Exploit kits abuse yet another zero-day vulnerability in Java

Summary: Although Java had a couple of quiet months without a security incident, criminals are now taking advantage of yet another vulnerability in Java to make money.

Another zero-day vulnerability in Java has been discovered and is actively being exploited in the wild, according to a number of security researchers.

Java was hit by a run of exploited vulnerabilities last year, followed by a few months of silence. That lull is over: recent updates to a number of exploit kits reveal that a new, unpatched hole exists in Java 7 Update 10.

A researcher going by the handle @kafeine spotted the exploit in action on a site that they say receives "hundreds of thousands of hits daily". From the HTTP GET requests and their headers, kafeine shows how sites carrying the exploit are able to download files straight to the victim's machine and run them, for instance to install ransomware.
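As an added example, not part of the article or of kafeine's own analysis, the Python script below applies that kind of request and header inspection to web-proxy log lines: it pairs a JAR fetched by a Java 7 client at or below Update 10 with a later Windows executable download from the same client, which is the download-then-execute chain described above. The log lines, hostnames and log format are constructed; the MIME types checked and the decision to treat every Java 7 update at or below 10 as exposed (the article names only Update 10) are assumptions.

```python
"""Flag exploit-kit style Java download chains in web-proxy log lines.

Constructed sample data, not captured traffic. One request per line:
    <client_ip> <method> <url> <status> <content_type> "<user_agent>"
"""
import re
from collections import defaultdict

# The Java plug-in's HTTP user agent ends in "Java/<major>.<minor>.<patch>_<update>".
JAVA_UA = re.compile(r"Java/1\.(\d+)\.\d+_(\d+)$")

# Java 7 Update 10 is the version named in the article; treating earlier
# Java 7 updates as exposed as well is an assumption made for this example.
EXPOSED_MAJOR, EXPOSED_MAX_UPDATE = 7, 10

JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
# MIME types under which kit landing pages commonly serve Windows binaries (assumed list).
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')

# Constructed sample log: one exposed client hit by the chain, one older
# Java client doing a legitimate JAR-then-EXE fetch, one failed request.
SAMPLE_LOG = [
    '10.0.0.5 GET http://example.test/index.html 200 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"',
    '10.0.0.5 GET http://example.test/kit/applet.jar 200 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"',
    '10.0.0.5 GET http://example.test/kit/load.php?e=java 200 application/x-msdownload "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"',
    '10.0.0.9 GET http://example.test/app/client.jar 200 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_37"',
    '10.0.0.9 GET http://example.test/app/update.exe 200 application/x-msdownload "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_37"',
    '10.0.0.7 GET http://example.test/kit/applet.jar 404 text/html "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"',
]


def parse_line(line):
    """Split one log line into a dict, or return None if it does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ip, method, url, status, ctype, ua = m.groups()
    return {"ip": ip, "method": method, "url": url, "status": int(status),
            "ctype": ctype.lower(), "ua": ua}


def java_version(ua):
    """Return (major, update) parsed from a Java user agent, or None for other clients."""
    m = JAVA_UA.search(ua)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_exposed(ua):
    """True when the client is Java 7 at or below the assumed exposed update level."""
    v = java_version(ua)
    return v is not None and v[0] == EXPOSED_MAJOR and v[1] <= EXPOSED_MAX_UPDATE


def find_chains(lines):
    """Return (client_ip, user_agent, payload_url) for every client where an exposed
    JRE successfully fetched a JAR and then a binary payload, in that order."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Only successful responses to Java clients matter for this chain.
        if rec and rec["status"] == 200 and java_version(rec["ua"]):
            by_client[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_client.items():
        jar_seen = False
        for rec in recs:  # log order is request order within a client
            if rec["ctype"] in JAR_TYPES and is_exposed(rec["ua"]):
                jar_seen = True
            elif jar_seen and rec["ctype"] in PAYLOAD_TYPES:
                alerts.append((ip, rec["ua"], rec["url"]))
                break
    return alerts


if __name__ == "__main__":
    for ip, ua, url in find_chains(SAMPLE_LOG):
        print(f"ALERT {ip}: exposed JRE '{ua}' fetched JAR then payload {url}")
```

The ordering requirement (JAR first, binary second, same client) is what keeps a plain JAR download or a plain executable download from alerting on its own; the 404 line shows why only successful responses are counted.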

According to the researcher, the exploit has already been built into the Cool EK, Nuclear Pack, Redkit, Blackhole and Sakura exploit toolkits, making it easy for criminals to deploy at scale and monetise.

Kafeine notified AlienVault Labs, which has independently verified that the exploit exists.

"The Java file is highly obfuscated, but based on the quick analysis we did, the exploit is probably bypassing certain security checks, tricking the permissions of certain Java classes," the company wrote on its blog.

As for kafeine's claim that the exploit is already shipping in exploit toolkits, at least one other source backs up the finding. Security commentator and blogger Brian Krebs, who maintains memberships in a number of underground forums and reports on their activities, said that the Blackhole curator, who goes by the name Paunch, added the exploit to the newest version of the kit as a New Year's gift. Krebs also confirmed a similar announcement by the creator of the Nuclear Pack toolkit.

With no patch yet available, users who have not already disabled Java are advised to uninstall it or, at the least, disable the Java plug-in in their browser, since the exploit kits deliver the attack through the browser.

Topics: Security, Oracle

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
