The underground developers behind the Blackhole exploit kit updated the framework the week of 9 July with a module that can easily compromise computers systems using a month-old flaw in Java.
Because most PC users and companies can take months to update third-party software, the exploit will like remain effective for some time to come, security software firm Websense stated in a blog post published on 16 July.
It’s the latest demonstration of online attackers’ fondness for exploiting security holes in Java. Exploit kits, such as Blackhole, are used by cybercriminals to automate the creation of programs to infect victims’ computer systems and targeting flaws in Java has become a reliable method of infection. Since 2010, exploit kits have added almost a dozen Java vulnerabilities to their list of flaws targeted for exploitation, according to security software firm Websense.
Several characteristics of the Java software platform have made it a favorite of attackers. Java is popular and runs on a large number of operating systems giving attackers a potentially large base of victims. Moreover, the software update mechanism is not automatic by default and frequently leaves older – and vulnerable – versions on many systems.
Updates can be so confusing that exploits for known Java vulnerabilities have regularly had a greater than 70 percent chance of success, according to Jason Jones, lead of the advanced security intelligence team at Hewlett-Packard’s DVLabs.
“That’s a crazy success rate,” he says. “Especially since other exploits have had a (less than 15 percent) success rate.”
Many security experts, including Websense, recommend that users disable the Java browser plugin to protect against Internet attacks that use the plugin to compromise vulnerable systems.
The latest exploit built into the Blackhole kit may be based on a description written by security researcher Michael Schierl, who coded his own proof-of-concept in about an hour, according to a description of the effort. The program ended up being quite compact, about 50 lines of code.
“The resulting exploit is quite short…, and I am sure you can make it shorter if you really try,” he stated. “However, I don’t want to make it too easy for criminals to leverage this vulnerability just by copying and pasting; therefore I won’t publish my exploit code in the near future.”
Oracle patched the vulnerability in mid-June.
The latest Java exploit will likely get picked up by other toolkits, such as Phoenix, quite quickly says, Websense’s Astacio. The authors of the frameworks tend to borrow each other’s latest techniques, he says. More than five years ago, most attacks focused on vulnerabilities in Microsoft Office and then moved to Adobe’s Acrobat program. Only in the last few years have the attackers really focused on Java.
“Java was not heavily used for exploit kits two or three years ago, but they tend to trickle into one kit and then they spread to others,” he says.
Do you know the secrets of Wi-Fi? Take our quiz.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…