Researcher Kafeine recently uncovered a new zero-day vulnerability in Java that's already being exploited in the wild.
"This could be mayhem," Kafeine wrote.
"The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year’s Gift,' to customers who use his exploit kit," writes Krebs on Security's Brian Krebs. "Paunch bragged that his was the first to include the powerful offensive weapon, but shortly afterwards the same announcement was made by the maker and seller of Nuclear Pack."
"HD Moore, creator of Metasploit and CSO at Rapid7, told Threatpost the exploits are targeting a privilege escalation vulnerability in the MBeanInstantiator, as it exposes two classes which in turn expose the class loader," writes Threatpost's Michael Mimoso. "He expects a Metasploit module for this exploit to be ready today."
"The offending bug is present in fully patched and up-to-date installations of the Java platform, now overseen by database giant Oracle, according to Jaime Blasco, head of labs at security tools firm AlienVault," writes The Register's John Leyden. "'The exploit is the same as the zero-day vulnerabilities we have been seeing in the past year in IE, Java and Flash,' Blasco warned. 'The hacker can virtually own your computer if you visit a malicious link thanks to this new vulnerability.'"
"Remember, Java 7 update 10 introduced some very useful security controls for those that do require Java to be installed," writes Sophos' Fraser Howard. "A single check-box can be used to disable the web plugin entirely, protecting you not just against this latest zero-day, but also against the ones we are likely to see during 2013."