Hot Off the Web: New Java 0-Day Vulnerability
August 28, 2012 by admin
Filed under Security News
150 views 
3 Comments
The latest buzz on security and vulnerability these past few days revolves around Java, a software development platform originally created by Sun Microsystems and now owned by Oracle. Websites often run Java programs in them, normally as applets (.jar), in order to “provide interactive features to web applications that cannot be provided by HTML alone”. Initial reports reveal that the exploit used to take advantage of the vulnerability found in Java 7—version 1.7, updates 0 to 6—is an applet called applet.jar (Note that names of malicious files can change in the future).
Our friends at FireEye first uncovered the new 0-day Java Runtime Environment (JRE) vulnerability being exploited in the wild. It is leveraged by online criminals to perform targeted attacks, regardless of the Internet browser used or how updated it is. “The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails.” said Andre’ M. DiMino and Mila Parkour of DeepEnd Research in their blog entry. An official patch from Oracle is yet to be released; however, our friends at DeepEnd are distributing a temporary fix, courtesy of Michael Schier, to system administrators only and by request. The said patch allows the execution of the exploit but stops the payload.
Once the vulnerability is successfully exploited, a binary is dropped on the compromised system. Based on initial reports, the binary is hi.exe (MD5: 4a55bf1448262bf71707eef7fc168f7d), whichGFI VIPRE Antivirus already detects as Trojan.Win32.Generic!BT.
Although earlier releases of Java do not have the said JRE vulnerability, security researchers advised against downgrading to versions 1.6 and below as flaws inherent to those versions can still affect users. Instead, users are advised to disable Java on their browser for the time being until an official patch is made available. It is expected in October based on their triannual Java patch release schedule.
Stay safe!
Jovi Umawing @ gfi.com (SOURCE)
Related posts:
- Microsoft IIS web server under attack from hackers
- Microsoft Warns of IE Exploit Code in The Wild
- Danger! Internet Explorer zero-day vulnerability – no patch yet
- Protecting against the Internet Explorer zero day vulnerability
- [SE-2012-01] New security issue affecting Java SE 7 Update 7
I want to know the reasons why you titled this particular post,
“Hot Off the Web: New Java 0-Day Vulnerability | Virus Experts – We Make Your Digital Life Secured”.
Anyway I personally admired it!Regards,Hubert
You actually make it seem so easy along with your presentation however I find
this matter to be actually something that I believe I would never understand.
It sort of feels too complex and extremely vast for me.
I am having a look forward to your next put
up, I will try to get the grasp of it!
Greetings I am so delighted I found your web site, I really
found you by accident, while I was researching on Google for something else,
Anyways I am here now and would just like to say cheers for a incredible post and a all round interesting blog (I also love the theme/design), I don’t have time to
look over it all at the minute but I have saved it and also
added your RSS feeds, so when I have time I will be back to read more, Please
do keep up the superb b.