The zero-day in Java that SecurityWeek reported on Monday has gotten worse, as it can be targeted from within the Blackhole Exploit Kit and Metasploit. While this means good guys can use Metasploit as a means to proactive protection, the bad guys now have a way to automate victim collection.
To recap, security researchers from FireEye discovered the Java problem late last week, and after testing confirmed that it was a zero-day flaw. Systems running Windows, Mac OS X, or Linux, with JRE 1.7 Update 0 though 6 installed for Firefox, Safari, or Internet Explorer (and Chrome on XP), are vulnerable.
“As a user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available,” Rapid 7 said in a blog post.
Security teams wishing to test Rapid 7’s findings can download Metasploit, where a module has been released. Rapid 7 customers with Metasploit Pro can update their installations for the latest modules, as can existing Metasploit users.
As mentioned, there is no patch for the issue from Oracle. At the earliest, Oracle may release one as a bug fix, but that is two months away (October 16). It’s extremely rare that Oracle would issue an out-of-cycle patch, and there is no expectation that they will make an exception for this latest issue.
With that said, users are advised to remove Java from their systems, unless there is an urgent need for it. For the typical home user, Java isn’t a requirement for day-to-day browsing, but it is often installed and left unpatched, making it the easiest way for an attacker to compromise a given system.
When it comes to business usage, Java remains locked in a love and hate relationship. Legacy applications sometimes require the software, meaning IT teams have to remain vigilant, and patch every four months as needed. Yet, vulnerabilities with no patches leave them exposed. In cases like this, the only option (other than to stop using Java) is to limit the access Java has to the outside. This could mean installing Java to a secondary browser and only using that browser for Java-based applications, or filtering all outbound traffic from the client. Neither option is pretty.
Targeted attacks using the latest Java flaw are expanding slowly, but with its inclusion in to the Blackhole Exploit Kit, that will change. Already, less than 24-hours after it was included in the crime kit, more than a dozen domains are using the new flaw to attack systems. Even worse, this flaw isn’t even a primary method of attack. It’s a backup.
“So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly...Almost all of the domains are hosting multiple exploits. If nothing else works, the new Java zero-day kicks in and all of a sudden the machine is compromised,” FireEye researcher Atif Mushtaq wrote in an update to his original blog post on the vulnerability.
“It's very disappointing that Oracle hasn't come forward and announced a date for an emergency update patch. Once again I strongly recommend if it is not critical, uninstall the JRE plug-in from your browser.”
Additional information and mitigation details can be found here.