Another year, another Java zero-day
The flaw was first spotted by the ‘Malware Don’t Need Coffee’ blog and was subsequently confirmed by security firm AlienVault. “This could be a mayhem,” the blogger warned. They later tweeted that the exploit had been included in a host of massively popular exploit kits, including the prevalent Blackhole kit.
Jaime Blasco, AlienVault’s head of labs, was able to reproduce the exploit in a fully patched new installation of Java, confirming the zero-day could be exploited.
“The Java file is highly obfuscated but based on the quick analysis AlienVault did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes,” he wrote.
“The exploit is the same as the zero day vulnerabilities we have been seeing in the past year in IE, Java and Flash. The hacker can virtually own your computer if you visit a malicious link thanks to this new vulnerability.
“We also expect a Metasploit module to appear in the next few days, similar to the activities that occurred last year as well as most of the exploit kits adopting this new zero day sooner rather than later.”
Disable Java now
Security experts are now telling people, as they did with the various Java zero-day flaws that reared their ugly heads last year, to disable Java completely.
“If this particular Java exploit is genuine, and it appears to be so, then the same rules apply as always. If you are in a position to disable Java – then do so,” said David Kennerley, head of threat research in EMEA for Webroot.
“Only visit well known sites, sites you know 99 percent of the time will be safe. Use different browsers for different functions – not all Java exploits affect every browser.
“Make sure your AV product is up-to-date. The exploit may be zero day and therefore not fixed, but this doesn’t mean on all occasions the payload and the malware actually downloaded will be new.
“An average day will see us detect 1000s of new pieces of malware dropped by Java and 10000s of already known pieces of malware dropped by Java.”
Oracle told TechWeekEurope it had nothing to say on the matter. It does have a critical patch update coming on 15 January, but it may not have enough time to address this particular issue.
Larry Ellison’s tech titan was plagued with Java flaws last year, one of which it reacted to in a prompt manner, pushing out an out-of-band update in August rather than waiting for one of its routine patching days.
In the ensuing months, researchers pointed to other unpatched flaws that allowed for remote code execution, but Oracle did not do anything outside of its schedule.