
Java zero day flaw puts millions of users at risk

No fix for vulnerability on the horizon
Wed Aug 29 2012, 12:29

MILLIONS OF COMPUTER USERS - whether they favour the Windows, Mac or Linux operating systems - are at risk from a recently discovered zero day vulnerability in Java for which there is as yet no fix.

It appears that the flaw allows the Blackhole exploit kit to target the Java runtime using a Pre.jar file, which lets it install malware, in this case a banking Trojan, onto users' machines through a variety of methods.

Security firm FireEye warned that criminals have already begun targeting the flaw using the Blackhole exploit kit. Some versions of the malware toolkit were updated earlier this week to include the ability to exploit the vulnerability, the company claimed.

"This morning we started getting the first indication of a large scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly," reads FireEye's blog post.

"After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands."

FireEye went on to criticise Oracle, which owns Java, for its lack of action regarding the flaw.

"It's very disappointing that Oracle hasn't come forward and announced a date for an emergency update patch," wrote FireEye's Atif Mushtaq.

At the time of writing Oracle had not responded to The INQUIRER's request for comment on the exploit or when a patch might be released.

The flaw was uncovered earlier in August and reportedly works on the Windows, Linux and Mac OS X operating systems, according to Errata Security.

"I have tested the following operating systems: Windows7, Ubuntu 12.04, OSX 10.8.1. I have tested the following browsers: Firefox 14.0.1 (Windows, Linux, OSX), IE 9, Safari 6. The same exploit worked on all of them," an Errata representative wrote on a company blog.

The Blackhole exploit kit is an automated attack kit available for sale in several online black markets. It allows cyber criminals without sophisticated IT skills to mount automated cyber campaigns.
