Java 0-day exploit served from over 100 sites

The problem of the two unpatched Java zero-day vulnerabilities that are actively exploited in the wild by attackers looking to gain access to their targets’ computers is getting more serious by the hour.

After an exploit for them has been added to the Blackhole exploit kit, the number of sites functioning as entrance points for malware has risen exponentially. According to Patrik Runald, director of security research at Websense, the company has already spotted over 100 unique domains serving the Java exploit.

“The number is definitely growing…and because Blackhole has an updatable framework and already has a foothold on thousands of sites, we anticipate that the number of sites compromised with this new zero-day will escalate rapidly in the coming days,” he told Gregg Keizer.

Malware peddlers have also begun their efforts to drive traffic to those domains, as witnessed by a slew of emails purportedly coming from the Dutch branch of the accountancy firm BDO Stoy Hayward, trying to trick people into following the offered link with news that the VAT rate will increase starting on October 1, 2012.

“Although this particular attack uses Dutch language to try to trick users into following the link there is, of course, no reason why cybercriminals wouldn’t also try similar tactics in other more commonly-used languages too. So, no-one should be complacent about the threat posed by this Java vulnerability,” Sophos’ Graham Cluley points out.

Oracle still hasn't commented on the situation, nor has it said when a patch for the flaws can be expected.

According to researchers from Security Explorations, who found the two flaws and reported them to Oracle back in April, the monthly status report they received from Oracle less than a week ago shows that both flaws have been addressed.

“Oracle’s patching cycle should take into account that from time to time there is a need to release an out-of-band patch for ongoing 0-day attacks threatening the security of the users of the company’s Java software,” Gowdiak said to The Register.

Every day that passes without Oracle reacting by issuing a patch or at least by giving a good explanation on why it doesn’t is tarnishing the company’s reputation.

The next Java Critical Patch Update is scheduled for October 16.
