Java zero day skyrockets BlackHole exploit success rates

Summary: Already the hacker's tool of choice, the BlackHole exploit kit has seen its success rate soar from infecting one in 10 visitors to one in four, thanks to the inclusion of a recent Java zero day.

TOPICS: Security, Malware

On the back of news that not one, but two, zero-day vulnerabilities have been found in the current version of Oracle's Java Runtime Environment, many predicted that it was just a matter of time before the vulnerabilities were weaponised.

Only hours after FireEye Malware Intelligence Lab researcher Atif Mushtaq disclosed his discovery of the vulnerabilities, proof-of-concept code appeared online and a module for Rapid7's popular exploit framework Metasploit was developed.

But the situation has become even worse, with the exploit now working its way into BlackHole, the hacker's Swiss Army toolkit for infecting unsuspecting users who visit compromised sites that serve the kit.

Yesterday, as Mushtaq began to see evidence of a mounting large-scale attack against the vulnerability from several sites, he predicted that if it were worked into BlackHole, casualties would shoot into the thousands.

Indeed, Seculert has now confirmed that the latest version of BlackHole is making use of the vulnerability with huge success.

According to Seculert, a good exploit kit can typically infect one in 10 visitors to a compromised site, but the latest version of BlackHole now infects one in four. Granted, not all of these infections will be due to the Java exploit, but, according to Seculert, where the Java exploit is used, it is now between 75 and 99 per cent successful.

"We were able to count tens of thousands of new infected machines due to the Java zero day since the exploit was added to the BlackHole exploit kit," the company wrote.

Yet, anecdotal evidence suggests that users aren't taking precautionary measures. An informal poll conducted by F-Secure indicates that the majority of users still have Java installed, despite the vulnerability affecting Java on every platform. While the payload being dropped suggests that only Windows machines are being targeted by attackers at this point, there is nothing to stop them from developing payloads for Linux and Mac OS X.

Given that there is still no patch from Oracle, Pure Hacking chief technology officer Ty Miller recommended uninstalling Java if it's not something that users specifically need, since reducing the number of potential attack vectors is best practice. However, he acknowledged that there are still some users who would need to have it installed.

"Java is used for far more than just web applications. It was designed to allow software to be created to run across multiple operating systems. For instance, Java is the underlying programming language for Android applications that run on smartphones and tablets. Java can be quite an important piece of software for Linux users, as it is a requirement for software such as OpenOffice, which is the open-source alternative to Microsoft Office," he said.

In these cases, he recommends that users keep a close eye on their antivirus updates, as vendors begin to roll out detection for the payloads, and that they stay vigilant about which emails they open and which websites they visit.

Additionally, users who must have Java installed but do not require it for browsing have the option of disabling the plug-in within their browser. This removes the drive-by vector used by BlackHole while leaving standalone Java applications working. ESET has a complete guide on how to do so in Chrome, Firefox, Safari, Opera and Internet Explorer for Windows users.

Users can check whether their installation of Java is vulnerable by visiting Rapid7's Is Java Exploitable? website.
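Rapid7's page tests the browser plug-in from the outside; for machines you administer, the same check can be run locally against the installed runtime. The following is an added example written for this page, not code from Rapid7, Seculert or the article's author. It assumes, as the comment thread further down states, that Java 7 Update 7 is the fixed release, and it treats the Java 6 line as unaffected; the `FIXED_MAJOR`/`FIXED_UPDATE` constants, the helper names and the sample `java -version` output are constructed for illustration.

```python
"""Local version check for the Java 7 zero day discussed above.

Assumption (taken from the comment thread): Java 7 Update 7 is the first
fixed release, and the Java 6 line is not affected. The sample version
strings are constructed, not captured from real machines.
"""
import re
import subprocess

FIXED_MAJOR, FIXED_UPDATE = 7, 7

# Legacy Sun/Oracle version syntax as printed in 2012, e.g. 1.7.0_06 or
# 1.6.0_33, optionally followed by a build tag such as -b24. The lookbehind
# stops "11.7.0" from matching as "1.7.0".
_VERSION_RE = re.compile(r'(?<!\d)1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, update) from a version string or `java -version` output.

    '1.7.0_06' -> (7, 6); a bare '1.7.0' -> (7, 0).
    Raises ValueError when no legacy-style version string is present
    (for example the newer '17.0.2' numbering).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version string found in: %r" % text)
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_vulnerable(text):
    """True for any Java 7 release older than Update 7 (the assumed fix)."""
    major, update = parse_java_version(text)
    return major == FIXED_MAJOR and update < FIXED_UPDATE


def classify(text):
    """Human-readable verdict for one version string."""
    major, update = parse_java_version(text)
    if is_vulnerable(text):
        return "VULNERABLE: Java %d Update %d, upgrade to 7u7 or later" % (major, update)
    return "not affected: Java %d Update %d" % (major, update)


def installed_java_version():
    """Run `java -version` (it prints to stderr) and return its output,
    or None when no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr + proc.stdout


# Constructed sample outputs in the shape `java -version` printed in 2012.
SAMPLES = [
    'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)',
    'java version "1.7.0"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
    live = installed_java_version()
    if live is None:
        print("no java binary on PATH")
    else:
        try:
            print("this machine:", classify(live))
        except ValueError:
            print("unrecognised version output; not the 2012-era numbering")
```

One caveat: this inspects whichever `java` is first on PATH, which is not necessarily the runtime the browser plug-in loads. Several JREs commonly coexist on one machine, so an in-browser test such as Rapid7's remains the authoritative answer for the drive-by vector.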

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Nobody should still be using Java, client or server

    And nobody in their right mind still is.
    Johnny Vegas
    • you must...

      you must be living in a dream world. In the real world, Java is still heavily used.
    • Troll alert

      Apparently you work at a job where you don't need a computer or you're an Apple fanboi who has been brainwashed by Steve Jobs.

      I have at least a dozen applications, both proprietary and big-business related, which require Java. These are applications developed by industry-leading companies, some of which support billions in infrastructure. Java is more prevalent now than it was even 12 months ago.
      John Al
      • Eh?

        Johnny Vegas? He loves all things Microsoft. His problem with java users is that all the Windows java programmers should have gone .net ages ago and all the non-Windows java programmers should have gone to Windows and .net years ago.

        As for you Mr. Al, Apple has outsourced java maintenance to Oracle and it is among a group of technologies that are not included with OS X (since Lion). A JRE will be downloaded and installed (it might even be a JDK, I develop in java on my Mac and don't remember a second download to get javac and other parts of the developer toolchain) should an application which requires java be launched.

        This newish status does suggest that java is not considered by Apple to be the strategic technology it used to be, and I'd put my money on there never being a jre in iOS, but I don't really remember Apple saying anything negative about it. You may be confused with Flash, though the world has tended to endorse and follow Apple's actions in deprecating it as a web standard, leaving it as a specialized technology where it makes sense.
    • Tell that to Arduino

      Their IDE uses it, and it's in schools and colleges everywhere...
  • Patch is out - Oracle releases Version 7 Update 7

    Visit, or test your workstation using the link, which will tell you to patch if you're using an older version.
  • Sun Java isn't everywhere...

    "Java can be quite an important piece of software for Linux users, as it is a requirement for software such as OpenOffice, which is the open-source alternative to Microsoft Office"

    Sun Java has been gone from the Ubuntu PPAs since April!