Oracle Java Vulnerability Exploit Rolled into BlackHole Kit, Security Pros Urge Patch

Organizations should move to patch a Java vulnerability being targeted by attackers in the wild, security experts say.

The vulnerability in question is CVE-2012-0507, a remote execution bug patched by Oracle in February. Earlier this month, researchers at Microsoft spotted it being used in attacks to circumvent the sandbox mechanism in the Java Runtime Environment (JRE). Now, security blogger Brian Krebs has reported that cybercriminals have packaged an exploit for the bug into the infamous BlackHole toolkit.

BlackHole has emerged as one of the most widely used malware kits sold on the Web. According to security firm AVG Technologies, it accounted for more than 80 percent of toolkit detections during the fourth quarter of 2011. Krebs reported this week that he had found several posts on underground carding forums stating the exploit has been included in the kit.

Security pros have commented before that the ubiquity of Java has made it an attractive target for attackers. In fact, Microsoft reported in November that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in JRE, Java Virtual Machine (JVM) and Java SE in the Java Development Kit (JDK).

“We see very slow patching rates as far as Java is concerned,” opined Wolfgang Kandek, CTO of Qualys. “In our enterprise statistics, Java is one of the slowest software to be addressed by enterprise customers, in stark contrast to operating systems, browsers and even Microsoft Office productivity applications where patching rates have improved significantly and a large percentage of problems get addressed within the first 30 days.”

“On the consumer side, Java is equally slow in getting updated,” he added. “On average 42 percent of consumer desktops have vulnerable versions of Java installed.”

Statistics from vulnerability management firm Rapid7 tell a similar story, based on its analysis of the Java patching habits of Internet users. According to the company, in the first month after a Java patch is released the fix is deployed by less than 10 percent of users. After two months, the number jumps to approximately 20 percent. The highest patch rate for Java last year was 38 percent, which represented the percentage of users who applied Java Version 6 Update 26 within three months of its release.

“There is a huge lack of awareness when it comes to an application that runs in the background for the most part,” said Marcus Carey, security researcher with Rapid7. “Some people look at computer programs with the ‘set it and forget it’ mindset. As long as it works, they aren’t upgrading anything and are unaware that they could be compromised.”

In addition, some applications used by businesses may only work with older versions of Java, Carey said, requiring these companies to undergo a “significant capital investment” to update the software.

“They are stuck between a rock and a hard place, where they can’t live without the application and can’t afford to upgrade it,” he said.

In those cases, Kandek recommended organizations utilize a whitelisting strategy to limit Java to the “Trusted Sites” in Internet Explorer, which could greatly reduce successful attacks.
