Change the record

Java zero-day vulnerability unleashed into wild by Blackhole

Elliot Bentley
“New Year’s Gift” by crimeware creator is the latest vulnerability to hit Java browser plugin.

A new zero-day Java applet vulnerability has already been spotted in
the wild, after being added to a widely-used exploit kit.

It’s the latest in a string of security holes to emerge, leading
experts to recommend end users disable Java in their
browsers.

This particular exploit was added to the ‘Blackhole’ exploit kit
yesterday as a “New Year’s Gift” by its creator, who goes by the
nickname Paunch. According to security blogger Brian Krebs, Blackhole
is a ‘crimeware’ product that can be easily installed into hacked
websites to target unwitting visitors.

From just $50 per day, it allows any site to be converted into a
platform for all your favourite malware: The Register reported last
year that typical payloads include “rootkit droppers, fake AV and
malware to turn infected machines into botnets”.

The new Java-based method was confirmed by security company
AlienVault, who said it was “probably bypassing certain security
checks tricking the permissions of certain Java classes”. They
recommended immediately disabling the Java browser plugin, especially
since Blackhole and a competing kit known as ‘Nuclear Pack’ have both
been spotted exploiting the vulnerability in the wild.

This story may sound familiar, as it was only last August that Java
was in the headlines for all the wrong reasons – in that case
because of Oracle’s sluggish response to reports of known
vulnerabilities.

If client-side Java was already on its last legs, this constant
stream of security vulnerabilities may provide the finishing blow
should it continue.
