Disable Java to protect from latest zero-day
Security researchers are warning of a zero-day vulnerability in all versions of Java, including the latest Java 7 update 10
Security researchers are warning of a zero-day vulnerability in all versions of Java, including the latest Java 7 update 10.
The vulnerability can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Exploits, which affect computers running Java in browsers on Windows, Mac OS X or Linux, have already been found on compromised websites and are capable of infecting visitors' PCs with malware.
The Blackhole and Nuclear Pack exploit kits are using this vulnerability in the wild, according to researchers at security firm Alien Vault.
In a blog post, Jaime Blasco, head of labs, said he was able to reproduce the exploit in a fully patched new installation of Java.
"The Java file is highly obfuscated but, based on the quick analysis AlienVault did, the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681,” he wrote.
The US CERT said: “By leveraging unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing.
READ MORE ON JAVA SECURITY:
- How to secure Java amid growing Java security vulnerabilities
- Java security problems: Is disabling Java the answer?
- Java zero-day vulnerability hits Metasploit and Blackhole
- Security researchers spot new zero-day Java vulnerability
- Java malware, fileless malware pose threats to desktop security
- Consider disabling Java as malware targets JRE vulnerabilities
According to Blasco, the exploit is the same as the zero-day vulnerabilities seen in the past year in IE, Java and Flash.
“The hacker can virtually own your computer if you visit a malicious link thanks to this new vulnerability,” he said.
Avoid attacks by disabling Java
Security researchers agree that until a security update is available for Java from Oracle, the best way to avoid attacks exploiting this vulnerability is to disable Java.
The US CERT points out that in Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet.
The Java plug-in is popular with hackers as a means of carrying out drive-by download attacks through compromised websites.
Drive-by download attacks are set to remain a top attack method in 2013, according to the latest threat report from the European Union (EU) cyber security agency, Enisa.
In part, the popularity of drive-by attacks can be attributed to the fact that they are invisible and can be launched through links and malicious code on compromised legitimate websites.
But beyond that, drive-by attacks are becoming easier to carry out because of the increasing availability of exploit kits, according to Tim Rains, director of Microsoft Trustworthy Computing.
“For large enterprises, it has always been a challenge to keep all software and systems up to date and to ensure they have all the latest security improvements,” he said.
On top of this challenge, few organisations are able to say if all versions of a targeted piece of software have been patched.
“While they may understand the need to keep Java up to date, they may not realise they have several versions of Java running in their environment that need to be updated continually,” said Rains.
Attackers are taking advantage of these gaps around the world, including the UK where drive-by attacks have crept into the top 10 threats in the past two years.