Java zero day skyrockets BlackHole exploit success rates

BlackHole, already the hacker's tool of choice, has seen its success rate soar from one in 10 visitors to one in four, thanks to the inclusion of a recent Java zero day.
Written by Michael Lee, Contributor

On the back of news that not one, but two, zero-day vulnerabilities have been found in the current version of Oracle's Java Runtime Environment, many predicted that it was just a matter of time before the vulnerabilities were weaponised.

Only hours after FireEye Malware Intelligence Lab researcher Atif Mushtaq disclosed his discovery of the vulnerabilities, proof-of-concept code appeared online and a module for Rapid7's popular exploit framework Metasploit was developed.

But the situation has become even worse, with the exploit now working its way into BlackHole, the hacker's Swiss Army knife for infecting unsuspecting users who visit sites compromised to serve it.

Yesterday, as Mushtaq began to see evidence of a large-scale attack against the vulnerability mounting from several sites, he predicted that if it were worked into BlackHole, casualties would shoot into the thousands.

Indeed, Seculert has now confirmed that the latest version of BlackHole is making use of the vulnerability with huge success.

According to Seculert, a good exploit kit can typically infect one in 10 visitors to a compromised site, but the latest version of BlackHole now has a one-in-four chance. Granted, not all of these infections will be due to the Java exploit, but, according to Seculert, where the Java exploit is used, it is now between 75 and 99 per cent successful.

"We were able to count tens of thousands of new infected machines due to the Java zero day since the exploit was added to the BlackHole exploit kit," the company wrote.

Yet, anecdotal evidence suggests that users aren't taking precautionary measures. An informal poll conducted by F-Secure indicates that the majority of users still have Java installed, despite the vulnerability affecting all platforms. While the payload being dropped suggests that only Windows machines are being targeted by attackers at this point, there is nothing to stop them from developing payloads for Linux and Mac OS X.

Given that there is still no patch from Oracle, Pure Hacking chief technology officer Ty Miller recommended uninstalling Java if it is not something that users specifically need, since reducing the attack surface is best practice. However, he acknowledged that there are still some users who would need to have it installed.

"Java is used for far more than just web applications. It was designed to allow software to be created to run across multiple operating systems. For instance, Java is the underlying programming language for Android applications that run on smartphones and tablets. Java can be quite an important piece of software for Linux users, as it is a requirement for software such as OpenOffice, which is the open-source alternative to Microsoft Office," he said.

In these cases, he recommends that users keep a close eye on their antivirus updates, as vendors begin to roll out detection for the payloads, and stay vigilant about what emails they open and what websites they visit. Antivirus signatures only catch known payloads after the fact, however; they do not stop the Java exploit itself from running, so this is a partial mitigation at best.

Additionally, users who must have Java installed but do not require it for browsing have the option of disabling the plug-in within their browser, which blocks the drive-by route that BlackHole relies on while leaving desktop Java applications working. ESET has a complete guide on how to do so in Chrome, Firefox, Safari, Opera and Internet Explorer for Windows users.

Users can check whether their installation of Java is vulnerable by visiting Rapid7's Is Java Exploitable? website.
