The Java zero-day that has recently been spotted being exploited in the wild has turned into big, big news as a number of popular exploit kits have been fitted with the exploit for it and there’s still no news from Oracle on when we could expect a fix.
As shared by AlienVault’s Head of Labs Jaime Blasco and confirmed by other security researchers, the exploit for the zero-day bypassing certain security checks tricking the permissions of certain Java classes as was the occurrence with the CVE-2012-4681 Java flaw discovered in August 2012.
“Similar to previous bugs, it enables you to run Java code outside the sandbox, so the thing about that is that it’s not dependent on OS or platform. It will run the same exact code on Mac OS X, Windows or Linux,” Metasploit creator HD Moore explained for ThreatPost. “The exploits going around are targeting Windows, but more than likely, we’ll see attacks for Mac like we did with the Flashback stuff last year.”
It is known that the exploit is very effective and affects the latest Java version (1.7 Update 10), but there’s no news about whether it works on version 1.6 – still rather popular with users. Trend Micro researchers say the exploit is being used to spread ransomware.
Everyone – including US-CERT – is advising users to disable Java until Oracle releases a patch.
“We’ve been telling folks to disable Java 10 times a year for the past couple of years now,” commented Moore. “It’s really to the point where you should be telling people to keep it disabled all the time.”
A Metasploit module for the exploit in question is in the works.
Update: Monday, 14 January 2013 – Oracle patches critical 0-day with new Java update.