Security researchers have spotted a new Java vulnerability in the wild for which there is no security patch as yet.
The Java vulnerability, which is being used for targeted attacks, allows attackers to use a custom web page to force systems to download and run malware that does not have to be coded in Java.
In a lab environment, FireEye’s Atif Mushtaq said he was able to exploit his test machine against the latest version of FireFox with JRE version 1.7 update 6 installed.
“It's just a matter of time that a POC [proof-of-concept] will be released and other bad guys will get hold of this exploit as well," Mustaq wrote.
“It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit."
Read more about security threats
- APTs: Are they really a concern for all businesses?
- Revisiting JRE security policy amid new ways to exploit Java
- Should a Java Runtime Environment (JRE) be kept up to date?
DeepEnd Research said that attacks using the vulnerability are likely to increase, as it is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails.
The next patch scheduled for release by Oracle is 16 October.
“Oracle almost never issue out-of-cycle patches, but hopefully they will do consider it serious enough to do it this time,” DeepEnd Research said in a blog post.
DeepEnd Research said it has developed an interim patch for the vulnerability, but said the patch would be offered only on a per-request basis to systems administrators at organisations that rely on Java.
“The reason for limited release is the fact that this patch can be reversed, thus making the job of exploit creation easier, which certainly is not our goal,” DeepEnd said.
DeepEnd Research also said the patch was not an official one and had limited testing.
“In general, it is best to disable Java in your browser,” it said.
DeepEnd advised against downgrading to earlier versions of Java because of the many other vulnerabilities in the older versions.