Java zero-day exploit goes mainstream, 100+ sites serve malware

Blackhole exploit toolkit adds attack code that leverages unpatched bugs

By Gregg Keizer, Computerworld | Security, Java, Oracle

Yesterday, Michael Coates, Mozilla's director of security assurance, urged Firefox users to disable the browser's Java plug-in because Oracle has not yet issued fixes. Others, including US-CERT (United States Computer Emergency Readiness Team), have given the same advice, or recommended the more drastic measure of uninstalling Java entirely.

Firefox developers are also ready to issue a kill order for the vulnerable Java 7 plug-in, according to a discussion on Mozilla's Bugzilla code change and bug-tracking database.

Mozilla has the ability to add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox automatically queries the blocklist and notifies users before disabling the targeted add-ons.

"Oracle is unlikely to patch this ahead of their scheduled October update and that's plenty of time for evil-doers to profit if we don't block until then," said Daniel Veditz, a Firefox security engineer, on Bugzilla.

Oracle is scheduled to release its next Java security update Oct. 12.

Although the current exploits -- and Blackhole -- target only Windows PCs, the vulnerable code is in Java itself, so machines running OS X with Java 7 installed will also be exposed if attackers integrate the Java zero-days into Mac-specific malware.

Apple stopped bundling Java with OS X starting with 2011's Lion; this year's Mountain Lion also omits Java. Those users, however, may still have Java 7 installed. When a browser encounters a Java applet, OS X asks the user for permission to download the Oracle software.

People running the older Snow Leopard (2009) and Leopard (2007) are apparently not at risk, since Java 7 requires the more recent Lion and Mountain Lion. The unpatched vulnerabilities are present only in Java 7.
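Because the article's mitigation advice turns on whether a machine runs the Java 7 line at all, the following added example (not from the article, and not Oracle or Mozilla code) shows how a shell script can tell the affected Java 7 runtime apart from the unaffected Java 6 runtime by parsing the banner that `java -version` prints to stderr. The banner strings it tests against are constructed samples in the "1.<major>" format Oracle's runtime printed at the time; the handling of the later "<major>.<minor>" format is an assumption that goes beyond what the article covers.

```shell
# Added example, not from the article: classify a Java runtime from its
# `java -version` banner. Assumes Oracle's "1.<major>" string format of the
# era, plus the "<major>.<minor>" format used by later releases (assumption).

# Print the major version found in the banner passed as $1 (7 for
# 'java version "1.7.0_06"', 6 for 'java version "1.6.0_35"', 11 for
# 'openjdk version "11.0.2"'). Prints nothing and returns 1 when no
# recognisable version line is present.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;   # legacy 1.x.y_zz numbering
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;   # later major.minor numbering
    esac
}

# True (exit 0) only when the banner describes the affected Java 7 line.
is_affected_java7() {
    [ "$(java_major_version "$1")" = "7" ]
}

# Constructed sample banners in the format Oracle's java printed in 2012.
SAMPLE_JAVA7='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)'
SAMPLE_JAVA6='java version "1.6.0_35"
Java(TM) SE Runtime Environment (build 1.6.0_35-b10-428-11M3811)'

# Run the same test against whatever java is on this machine's PATH.
# Returns 0 when no Java 7 is present, 2 when the affected line is found.
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java on PATH: not exposed to the Java 7 plug-in flaw"
        return 0
    fi
    banner=$(java -version 2>&1)          # the banner goes to stderr
    if is_affected_java7 "$banner"; then
        echo "Java 7 found: disable the browser plug-in until Oracle ships a fix"
        return 2
    fi
    echo "Java $(java_major_version "$banner" || echo '?') found: not the affected Java 7 line"
}

check_installed_java
```

On a Mac that has never downloaded Oracle's Java 7, `command -v java` on Lion and Mountain Lion finds only Apple's stub launcher or nothing at all, so the script reports no exposure; on a machine where the Oracle runtime was installed, the banner's "1.7" prefix is what triggers the warning.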

While more than half of all Macs were running Lion or Mountain Lion as of July 31, statistics on OS X Java 7 installations were unavailable.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.


Originally published on Computerworld.