January 13, 2013
Fix For Java Vulnerability Coming Soon, Promises Oracle
redOrbit Staff & Wire Reports — Your Universe Online
A vulnerability in Java that hackers have been exploiting to infect computers with malware will be patched in the near future, the company that developed the software has announced.
The advisory, issued by the DHS US Computer Emergency Readiness Team (US-CERT), said an “unspecified vulnerability” in Java 7 Update 10 and earlier versions made it possible for attackers to remotely execute malicious code, without authentication, on a vulnerable system, Emil Protalinski of The Next Web reported on Saturday.
“The critical security hole,” which Protalinski identified as a 0-day vulnerability, “allows attackers to execute malicious software on a victim's machine” and was “quickly exploited in the wild and made available in common exploit kits,” he said.
As previously reported here on redOrbit.com, the exploit had been added to the Blackhole exploit kit (which is typically planted on compromised websites and uses vulnerabilities in browsers and other software to infect PCs) and the Cool Exploit Kit (which pushes ransomware that locks the victim's computer and demands a fee to unlock it).
“The Department of Homeland Security said attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java,” Finkle said. “It said an attacker could also infect a legitimate website by uploading malicious software that would infect machines of computer users who trust that site because they have previously visited it without experiencing any problems.”
In response to initial reports of the exploit, Apple disabled the Java 7 plug-in on Macs, according to MacRumors. It did so by updating its “Xprotect.plist” blacklist to require a minimum plug-in version of “1.7.0_10-b19”, a build that did not exist at the time, so any Mac running Java 7 automatically fails the check performed by the built-in OS X security software (XProtect).
“On Friday, we learned the 0-day code would not have worked if Oracle had properly addressed an old vulnerability, according to Security Explorations, the security firm responsible for identifying most of the latest Java vulnerabilities,” Protalinski said. “Back in late August 2012, the company informed Oracle about the insecure implementation of the Reflection API, and Oracle released a patch for it in October 2012, but the fix wasn't a complete one.”
“Also on Friday, Mozilla added all recent versions of Java to its Firefox add-on blocklist. These include Java 7 Update 9, Java 7 Update 10, Java 6 Update 37, and Java 6 Update 38; older Java versions were already blocklisted due to other vulnerabilities,” he added.
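The two plug-in gates the article describes (Apple's impossible-to-meet minimum version and Mozilla's list of blocked Java updates) can be expressed as a small version check, which is useful for auditing which machines a browser will still expose. The block below is an added example, not code from the article, Apple, Mozilla or Oracle: the version-string parser, the component-wise comparison, applying the Java 7 minimum to every version string it sees, the "older than 6 is blocked" rule and the host inventory are all assumptions made for illustration.

```python
"""Version gate for the Java browser plug-in, modelled on the two blocklists
described in the article (Apple's XProtect minimum-version entry and Mozilla's
Firefox add-on blocklist). Added example, not Apple's, Mozilla's or Oracle's
code; the inventory at the bottom is constructed."""
import re
from typing import List, NamedTuple, Tuple


class JavaVersion(NamedTuple):
    major: int   # "1.7.0_10-b19" -> 7
    update: int  # -> 10 (0 when there is no _NN suffix)
    build: int   # -> 19 (0 when there is no -bNN suffix)


# Java 6/7 plug-in version strings: 1.<major>.0[_<update>][-b<build>]
_VERSION_RE = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text: str) -> JavaVersion:
    """Parse a Java 6/7-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, update, build = m.groups()
    return JavaVersion(int(major), int(update or 0), int(build or 0))


# Minimum plug-in version Apple's blacklist demanded, per the article. No such
# build existed when the entry shipped, so every Java 7 plug-in failed the gate.
XPROTECT_MINIMUM = "1.7.0_10-b19"


def xprotect_allows(installed: str, minimum: str = XPROTECT_MINIMUM) -> bool:
    """True if the installed plug-in meets the minimum version.

    Assumption: the gate compares versions component-wise (major, update,
    build), which is what makes the 'nonexistent build' trick block everything.
    The article's entry targets Java 7; this example applies the same minimum
    to whatever version string it is given.
    """
    return parse_java_version(installed) >= parse_java_version(minimum)


# Mozilla's blocklist, per the article: 7u9, 7u10, 6u37, 6u38 and anything
# older. Expressed as the highest blocked update per major version; majors
# below 6 are treated as blocked outright (assumption, since the article says
# older Java versions were already blocklisted).
MOZILLA_BLOCKED_THROUGH = {7: 10, 6: 38}


def mozilla_blocks(installed: str) -> bool:
    """True if Firefox's add-on blocklist (as described) disables this plug-in."""
    v = parse_java_version(installed)
    if v.major < 6:
        return True
    limit = MOZILLA_BLOCKED_THROUGH.get(v.major)
    return limit is not None and v.update <= limit


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, bool]]:
    """For each (host, version) return (host, version, xprotect_blocks, firefox_blocks).

    A host is only protected by these gates if every browser on it refuses
    the plug-in, so a practitioner triaging this 0-day wants both columns.
    """
    return [
        (host, version, not xprotect_allows(version), mozilla_blocks(version))
        for host, version in inventory
    ]


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("mac-01", "1.7.0_10-b18"),   # Java 7u10: vulnerable, blocked by both gates
    ("mac-02", "1.6.0_37"),       # Java 6u37: on Mozilla's list, below Apple's minimum
    ("mac-03", "1.7.0_11"),       # Oracle's fix level: passes both gates
]

if __name__ == "__main__":
    for host, version, xp_blocks, ff_blocks in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {version:14} XProtect blocks: {xp_blocks!s:5} "
              f"Firefox blocks: {ff_blocks}")
```

Run it as a script to print the audit table, or feed `audit()` the output of your own inventory tooling; the point of the nonexistent `1.7.0_10-b19` minimum is visible in `xprotect_allows`, where even the real `1.7.0_10` builds compare lower than it.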