The underground developers behind the Blackhole exploit kit updated the framework the week of 9 July with a module that can easily compromise computers systems using a month-old flaw in Java.
Because most PC users and companies can take months to update third-party software, the exploit will like remain effective for some time to come, security software firm Websense stated in a blog post published on 16 July.
It’s the latest demonstration of online attackers’ fondness for exploiting security holes in Java. Exploit kits, such as Blackhole, are used by cybercriminals to automate the creation of programs to infect victims’ computer systems and targeting flaws in Java has become a reliable method of infection. Since 2010, exploit kits have added almost a dozen Java vulnerabilities to their list of flaws targeted for exploitation, according to security software firm Websense.
Several characteristics of the Java software platform have made it a favorite of attackers. Java is popular and runs on a large number of operating systems giving attackers a potentially large base of victims. Moreover, the software update mechanism is not automatic by default and frequently leaves older – and vulnerable – versions on many systems.
Updates can be so confusing that exploits for known Java vulnerabilities have regularly had a greater than 70 percent chance of success, according to Jason Jones, lead of the advanced security intelligence team at Hewlett-Packard’s DVLabs.
“That’s a crazy success rate,” he says. “Especially since other exploits have had a (less than 15 percent) success rate.”
Many security experts, including Websense, recommend that users disable the Java browser plugin to protect against Internet attacks that use the plugin to compromise vulnerable systems.
The latest exploit built into the Blackhole kit may be based on a description written by security researcher Michael Schierl, who coded his own proof-of-concept in about an hour, according to a description of the effort. The program ended up being quite compact, about 50 lines of code.
“The resulting exploit is quite short…, and I am sure you can make it shorter if you really try,” he stated. “However, I don’t want to make it too easy for criminals to leverage this vulnerability just by copying and pasting; therefore I won’t publish my exploit code in the near future.”
Oracle patched the vulnerability in mid-June.
The latest Java exploit will likely get picked up by other toolkits, such as Phoenix, quite quickly says, Websense’s Astacio. The authors of the frameworks tend to borrow each other’s latest techniques, he says. More than five years ago, most attacks focused on vulnerabilities in Microsoft Office and then moved to Adobe’s Acrobat program. Only in the last few years have the attackers really focused on Java.
“Java was not heavily used for exploit kits two or three years ago, but they tend to trickle into one kit and then they spread to others,” he says.
Do you know the secrets of Wi-Fi? Take our quiz.
Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…
Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…
OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…
New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…
US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…
Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…