Java zero-day vulnerability hits Metasploit and Blackhole


Warwick Ashford

The latest Java zero-day vulnerability is already available to users of the Metasploit tool and Blackhole exploit kit, say security researchers.

The Java vulnerability allows attackers to use a custom web page to force systems to download and run malware that does not have to be coded in Java.


Researchers at security company FireEye said they had seen the unpatched exploit used in limited targeted attacks.

They said in a blog post that most of the recent Java run-time environments from JRE 1.7 onwards are vulnerable.

DeepEnd Research said attacks using the vulnerability are likely to increase, as it is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails.

The inclusion of the vulnerability in Metasploit and Blackhole will only accelerate this. Symantec researchers report they have already spotted two websites created to exploit the flaw.

Since the discovery of the vulnerability, there has been much speculation about whether Java custodian Oracle will consider the vulnerability serious enough to release an out-of-cycle security patch.

If Oracle were to wait until its next scheduled patch release, JRE users would be at the mercy of exploits of the vulnerability until 16 October.

Although there has been no official word from Oracle, researchers from Security Explorations have told Softpedia that Oracle is already working on a patch.

Security Explorations reported the issue to Oracle in April 2012 and a recent status report shows that it has been addressed, according to the security company’s chief executive Adam Gowdiak.

DeepEnd Research has developed an interim patch for systems administrators, but has advised users to simply disable Java in their browsers until an official patch is available.

DeepEnd advised against downgrading to earlier versions of Java because of the many other vulnerabilities in the older versions.

