Java exploit added to Metasploit


Microsoft says up to half of all exploits are Java based.

A new exploit for a recently fixed vulnerability in Java has been added to the Metasploit penetration testing framework, according to vulnerability management firm Rapid7, which owns the open-source Metasploit Project.

The exploit takes advantage of a flaw in the Java Runtime Environment (JRE) component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier versions, according to a vulnerability summary.

Users can unknowingly become infected simply by visiting a malicious website.

"It's essentially zero-knowledge from the user's perspective," Jonathan Cran, director of quality assurance for the Metasploit Project, said. "It runs on their computer without them even realising it."

The exploit showed up in the BlackHole exploit kit, an off-the-shelf software package used to install a range of malware, so Metasploit handlers decided to include it to raise awareness.

"Once it's in the kits, someone can buy it," Cran said. "It becomes much more widely distributed and used. It lowers the bar for entry."

News of the exploit comes on the heels of new numbers from Microsoft, which show that the most common exploit seen in the first half of 2011 was based on Java, a programming language created by Sun Microsystems, which is now owned by Oracle.

Tim Rains, director of product management in Microsoft's Trustworthy Computing group, said in a blog post this week that between the third quarter of last year and the second quarter of 2011, between a third and a half of all observed exploits were Java-based.

In total during that time, Microsoft's security technology blocked roughly 27.5 million Java exploit attempts.

"Many of the more commonly exploited Java vulnerabilities are several years old, and have had security updates available to them for years," Rains said.

"This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment."

Many organisations leave themselves wide open to attack because they are running legacy enterprise applications, some of which are mission-critical, that require older versions of JRE, said Ed Skoudis, an instructor at the SANS Institute.

Modern and "well-written" Java code can run across different versions, but code that was created five or ten years ago is a different story, he said.

"That's the problem," Skoudis said. "You can't just wave your hand and update all of Java because if you do that, you're going to break a whole bunch of apps. It's a real mess."

But because Java is platform independent, it remains a popular software choice for organisations. As a result, they should consider running legacy apps that can't be updated to the latest version of Java in virtual environments, Skoudis said.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition