Amazingly two, zero-day vulnerabilities have been found in the current version of Oracle’s Java Runtime Environment!, most of us would predict that it was just a matter of time before the vulnerabilities were weaponised.
Only hours after FireEye Malware Intelligence Lab researcher Atif Mushtaq disclosed his discovery of the vulnerabilities, proof-of-concept code appeared onlineand a module for Rapid7's popular exploit framework Metasploit was developed.
The exploit is now working its way in to BlackHole, the hacker’s Swiss Army toolkit for infecting unsuspecting users that visit BlackHole compromised sites.
Yesterday, as Mushtaq began to see evidence of a mounting large-scale attack against the vulnerability from several sites, he predicted that if it were worked into BlackHole, casualties would shoot into the thousands.
“We were able to count tens of thousands of new infected machines due to the Java zero-day since the exploit was added to the BlackHole exploit kit,” the company wrote.
As a result of the dual vulnerability in the most recent version of Java, attackers can spread malware simply by tricking users into visiting booby-trapped websites.
Malicious code can be loaded onto vulnerable computers without user interaction. The zero-day exploit has already made its way into the infamous Blackhole Exploit kit.
“Due to the Java 0-day, BlackHole exploitation success rate increased from 10 per cent to 25 per cent,” Aviv Raff, chief technology officer at Seculert.
Given that there is still no patchfrom Oracle, Pure Hacking chief technology officer Ty Miller recommended uninstalling Java ifit’s not something that users specifically need, since it is best practice to reduce the potential vectors for an attack.
However, he acknowledged that there are still some users who would need to have it installed.
“Java is used for far more than just web applications. It was designed to allow software to becreated to run across multiple operating systems. For instance, Java is the underlying programming language for Android applications that run on smartphones and tablets.
Java can be quite an important piece of software for Linux users, as it is a requirement for software such as OpenOffice, which is the open-source alternative to Microsoft Office,” he said.
A precautionary measure to prevent this would be for the non-Java users to disable this within their browsers to avoid being compromised.
Only hours after FireEye Malware Intelligence Lab researcher Atif Mushtaq disclosed his discovery of the vulnerabilities, proof-of-concept code appeared onlineand a module for Rapid7's popular exploit framework Metasploit was developed.
The exploit is now working its way in to BlackHole, the hacker’s Swiss Army toolkit for infecting unsuspecting users that visit BlackHole compromised sites.
Yesterday, as Mushtaq began to see evidence of a mounting large-scale attack against the vulnerability from several sites, he predicted that if it were worked into BlackHole, casualties would shoot into the thousands.
“We were able to count tens of thousands of new infected machines due to the Java zero-day since the exploit was added to the BlackHole exploit kit,” the company wrote.
As a result of the dual vulnerability in the most recent version of Java, attackers can spread malware simply by tricking users into visiting booby-trapped websites.
Malicious code can be loaded onto vulnerable computers without user interaction. The zero-day exploit has already made its way into the infamous Blackhole Exploit kit.
“Due to the Java 0-day, BlackHole exploitation success rate increased from 10 per cent to 25 per cent,” Aviv Raff, chief technology officer at Seculert.
Given that there is still no patchfrom Oracle, Pure Hacking chief technology officer Ty Miller recommended uninstalling Java ifit’s not something that users specifically need, since it is best practice to reduce the potential vectors for an attack.
However, he acknowledged that there are still some users who would need to have it installed.
“Java is used for far more than just web applications. It was designed to allow software to becreated to run across multiple operating systems. For instance, Java is the underlying programming language for Android applications that run on smartphones and tablets.
Java can be quite an important piece of software for Linux users, as it is a requirement for software such as OpenOffice, which is the open-source alternative to Microsoft Office,” he said.
A precautionary measure to prevent this would be for the non-Java users to disable this within their browsers to avoid being compromised.
No comments:
Post a Comment
Enter your Comment...