Oracle Urged To Patch As Crooks Go Wild For Java Zero-Day Flaw

Numerous voices in the security community are calling on Oracle to issue an update for a Java zero-day vulnerability that hackers are actively exploiting.

Security firm FireEye discovered the first attack exploiting a flaw in Java earlier this week, but the vulnerability is now being exploited in various ways, since it was added to the Blackhole exploit kit, as reported by Websense.

Attacks have exploited the vulnerability in the latest version of the software platform, Java 7, and can execute on Windows, Mac OS X and Linux.

Attacks spiraling

Symantec has found that a round of attacks exploiting the vulnerability was carried out by a gang who were seen hitting chemical companies in 2011. The Nitro gang was seen exploiting the flaw by having users visit specially-crafted websites and infecting them with the Darkmoon backdoor by chucking a .jar file at them.

Seculert, which said the Java zero-day was “the Blackhole king”, found hackers were having plenty of success taking advantage of the flaw. “Including an unpatched zero-day vulnerability in an exploit kit is the worst nightmare for any IT security manager, especially if it is the most popular exploit kit. Therefore, it wasn’t a surprise for us to discover an increase in the numbers of infections due to the new Blackhole version which now includes the new Java zero-day,” the security vendor reported.

“Usually, a good exploit kit like Blackhole has a success rate of around 10 percent for infecting machines visiting the servers. In the new version of Blackhole infection servers, we have seen up to a 25 percent success rate.”

Sophos said it had seen cyber criminals take advantage of the critical zero-day flaw vulnerability in Java, sending out malicious emails pretending to come from an accountancy firm announcing a rise in the tax rate.

Since the reports of the zero-day emerged, it has been reported Oracle knew about the flaw, which actually amounts to two combined vulnerabilities, for four months. Polish startup Security Explorations said it had disclosed information on 31 Java flaws in April, two of which have been used in the above attacks.

Yet Oracle has kept quiet on the flaws, telling TechWeekEurope to keep an eye on its Software Security Assurance blog. Most onlookers have advised users to disable Java entirely in their browsers.

This silence has angered many, who are calling on Oracle to issue an out-of-band patch ahead of the one due on 16 October. Brian Honan, an IT security expert at BH Consulting, told TechWeekEurope “organisations and individuals should not be exposed until then.”

“While many are recommending that people disable Java in their browsers or to downgrade to version 6 until a fix is available this really is only a temporary measure and indeed in many cases may not be practical. Small business and individuals may not have the technical competence to follow such advice,” Honan said.

“Also many organisations use Java-based applications for their own in-house applications resulting in these organisations not being able to disable Java and therefore leaving their computers vulnerable. In addition many online services, such as online banking solutions, use Java to allow customers to avail of those services. Clients of those services are left in a position where they too cannot disable Java.

“Waiting until the 16 October is not an option, Oracle need to take on board the seriousness of this vulnerability and issue a fix as soon as possible.”

Are you a security guru? Try our quiz!