Java exploit on the loose, unofficial patch issued

By Dan Kaplan on Aug 28, 2012 11:46AM
Experts say attacks may become more widespread.

Researchers are tracking a new, zero-day Java exploit that is being used in active attacks that may force users to disable the platform.

The vulnerability affects most versions of Java Runtime Environment, including the most recent iteration.

Proof-of-concept code has been published, and with no patch available, researchers now are bracing for an uptick in incidents beyond the limited and targeted occurrences that so far have been seen.

FireEye, which discovered the flaw on Sunday, said exploits are being launched from IP addresses based in the Asia region.

The exploit has been added to the Metasploit Project penetration testing framework, and was expected to show up in the widely used BlackHole exploit toolkit, one of the most popular threats on the web.

"The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails," researchers Andre' DiMino and Mila Parkour of DeepEnd Security said in a blog post.

Oracle, which releases Java patches on a quarterly basis, isn't scheduled to fix the software again until 16 October, though researchers believe this vulnerability may warrant an out-of-cycle update.

In the meantime, DeepEnd Security said users should disable Java. But if they must run the technology, the all-volunteer organisation is offering an unofficial patch.

Michael Schierl, a German software developer and Java expert, told SC on Monday that this particular exploit only affects instances where the Java sandbox is used, such as in browser applets.

Other Java scenarios, such as when the software is used in back-end systems for applications or websites, are not impacted.

"My personal opinion is that Java in the browser is mostly useless these days and should not be used unless really needed," he said.

"Most things that Java applets used to do can be done with HTML5 [markup language] nowadays or, if needed, with SVG (Scalable Vector Graphics) or Flash. While Flash has its security problems too, the attack surface of Flash is a lot smaller and it is a lot harder to build a reliable exploit for Flash vulnerabilities.

"Java on the server or on the desktop, however, is a nice way to generally build more secure applications than in native languages like C++," Schierl added. "Just let its sandbox die."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition