Change the record

Java zero-day vulnerability unleashed into wild by Blackhole

Elliot Bentley

“New Year’s Gift” by crimeware creator is the latest vulnerability to hit Java browser plugin.

A new zero-day Java applet vulnerability has already been spotted in the wild, after being added to a widely-used exploit kit.

It’s the latest in a string of security holes to emerge, leading experts to recommend end users disable Java in their browsers.

This particular exploit was added to the ‘Blackhole’ exploit kit yesterday as a “New Year’s Gift” by its creator, who goes by the nickname Paunch. According to security blogger Brian Krebs, Blackhole is a ‘crimeware’ product that can be easily installed into hacked websites to target unwitting visitors.

From just $50 per day, it allows any site to be converted into a platform for all your favourite malware: The Register reported last year that typical payloads include “rootkit droppers, fake AV and malware to turn infected machines into botnets”.

The new Java-based method was confirmed by security company AlienVault, which said it was “probably bypassing certain security checks tricking the permissions of certain Java classes”. They recommended immediately disabling the Java browser plugin, especially since Blackhole and a competing kit known as ‘Nuclear Pack’ have both been spotted exploiting the vulnerability in the wild.

This story may sound familiar, as it was only last August that Java was in the headlines for all the wrong reasons – in that case because of Oracle’s sluggish response to reports of known vulnerabilities.

If client-side Java was already on its last legs, this constant stream of security vulnerabilities may provide the finishing blow should they continue.
