Security researchers spot new zero-day Java vulnerability

August 29, 2012 by  
Filed under Every thing you Need to Know

Security researchers have spotted a new Java vulnerability in the wild for which there is no security patch as yet.

The Java vulnerability, which is being used for targeted attacks, allows attackers to use a custom web page to force systems to download and run malware that does not have to be coded in Java.

“We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments, i.e., JRE 1.7x, are vulnerable,” security firm FireEye said in a blog post.

In a lab environment, FireEye’s Atif Mushtaq said he was able to exploit his test machine against the latest version of Firefox with JRE version 1.7 update 6 installed.

“It’s just a matter of time that a POC [proof-of-concept] will be released and other bad guys will get hold of this exploit as well,” Mushtaq wrote.

“It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit.”

DeepEnd Research said that attacks using the vulnerability are likely to increase, as it is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails.

The next patch scheduled for release by Oracle is 16 October.

“Oracle almost never issues out-of-cycle patches, but hopefully they will consider it serious enough to do it this time,” DeepEnd Research said in a blog post.

DeepEnd Research said it has developed an interim patch for the vulnerability, but said the patch would be offered only on a per-request basis to systems administrators at organisations that rely on Java.

“The reason for limited release is the fact that this patch can be reversed, thus making the job of exploit creation easier, which certainly is not our goal,” DeepEnd said.

DeepEnd Research also said the patch was not an official one and had limited testing.

“In general, it is best to disable Java in your browser,” it said.

DeepEnd advised against downgrading to earlier versions of Java because of the many other vulnerabilities in the older versions.
