January 22, 2013
Another Java Exploit Found In ‘Watering Hole’ Attack
Michael Harper for redOrbit.com — Your Universe Online
At this point, the words “Java” and “exploit” have become so tightly knit and so often used that they´ve faded into white noise as quickly as they´ve joined. Today, there´s yet another development in the long and monotonous story about Java that just refuses to stop unfolding.
According to Ars Technica, the same exploits which were fixed in recent updates to Internet Explorer and Java are being used as hackers target websites with a human rights bent. These attackers are said to be taking advantage of those slow to either disable Java -- the best solution -- or to update to the latest patched version of Java, the best option if you really, 100% have to use Java.
As a brief recent history, a security flaw in Java 11 was being sold along with a hackers “toolkit” that allowed anyone with a certain amount of money to target any user with the un-patched version of Java. Things got so out of hand, the U.S. Department of Homeland Security saw it fit to issue a warning to all citizens who had yet to disable or update their versions of Java. As it turns out, a warning from the federal government really greases the pipeline and a new patch for Java was promptly released.
Less than 24 hours after this update was released, another exploit which had not been addressed in the latest patch was being sold to the first 2 hackers with a spare $5,000. The hacker with access to this exploit likely kept it hidden so as to capitalize on Java´s weakness.
A day or so later, it had been discovered yet another opportunistic hacker had taken advantage of Java´s bad name and began disguising malware as Java 7 Update 11. In addition to warning people to disable Java, security experts began warning people to only download a Java update from Oracle´s own website.
Less than a week later, security experts at Avast! blog have found attackers have taken over human rights sites -- specifically the site for Reporters Without Borders -- in what´s known as a “watering hole attack.” Just as it sounds, these attackers have set up camp at the site for Reporters Without Borders and are simply waiting for those visitors with out-of-date versions of either Internet Explorer or Java.
“It seems that the entity or entities behind the watering hole attacks don´t care to be caught or detected, and it also seems that they don´t care if the Internet Explorer and Java vulnerabilities are patched,” writes Jundrich Kubec with Avast! blog. “They act as opportunists and try to take advantage from the time frame between the patch release and the patch application of some users, companies and non-governmental organizations.”
It is sadly common for such watering hole attackers to target human rights activist sites. Last spring, attackers took advantage of -- you guessed it -- a Java exploit, sending infected emails about the Dalai Lama and his annual speech about the Tibetan uprising.
Again, if you don´t need Java, it´s best to simply disable it altogether to protect yourself and your system from these kinds of attacks.