Java Under AttackJava zero-day vulnerability is under attack by at least four active campaigns. Oracle has yet to respond. What to do?Security experts have a message for all businesses: Disable Java now, and keep it disabled. An exploit for a previously unknown and currently unpatched vulnerability in Java is being used by cyber-criminals to infect computers with malware, according to security researchers. Attackers are using such exploits to silently install malware on the computers of users who visit compromised websites, in what are known as drive-by download attacks. The Java zero-day vulnerability, dubbed CVE-2013-0422, "allows remote attackers to execute arbitrary code via unknown vectors, possibly related to 'permissions of certain Java classes,'" according to the National Vulnerability Database. The flaw affects all versions of Java 7, including Oracle Java 7 Update 10, which is the most recent version. With some estimates suggesting that 34% of all PCs currently run a version of Java 7, the zero-day vulnerability may now be present on over 400 million systems. Technology giant Oracle, which maintains Java, has yet to issue an official response regarding the latest zero-day Java flaw, which suggests that a fix won't be immediately forthcoming. Indeed, this is far from the first time that security experts have sounded warnings over Java. Last year, the discovery of a zero-day flaw in Java 7 affecting Windows, OS X, and Linux led also led to calls that Java should be immediately disabled in all browsers. Some companies have been pursuing stronger measures. In October Apple issued an update that excised Java from all Apple browsers. To run Java, users would need to download the software from Oracle. "We first observed the new Java 0-day on Dec 17th, very low rates until the morning of Jan 9th when detection rate surged," said Costin Raiu, a senior security researcher at Kaspersky Lab. "The 0-day attack code that was spotted in the wild today is yet another instance of Java security vulnerabilities that stem from insecure implementation of the Java Reflection API," said Adam Gowdiak, the founder of Security Explorations, a Polish security company that specializes in Java vulnerability research.
What is a Zero-day attack? A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. There are zero days between the time the vulnerability is discovered and the first attack.
|