

Attackers Targeting New Java Zero-Day Flaw

By Robert Westervelt
January 10, 2013    12:10 PM ET

Security firms are warning about a new Java zero-day vulnerability that gives attackers the ability to target the Java browser plug-in.

The flaw targets fully patched installations of Java and, for now, users can only be protected by disabling the Java browser plug-in, according to Jaime Blasco, labs manager at San Mateo, Calif.-based AlienVault Labs.

"The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks, tricking the permissions of certain Java classes," Blasco wrote in the company's security blog.


The attacks appear to be coming from Black Hole, Cool and Nuclear attack toolkits, according to the researcher who disclosed the latest Java zero-day vulnerability. The researcher said he detected hundreds of thousands of hits daily.

Java has become a big target in recent years, fueled by attacks from financially motivated cybercriminals who use automated attack toolkits. Blasco said a publicly available exploit targeting the latest zero-day vulnerability likely will be widely available in days.

Oracle, which maintains Java, has struggled to keep up with the onslaught of attacks. In August it issued an emergency update to address several vulnerabilities, but it was criticized for taking too long to address the issues.

Experts say the complexity of the Java Runtime Environment makes it a prime target for attackers. Some experts advise users to remove Java from their systems, citing the fact that most won't need it.

Java can be disabled by consumers, but enterprise IT teams have a difficult time addressing Java threats because many corporate systems and applications use Java. Intrusion prevention systems and gateway devices that filter out exploit code and suspicious URLs are the best defense for zero-day attacks, said Gunter Ollmann, CTO of IOActive, Inc.

"Java itself has got a lot of vulnerabilities and bugs because it's a very flexible language," Ollmann said. "It tries to do an awful lot in the context of the end user, which opens up a lot of opportunities for end-user bashing."
