Numerous voices in the security community are calling on Oracle to issue an update for a Java zero-day vulnerability that hackers are actively exploiting.
Security firm FireEye discovered the first attack exploiting a flaw in Java earlier this week, but the vulnerability is now being exploited in various ways, since it was added to the Blackhole exploit kit, as reported by Websense.
Attacks have exploited the vulnerability in the latest version of the software platform, Java 7, and can execute on Windows, Mac OS X and Linux.
Symantec has found that a round of attacks exploiting the vulnerability was carried out by a gang who were seen hitting chemical companies in 2011. The Nitro gang was seen exploiting the flaw by luring users to specially crafted websites, which served a malicious .jar file that infected them with the Darkmoon backdoor.
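The drive-by pattern described above (a web page that serves a .jar file to a browser with the Java plugin enabled) leaves a simple trace in web proxy logs. The following is an added example for defenders, not code from the article or from any of the vendors it cites: it scans constructed proxy log lines (an assumed space-separated format) for Java archive downloads and flags those served from hosts outside an assumed allow-list of internal application servers.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Assumed format:
# timestamp client method url status content-type
SAMPLE_LOG = """\
2012-08-30T10:01:02Z 10.0.0.12 GET http://intranet.example.test/apps/timesheet.jar 200 application/java-archive
2012-08-30T10:01:05Z 10.0.0.12 GET http://www.example.test/index.html 200 text/html
2012-08-30T10:02:17Z 10.0.0.31 GET http://cdn-update.example.test/img/photo.jpg 200 image/jpeg
2012-08-30T10:02:18Z 10.0.0.31 GET http://cdn-update.example.test/app/Applet.jar 200 application/java-archive
2012-08-30T10:03:44Z 10.0.0.45 GET http://files.example.test/report.pdf 200 application/pdf
"""

# Hosts that legitimately serve in-house Java applications (assumed allow-list).
ALLOWED_JAR_HOSTS = {"intranet.example.test"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or ""
    rec["path"] = urlparse(rec["url"]).path
    return rec


def is_jar(rec):
    """A Java archive is identified by either its path extension or its content type."""
    return rec["path"].lower().endswith(".jar") or rec["ctype"] == "application/java-archive"


def flag_jar_downloads(log_text, allowed_hosts):
    """Return successful .jar fetches whose serving host is not on the allow-list."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] != "200" or not is_jar(rec):
            continue
        if rec["host"] in allowed_hosts:
            continue
        flagged.append({"ts": rec["ts"], "client": rec["client"], "host": rec["host"], "url": rec["url"]})
    return flagged


if __name__ == "__main__":
    for hit in flag_jar_downloads(SAMPLE_LOG, ALLOWED_JAR_HOSTS):
        print(f"{hit['ts']} {hit['client']} fetched Java archive from unexpected host {hit['host']}: {hit['url']}")
```

Each flagged line is a client that pulled a Java archive from a host the organisation does not itself run, which is exactly the event the article's disable-Java advice is meant to prevent; the allow-list keeps the in-house Java applications Honan mentions from generating alerts.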
“Usually, a good exploit kit like Blackhole has a success rate of around 10 percent for infecting machines visiting the servers. In the new version of Blackhole infection servers, we have seen up to a 25 percent success rate.”
Sophos said it had seen cyber criminals take advantage of the critical zero-day vulnerability in Java, sending out malicious emails pretending to come from an accountancy firm announcing a rise in the tax rate.
Since the reports of the zero-day emerged, it has been reported Oracle knew about the flaw, which actually amounts to two combined vulnerabilities, for four months. Polish startup Security Explorations said it had disclosed information on 31 Java flaws in April, two of which have been used in the above attacks.
Yet Oracle has kept quiet on the flaws, telling TechWeekEurope to keep an eye on its Software Security Assurance blog. Most onlookers have advised users to disable Java entirely in their browsers.
This silence has angered many, who are calling on Oracle to issue an out-of-band patch ahead of the one due on 16 October. Brian Honan, an IT security expert at BH Consulting, told TechWeekEurope “organisations and individuals should not be exposed until then.”
“While many are recommending that people disable Java in their browsers or downgrade to version 6 until a fix is available, this really is only a temporary measure and indeed in many cases may not be practical. Small businesses and individuals may not have the technical competence to follow such advice,” Honan said.
“Also many organisations use Java-based applications for their own in-house applications resulting in these organisations not being able to disable Java and therefore leaving their computers vulnerable. In addition many online services, such as online banking solutions, use Java to allow customers to avail of those services. Clients of those services are left in a position where they too cannot disable Java.
“Waiting until the 16 October is not an option; Oracle need to take on board the seriousness of this vulnerability and issue a fix as soon as possible.”