Monday, August 27, 2012

New Java 0-Day Exploit Doesn't Discriminate Against Browser or Operating System


Update: Oracle has released an emergency patch to fix the 0-day vulnerabilities currently being exploited.

-- End Update --

If you don’t need Java on your computer, disable it or remove it. Now.

Once again, security researchers are sounding the alarm about a zero-day vulnerability in Java that is actively being exploited in the wild via targeted attacks.

The security hole is said to be present in Java 7 (updates 0-6), but older versions of Java appear to be unaffected.

Of course, the real danger in this vulnerability is that the exploit code works against almost any browser and operating system that has Java installed. Researchers warn that the exploit code works against Internet Explorer, Firefox, Safari, and Opera running on Windows (7, Vista & XP), Ubuntu Linux and OS X (including Lion & Mountain Lion).

Initial reports suggested that the attack didn’t work against Google Chrome; however, Rapid7 stated that they were able to successfully execute the attack in Google Chrome running on Windows XP. Write-ups of these tests can be seen here:

According to Brian Krebs of KrebsOnSecurity.com, this zero-day exploit will soon be rolled into the widely used BlackHole exploit kit, as early as today. Let’s hope that isn’t the case; otherwise this exploit won't be reserved just for targeted attacks.

Given that Oracle just released their quarterly update for Java SE 6 & 7 on August 14th, the next update is not scheduled until this October. That leaves plenty of time for cybercriminals to launch a host of malware attack campaigns (unless Oracle issues an emergency fix), so it’s a good idea to disable the Java browser plug-ins or uninstall Java from your system until a patch is released.

Check if You Have Java Installed & React Accordingly


If you’re not entirely sure whether or not you have Java installed, you can always check your Programs in your computer’s Control Panel or head over to java.com and click the ‘Do I have Java?’ link.

If you have Java installed and do NOT need it, it is recommended that you remove it from your computer.

If you have Java installed and you DO need it, it is recommended that you dedicate a single browser to visiting Java-based websites and disable the Java plug-ins in all other browsers.
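If you need to check more than one machine, the affected range given above (Java 7, updates 0 through 6) can be tested against the output of `java -version`. The script below is an added example, not part of the original post; the function names, result labels and sample version strings are constructed for illustration.

```python
import re
import subprocess

# Quoted version from `java -version`, e.g. java version "1.7.0_06".
# Legacy form is 1.<major>.0_<update>; a missing _<update> means update 0.
_VERSION_RE = re.compile(r'version "(?:1\.)?(\d+)(?:\.\d+)*(?:_(\d+))?')

AFFECTED_MAJOR = 7               # per the post: Java 7 ...
AFFECTED_UPDATES = range(0, 7)   # ... updates 0 through 6


def parse_java_version(banner):
    """Return (major, update) parsed from banner text, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(banner):
    """Label a banner against the range reported in the post."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major == AFFECTED_MAJOR and update in AFFECTED_UPDATES:
        return "affected"
    if major < AFFECTED_MAJOR:
        return "older-version-reported-unaffected"
    return "outside-reported-range"


def local_java_banner():
    """Run `java -version` (it prints to stderr); None if Java is not on PATH."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stderr + out.stdout


if __name__ == "__main__":
    banner = local_java_banner()
    print("java not found on PATH" if banner is None else classify(banner))
```

A result of "java not found on PATH" only means no `java` launcher is on the search path; a browser plug-in can still be present, so the Control Panel or java.com check above still applies.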
