Warnings have been issued about a new exploit for a recently patched Java flaw that is now being incorporated into exploit kits.
According to security blogger Brian Krebs, the exploit targets a vulnerability in Oracle Java SE JDK and JRE 7 (before Update 1) and JDK and JRE 6 Update 27 and earlier. He also said it is gradually being incorporated into the BlackHole exploit kit, one of the most widely deployed exploit packs on the market.
“If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it's time to update. Not sure whether you have Java or what version you may be running? Check out this link and then click the ‘Do I have Java?' link below the big red ‘Free Java Download' button,” he said.
“Java exploits are notoriously successful when bundled into commercial exploit packs, software kits that can turn a hacked website into a virtual minefield for web users who aren't keeping up to date with the latest security patches. Users would need only to browse to a booby-trapped site with a version of Mozilla Firefox or Internet Explorer that is running anything older than the latest Java package and the site could silently install malware.”
Krebs also said that as Java is cross-platform software, this attack could theoretically be used to infiltrate non-Windows systems, such as computers running Mac OS X, but he had only heard about it being used to target Windows PCs.
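Because the fix is a version check rather than a behavioural one, the practical question for an administrator is whether each machine's runtime is at or past the update levels Krebs names (Java 6 Update 29, Java 7 Update 1). The script below is an added example, not code from the article or from Krebs: it parses the version string that `java -version` prints (the `1.6.0_27` / `1.7.0_01-b08` form used by Java 6 and 7), compares it against those two thresholds, and treats a bare `1.7.0` (no update suffix) as the unpatched initial Java 7 release. The threshold table `PATCHED_MIN` and the function names are assumptions of this example; the Java 9+ `9.0.1` version format is deliberately out of scope and is reported as unrecognised.

```python
"""Check an installed Java runtime against the patched update levels cited in
the article (Java 6 Update 29, Java 7 Update 1).

Added example, not part of the original article. Works on any platform with a
`java` binary on PATH, which matters because the exploit is cross-platform.
"""
import re
import subprocess

# Minimum patched (major -> update) per the article: 6u29 and 7u1. Assumed table.
PATCHED_MIN = {6: 29, 7: 1}

# Matches the Java 1.x banner form: 1.<major>.<minor>[_<update>][-<build tag>]
VERSION_RE = re.compile(r'"?1\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?"?')


def parse_java_version(text):
    """Return (major, update) from a `java -version` banner or a bare version
    string such as '1.6.0_27', '1.7.0' or '1.7.0_01-b08'.
    Raises ValueError when no Java 1.x version string is present."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java 1.x version string found in: %r" % text)
    major = int(m.group(1))
    # '1.7.0' with no '_NN' suffix is the initial Java 7 release, i.e. update 0.
    update = int(m.group(3)) if m.group(3) else 0
    return major, update


def is_patched(major, update):
    """True if (major, update) is at or past the patched release for that major.
    Majors newer than 7 are treated as patched; majors older than 6 as not."""
    if major in PATCHED_MIN:
        return update >= PATCHED_MIN[major]
    return major > 7


def assess(text):
    """Human-readable verdict for a banner or version string."""
    major, update = parse_java_version(text)
    status = "patched" if is_patched(major, update) else "VULNERABLE"
    return "Java %d Update %d: %s" % (major, update, status)


def installed_java_banner():
    """Run `java -version` (it prints to stderr on these releases) and return
    the combined output, or None if no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    banner = installed_java_banner()
    if banner is None:
        print("no java binary on PATH")
    else:
        try:
            print(assess(banner))
        except ValueError as err:
            print(err)
```

Run it on each endpoint (or feed it collected `java -version` output from an inventory tool); a verdict of VULNERABLE means the machine is in the range the BlackHole exploit targets and should be updated before browsing anything untrusted.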
From monitoring a cybercrime forum, Krebs reported that the hacker principally responsible for maintaining and selling BlackHole claimed the new Java exploit was being rolled out free to existing licence holders. For everyone else, the exploit can be bought for $4,000 on top of a BlackHole licence, which costs $700 for three months, $1,000 for six months or $1,500 per year.
The author of BlackHole also sells a hosted option, in which customers rent “bulletproof” servers with pre-installed copies of the kit for $200 a week or $500 per month.
Bill Morrow, executive chairman of Quarri Technologies, said browsers at the endpoint continue to be the weakest part of networks.
“As companies of all sizes increasingly use browsers as the primary platform for the delivery of information, browsers have also become the primary point of theft or data leakage, by not only malware, but also by end-users. Not knowing the security state of the endpoint is a critical security gap for a website or web application owner.”