Incident Response, Malware, Network Security, Patch/Configuration Management, TDR, Vulnerability Management

New Java exploit on the loose, unofficial patch may help

Researchers are tracking a new, zero-day Java exploit that is being used in active attacks -- and users may have no choice but to disable the platform.

First reported Sunday by security firm FireEye, the vulnerability affects most versions of Java Runtime Environment, including the most recent iteration.

Proof-of-concept code has been published, and with no patch available, researchers now are bracing for an uptick in incidents beyond the limited and targeted occurrences that so far have been seen. So far, according to FireEye, exploits are being launched from IP addresses based in the Asia region.

Developers at vulnerability management company Rapid7, which owns the Metasploit Project, on Sunday added the exploit to their penetration testing framework. And the exploit is expected to show up -- if it hasn't already -- in the widely used BlackHole exploit toolkit, one of the most popular threats on the web.

"The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails," researchers Andre' DiMino and Mila Parkour of DeepEnd Security said in a blog post.

Oracle, which releases Java patches on a quarterly basis, isn't scheduled to fix the software again until Oct 16., though researchers believe this vulnerability may warrant an out-of-cycle update.

In the meantime, DeepEnd Security said users should disable Java. But if they must run the technology, the all-volunteer organization is offering an unofficial patch.

Michael Schierl, a German software developer and Java expert, told SCMagazine.com on Monday that this particular exploit only affects instances where the Java sandbox is used, such as in browser applets. Other Java scenarios, such as when the software is used in back-end systems for applications or websites, are not impacted.

"My personal opinion is that Java in the browser is mostly useless these days and should not be used unless really needed," he said. "Most things that Java applets used to do can be done with HTML5 [markup language] nowadays or, if needed, with SVG (Scalable Vector Graphics) or Flash. While Flash has its security problems too, the attack surface of Flash is a lot smaller and it is a lot harder to build a reliable exploit for Flash vulnerabilities.

"Java on the server or on the desktop, however, is a nice way to generally build more secure applications than in native languages like C++," Schierl added. "Just let its sandbox die."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.