SecurityWeek

Malware & Threats

Oracle Java Vulnerability Exploit Rolled into BlackHole Kit, Security Pros Urge Patch

Organizations should move to patch a Java vulnerability being targeted by attackers in the wild, security experts say.


The vulnerability in question is CVE-2012-0507, a remote code execution bug patched by Oracle in February. Earlier this month, researchers at Microsoft spotted it being used in attacks to circumvent the sandbox mechanism in the Java Runtime Environment (JRE). Now, security blogger Brian Krebs has reported that cybercriminals have packaged an exploit for the bug into the infamous BlackHole toolkit.

BlackHole has emerged as one of the most widely used malware kits sold on the Web. According to security firm AVG Technologies, it accounted for more than 80 percent of toolkit detections during the fourth quarter of 2011. Krebs reported this week that he had found several posts on underground carding forums stating the exploit has been included in the kit.

Security pros have commented before that the ubiquity of Java has made it an attractive target for attackers. In fact, Microsoft reported in November that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in JRE, Java Virtual Machine (JVM) and Java SE in the Java Development Kit (JDK).

“We see very slow patching rates as far as Java is concerned,” opined Wolfgang Kandek, CTO of Qualys. “In our enterprise statistics, Java is one of the slowest software to be addressed by enterprise customers, in stark contrast to operating systems, browsers and even Microsoft Office productivity applications where patching rates have improved significantly and a large percentage of problems get addressed within the first 30 days.”

“On the consumer side, Java is equally slow in getting updated,” he added. “On average 42 percent of consumer desktops have vulnerable versions of Java installed.”

Statistics from vulnerability management firm Rapid7 tell a similar story, based on its analysis of the Java patching habits of Internet users. According to the company, in the first month after a Java patch is released the fix is deployed by less than 10 percent of users. After two months, the number rises to approximately 20 percent. The highest patch rate for Java last year was 38 percent, the share of users who applied Java Version 6 Update 26 within three months of its release.
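The check the patching statistics above imply is straightforward: collect the installed JRE version from each host and compare it with the first release that carries the fix. The following Python script is an added example, not code from the article, Qualys or Rapid7. It assumes the Oracle February 2012 Critical Patch Update levels (6 Update 31 and 7 Update 3) as the minimum patched builds for CVE-2012-0507, and runs over a small constructed inventory of `java -version` banners rather than real data.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# First builds carrying the CVE-2012-0507 fix, per Java family: Oracle's
# February 2012 Critical Patch Update shipped 6 Update 31 and 7 Update 3.
PATCHED_MINIMUM: Dict[int, int] = {6: 31, 7: 3}

# `java -version` banners of the era look like: java version "1.6.0_26"
# (printed on stderr). Family is the second field, update follows the '_'.
# Post-Java-9 strings ("11.0.2") do not match and are reported as "unknown".
_VERSION_RE = re.compile(r"1\.(\d+)\.\d+_(\d+)")

# Constructed sample inventory (hostname -> captured `java -version` output);
# not real data from the article or the firms quoted in it.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": 'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)',
    "ws-02": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b05)',
    "ws-03": 'java version "1.7.0_03"\nJava(TM) SE Runtime Environment (build 1.7.0_03-b05)',
    "ws-04": 'java version "1.7.0_02"\nJava(TM) SE Runtime Environment (build 1.7.0_02-b13)',
    "ws-05": "'java' is not recognized as an internal or external command",
}


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (family, update) from a version string or banner.

    '1.6.0_26' -> (6, 26); returns None when no 1.x.y_u pattern is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one banner.

    Families without an entry in PATCHED_MINIMUM (1.4, 5.0, or a banner that
    does not parse at all) are reported as 'unknown' rather than silently
    passed, so they show up for manual follow-up.
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    minimum = PATCHED_MINIMUM.get(family)
    if minimum is None:
        return "unknown"
    return "patched" if update >= minimum else "vulnerable"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a hostname -> banner mapping."""
    return {host: classify(banner) for host, banner in inventory.items()}


def patch_rate(results: Dict[str, str]) -> float:
    """Fraction of hosts with a known Java family that are at the fixed level;
    hosts classified 'unknown' are excluded from the denominator."""
    counted = [s for s in results.values() if s != "unknown"]
    if not counted:
        return 0.0
    return sum(1 for s in counted if s == "patched") / len(counted)


def local_java_banner() -> Optional[str]:
    """Capture `java -version` from the host this script runs on, or None
    if no java binary is on PATH. This is the per-host collector that would
    feed an inventory shaped like SAMPLE_INVENTORY."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for host, status in sorted(results.items()):
        print(f"{host}: {status}")
    print(f"patched share of hosts with a known Java family: {patch_rate(results):.0%}")
```

The conservative choice here is to report every family that has no known fix level as "unknown" instead of passing it: a desktop still running a 1.4 or 5.0 runtime is exactly the "set it and forget it" install the article describes, and it needs a person to look at it rather than a script to wave it through. Note that a machine can carry several JREs side by side, so a single `java -version` only describes the one first on PATH; a full inventory should also enumerate the installed packages or registry entries.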

“There is a huge lack of awareness when it comes to an application that runs in the background for the most part,” said Marcus Carey, security researcher with Rapid7. “Some people look at computer programs with the ‘set it and forget it’ mindset. As long as it works, they aren’t upgrading anything and are unaware that they could be compromised.”

In addition, some applications used by businesses may only work with older versions of Java, Carey said, requiring these companies to undergo a “significant capital investment” to update the software.


“They are stuck between a rock and a hard place, where they can’t live without the application and can’t afford to upgrade it,” he said.

In those cases, Kandek recommended that organizations adopt a whitelisting strategy that limits Java to the “Trusted Sites” zone in Internet Explorer, which he said could greatly reduce the number of successful attacks.

Written By

Marketing professional with a background in journalism and a focus on IT security.
