a recently fixed vulnerability in Java has been added to the Metasploit penetration testing framework, according to vulnerability management firm Rapid7, which owns the open-source Metasploit Project.
The exploit takes advantage of a flaw in the Java Runtime Environment (JRE) component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier versions, according to a vulnerability summary. Users can unknowingly become infected simply by visiting a malicious website.
“It’s essentially zero-knowledge from the user’s perspective,” Jonathan Cran, director of quality assurance for the Metasploit Project, told SCMagazineUS.com on Thursday. “It runs on their computer without them even realizing it.”
The exploit showed up in BlackHole exploit kit, an off-the-shelf software package used to install a range of malware, so Metasploit handlers decided to include it to raise awareness.
“Once it’s in the kits, someone can buy it,” Cran said. “It becomes much more widely distributed and used. It lowers the bar for entry.”
News of the exploit comes on the heels of new numbers from Microsoft, which show that the most common exploit seen in the first half of 2011 was based on Java, a programming language created by Sun Microsystems, which is now owned by Oracle.
Tim Rains, director of product management in Microsoft’s Trustworthy Computing group, said in a blog post this week that between the third quarter of 2010 and the second quarter of 2011, between a third and a half of all observed exploits were Java-based. In total during that time, Microsoft’s security technology blocked roughly 27.5 million Java exploit attempts.
“Many of the more commonly exploited Java vulnerabilities are several years old, and have had security updates available to them for years,” Rains said. “This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment.”
Many organizations leave themselves wide open to attack because they are running legacy enterprise applications, some of which are mission-critical, that require older versions of JRE, said Ed Skoudis, an instructor at the SANS Institute. Modern and “well-written” Java code can run across different versions, but code that was created five or ten years ago is a different story, he said.
“That’s the problem,” Skoudis told SCMagazineUS.com on Thursday. “You can’t just wave your hand and update all of Java because if you do that, you’re going to break a whole bunch of apps. It’s a real mess.”
But because Java is platform independent, it remains a popular software choice for organizations. As a result, they should consider running legacy apps that can’t be updated to the latest version of Java in virtual environments, Skoudis said.