Hackers Exploit Java Vulnerability, Disabling Software May Be Only Option
Lee Rannals for redOrbit.com – Your Universe Online
The exploit was added to the Blackhole exploit toolkit and the Cool Exploit Kit, which are used by cyber-criminals and are the two most popular Web threat tools used to distribute malware. The Blackhole kit is typically installed on websites that are compromised, and it uses vulnerabilities in web browsers and other software to inject malware into PCs.
The Cool Exploit Kit (Cool EK) surfaced in October and was used to push a type of malware that demands that a victim pay a fee to unlock their compromised computer.
French security researcher Kafeine noticed the Cool kit was being used to exploit a critical vulnerability in Microsoft Windows. The flaw in the operating system’s font processing code was first exploited by the infamous worm Duqu.
The latest vulnerability is a sequence of events that takes place in the Java runtime. An analysis by F-Secure showed similarity in the programming and the functionality of the exploits, which provides even more evidence that they were created by the same author or team.
Paunch, the main author of Blackhole, told Brian Krebs, an investigative journalist, that his exploit costs $10,000 a month.
Kafeine helped security firm AlienVault Labs reproduce the exploit on a new, fully-patched installation of Java, and use a malicious Java applet to remotely execute the Calculator application on Windows XP.
So far, researchers say that the only way around this latest exploit is to disable Java altogether, which seems nearly impractical for Web users to do.
“We recommend that regardless of what browser and operating system you’re using, you should uninstall Java if you don’t need it. If you do need it, use a separate browser when Java is required, and make sure to disable Java in your default browser,” The Next Web recommended to readers.
Oracle has yet to confirm the vulnerability or comment on its patching plans. The next critical patch update for Java is scheduled for February 19.
According to Computerworld, when Oracle faced a similar situation in August, the company broke out of its quarterly patch release cycle and released an emergency update.
The latest version of Java, Java 7 Update 10, was released on December 11, and this update provides an option in the Java control panel to disable all Java content in browsers.