SecurityWeek

Oracle Java Vulnerability Exploit Rolled into BlackHole Kit, Security Pros Urge Patch

Organizations should move to patch a Java vulnerability being targeted by attackers in the wild, security experts say.

The vulnerability in question is CVE-2012-0507, a remote execution bug patched by Oracle in February. Earlier this month, researchers at Microsoft spotted it being used in attacks to circumvent the sandbox mechanism in the Java Runtime Environment (JRE). Now, security blogger Brian Krebs has reported that cybercriminals have packaged an exploit for the bug into the infamous BlackHole toolkit.

BlackHole has emerged as one of the most widely-used malware kits sold on the Web. According to security firm AVG Technologies, it accounted for more than 80 percent of toolkit detections during the fourth quarter of 2011. Krebs reported this week he had found several posts on underground carding forums stating the exploit has been included in the kit.

Security pros have commented before that the ubiquity of Java has made it an attractive target for attackers. In fact, Microsoft reported in November that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in JRE, Java Virtual Machine (JVM) and Java SE in the Java Development Kit (JDK).

“We see very slow patching rates as far as Java is concerned,” opined Wolfgang Kandek, CTO of Qualys. “In our enterprise statistics, Java is one of the slowest software to be addressed by enterprise customers, in stark contrast to operating systems, browsers and even Microsoft Office productivity applications where patching rates have improved significantly and a large percentage of problems get addressed within the first 30 days.”

“On the consumer side, Java is equally slow in getting updated,” he added. “On average 42 percent of consumer desktops have vulnerable versions of Java installed.”

Statistics from vulnerability management firm Rapid7 tell a similar story, based on its analysis of the Java patching habits of Internet users. According to the company, in the first month after a Java patch is released the fix is deployed by less than 10 percent of users. After two months, the number rises to approximately 20 percent. The highest patch rate for Java last year was 38 percent, the share of users who applied Java Version 6 Update 26 within three months of its release.

“There is a huge lack of awareness when it comes to an application that runs in the background for the most part,” said Marcus Carey, security researcher with Rapid7. “Some people look at computer programs with the ‘set it and forget it’ mindset. As long as it works, they aren’t upgrading anything and are unaware that they could be compromised.”

In addition, some applications used by businesses may only work with older versions of Java, Carey said, requiring these companies to undergo a “significant capital investment” to update the software.

“They are stuck between a rock and a hard place, where they can’t live without the application and can’t afford to upgrade it,” he said.

In those cases, Kandek recommended organizations utilize a whitelisting strategy to limit Java to the “Trusted Sites” in Internet Explorer, which could greatly reduce successful attacks.
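As an added example (not from the article, Qualys or Microsoft), the following PowerShell script inventories the current user's Internet Explorer zone configuration so an administrator can check whether the Trusted Sites whitelisting approach described above is actually in place. It assumes the documented IE zone registry layout (zone 2 = Trusted sites, zone 3 = Internet), the URL-action values 1200 ("Run ActiveX controls and plug-ins") and 1C00 ("Java permissions"), and the ZoneMap\Domains layout for site-to-zone assignments.

```powershell
# Added example, not from the article. Inventories the current user's IE zone
# settings relevant to confining Java to the Trusted Sites zone.
# Assumptions: zone 2 = Trusted sites, zone 3 = Internet;
#   1200 = "Run ActiveX controls and plug-ins" (0 enable, 1 prompt, 3 disable)
#   1C00 = "Java permissions" (0 disable, 0x10000 high, 0x20000 medium,
#          0x30000 low, 0x800000 custom)
$base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 2 = 'Trusted sites'; 3 = 'Internet' }
$activeX   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$javaPerm  = @{ 0 = 'Disabled'; 0x10000 = 'High safety'; 0x20000 = 'Medium safety'
                0x30000 = 'Low safety'; 0x800000 = 'Custom' }

# One row per zone: what the zone allows for plug-ins and for Java.
function Get-ZoneJavaSettings {
    foreach ($id in $zoneNames.Keys) {
        $p = Get-ItemProperty -Path "$base\Zones\$id" -ErrorAction SilentlyContinue
        $ax = 'default'; $jp = 'default'
        if ($null -ne $p.'1200') { $ax = $activeX[[int]$p.'1200'] }
        if ($null -ne $p.'1C00') { $jp = $javaPerm[[int]$p.'1C00'] }
        [pscustomobject]@{ Zone = $zoneNames[$id]; ActiveXPlugins = $ax; JavaPermission = $jp }
    }
}

# Sites explicitly mapped to the Trusted sites zone: under ZoneMap\Domains the
# key path is the reversed host name (example.com\www) and each value is named
# after the URL scheme with data 2 for the Trusted sites zone.
function Get-TrustedSiteEntries {
    $map = "$base\ZoneMap\Domains"
    if (-not (Test-Path $map)) { return }
    Get-ChildItem -Path $map -Recurse | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath
        $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
        [array]::Reverse($parts)
        foreach ($v in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            if ([int]$v.Value -eq 2) { '{0}://{1}' -f $v.Name, ($parts -join '.') }
        }
    }
}

Get-ZoneJavaSettings | Format-Table -AutoSize
'Trusted sites entries:'
Get-TrustedSiteEntries
```

Which of these settings gates a particular Java plug-in depends on the IE and Java versions in use, and machine-wide or Group Policy keys under HKLM can override the per-user values, so treat the output as an inventory to compare against the intended policy rather than as proof that Java is blocked outside the Trusted Sites zone.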
