New Java Zero Day Surfaces, Exploit Already Added to Popular Crimeware Toolkits

New Java Vulnerability Being “Massively Exploited” in the Wild

Another Java zero-day security flaw is actively being targeted in the wild, and exploits are already in use across some of the most popular crimeware toolkits.

If you haven’t disabled Java yet, there is no better time than now.

The vulnerability exists in all versions of Java 7, and AlienVault Labs researchers were able to reproduce the exploit on a system running the fully patched and up-to-date Java 7 Update 10, Jaime Blasco, the labs manager at AlienVault, wrote on the company blog on Jan. 10. The latest bug resembles the earlier Java zero-day (CVE-2012-4681) that was uncovered in August, Blasco said.

While Oracle took the rare step of releasing an out-of-band patch for that earlier zero-day a few days after the flaw was identified, there is so far no word of a fix or of mitigation controls from the company for this one. Users should immediately disable the Java plugin (version 1.7) in their browser (or, if they have already done so, leave it disabled for the time being).

“Java 7 Update 10 and earlier Java 7 versions contain an unspecified remote-code-execution vulnerability,” the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) warned in its Vulnerability Note.

The Java file was “highly obfuscated” and the current exploit in the wild can bypass security checks, Blasco wrote in his analysis. By tricking a user into visiting a specially crafted HTML document, either a website or even a booby-trapped email attachment, a remote attacker may be able to execute arbitrary code, US-CERT warned.

If a user visits a malicious site exploiting this vulnerability, the attacker can “virtually own your computer,” Blasco said.

Java exploits are exceptionally dangerous because they tend to be cross-platform attacks. The exact same code can run on Mac OS X, Windows, and Linux. Kafeine, the French researcher who alerted AlienVault to the vulnerability and the exploit, described the situation as “mayhem.”

It’s not clear how many sites may have already been infected with this exploit and how many users have been compromised, although Kafeine said the site he found the infection on had “hundreds of thousands of hits daily.” The security hole is “massively exploited in the wild,” wrote Kafeine, as several crimeware toolkits, including Blackhole, Cool Exploit, and NuclearKit, are already using the exploit.

Blackhole’s creator bragged on underground forums about the new Java exploit, calling it a “New Year’s Gift” for customers, wrote security writer Brian Krebs on Krebs on Security.

Oracle shipped Java 7 Update 10 last month with a built-in kill switch: the “Enable Java content in the browser” checkbox on the Security tab of the Java Control Panel, which turns off Java in every browser on the machine without uninstalling the runtime. US-CERT and the SANS Institute recommended using that setting. Otherwise, users can disable the Java plugin outright in each browser’s add-on or plugin manager.
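The Control Panel checkbox is backed by a property in the Java deployment.properties file, which makes the same setting scriptable for a fleet. The script below is an added example written for this page, not code from SecurityWeek, Oracle or any of the researchers quoted; it assumes the documented Java 7 Update 10 property deployment.webjava.enabled and Java’s “.locked” suffix convention, which prevents the user from flipping the setting back in the Control Panel. The function name, the temp-file handling and the sample properties content are the example’s own.

```shell
#!/usr/bin/env bash
# Added example: turn off "Java content in the browser" by editing a Java
# deployment.properties file, and lock the setting. Assumes the Java 7u10
# property deployment.webjava.enabled and the ".locked" suffix convention.
set -eu

# disable_webjava FILE
# Rewrites FILE (a Java deployment.properties) so that it contains exactly one
#   deployment.webjava.enabled=false
#   deployment.webjava.enabled.locked
# pair. Every other line is preserved; the file is created if it is missing.
# Idempotent: running it twice leaves a single pair in place.
disable_webjava() {
    file="$1"
    dir=$(dirname "$file")
    mkdir -p "$dir"
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "$dir/.deployment.XXXXXX")
    # Drop any prior value or lock for the key, keep everything else.
    # grep -v exits 1 when nothing is left, which is not an error here.
    grep -v -E '^deployment\.webjava\.enabled(\.locked)?(=.*)?$' "$file" > "$tmp" || true
    printf '%s\n' 'deployment.webjava.enabled=false' \
                  'deployment.webjava.enabled.locked' >> "$tmp"
    mv "$tmp" "$file"
}

# webjava_disabled FILE
# Exit 0 if FILE turns the browser plugin off, 1 otherwise. Use it as the
# compliance check after rollout.
webjava_disabled() {
    grep -q -E '^deployment\.webjava\.enabled=false$' "$1"
}

# user_props_path
# Prints the per-user deployment.properties location for this platform
# (paths from Oracle's deployment guide). Windows uses
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
# and is out of scope for a POSIX shell script.
user_props_path() {
    case "$(uname -s)" in
        Darwin) printf '%s\n' "$HOME/Library/Application Support/Oracle/Java/Deployment/deployment.properties" ;;
        Linux)  printf '%s\n' "$HOME/.java/deployment/deployment.properties" ;;
        *)      return 1 ;;
    esac
}

# Usage (per-user):  disable_webjava "$(user_props_path)" && webjava_disabled "$(user_props_path)"
```

For a system-wide policy, point the JRE’s deployment.config at a shared deployment.properties and run disable_webjava against that file instead; the .locked line then keeps individual users from re-enabling the plugin through the Control Panel.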

Users are “strongly advised to put Java down and keep it that way until things get sorted out,” Bogdan Botezatu, senior e-threat analyst at BitDefender, wrote on the Hot for Security blog. They should also make sure not to click on “any spammy links, regardless of how appealing they might look in the following days,” Botezatu said.

It seems that only version 1.7 of the Java plugin is being targeted at this time.

Exploit writers are increasingly targeting Java, as the installed base is quite large. In many cases, users may have installed Java once, and then never updated it again because they forgot about it.

This Java zero-day is a reminder for administrators to think about the policy of “least privilege,” Marc Maiffret, CTO of BeyondTrust, told SecurityWeek. Considering the “constant stream” of client application vulnerabilities, “one of the best things an organization can do to limit their impact is to properly manage user account privileges across an organization,” Maiffret said.
