New Java Exploit Puts All Users at Risk
CREDIT: Audrey M Vasey/Shutterstock.com
A previously unknown security flaw in the latest version of Java is now so widespread that it could, according to cybercrime reporter Brian Krebs, affect 1 billion computers.
The vulnerability, which was discovered in the wild last week, puts all Java 7 users at risk. (If you haven't updated, don't ?the flaw exists only in the latest version; those who are still working with Java 6 need not fear.)
Security testing company Rapid7 said the proof was rolled into a Metasploit module that can exploit the flaw on Chrome in Mac OS X and on Windows XP. No platform is safe from this security flaw.
Krebs said in his blog that the creator of the BlackHole exploit kit, a popular malware-installing tool that is available for purchase in online black markets, was surprised anyone would just give this exploit away. According to the BlackHole creator, selling the exploit could have fetched $100,000.
According to statistics that Seculert shared with Krebs, now that the BlackHole kit has the Java zero-day exploit onboard, it's twice as effective. The kit, which infects the machines that visit a site it's lurking on, has a new success rate of 21 percent, up from about 11 percent.
The hack is valuable because it's so reliable. According to Immunity Inc. developer Esteban Guillardoy, who provides a detailed breakdown of the vulnerability here, the hack "provides 100 percent reliability" and, because it works on all operating systems, it "will shortly become the penetration-test Swiss knife for the next couple of years."
While the real solution to the problem is an official patch from Oracle, the technology giant is known for keeping a rigorous schedule when rolling out updates and fixes. Despite all the flack that’s likely heade their way, the next update shouldn’t be expected until October.
The exploit has mainly been used in targeted attacks for stealing government or corporate secrets but many security experts suggest immediately uninstalling or disabling Java altogether anyway. Sophos has instructions for doing so on their NakedSecurity blog.