Java 0-day exploit added to Blackhole kit, still no news about patch

The recently discovered Java zero-day flaw that has been spotted being used in limited targeted attacks in the wild has created quite a stir.

A module that exploits the vulnerability is already available to users of the Metasploit pentesting tool and, according to F-Secure researchers, the developer of the Blackhole exploit kit has outfitted it with an exploit that takes advantage of the flaw, too.

By comparing this exploit code to that of the proof-of-concept exploit recently published by Joshua Drake, research scientist with Accuvant Labs, they discovered that it’s almost an exact copy.

Symantec researchers have already spotted two websites created to exploit the flaw, and additional ones can’t be far behind.

In the meantime, researchers from Security Explorations have confirmed for Softpedia that Oracle has already been working on a patch for the two flaws that allow the attack. According to Adam Gowdiak, the firm’s CEO, they had reported both to Oracle back in April 2012.

He says that the monthly status report they received from Oracle less than a week ago shows that both flaws have been addressed, but there is still no news from Oracle about when we can expect a patch to be released.

Users have been advised to either remove Java or to disable Java plugins from their machines for the time being. Detailed instructions for the latter step have been published in a security advisory by US-CERT.