Attackers Targeting New Java Zero-Day Flaw

Security firms are warning about a new Java zero-day vulnerability that gives attackers the ability to target the Java browser plug-in.

The flaw targets fully patched installations of Java and, for now, users can only be protected by disabling the Java browser plug-in, according to Jaime Blasco, labs manager at San Mateo, Calif.-based AlienVault Labs.

"The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks, tricking the permissions of certain Java classes," Blasco wrote in the company's security blog.

The attacks appear to be coming from the Blackhole, Cool and Nuclear attack toolkits, according to the researcher who disclosed the latest Java zero-day vulnerability. The researcher said he detected hundreds of thousands of hits daily.

Java has become a big target in recent years, fueled by attacks from financially motivated cybercriminals who use automated attack toolkits. Blasco said a publicly available exploit targeting the latest zero-day vulnerability likely will be widely available in days.

Oracle, which maintains Java, has struggled to keep up with the onslaught of attacks. In August it issued an emergency update to address several vulnerabilities, but it was criticized for taking too long to address the issues.

Experts say the complexity of the Java Runtime Environment makes it a prime target for attackers. Some experts advise users to remove Java from their systems, citing the fact that most won't need it.

Java can be disabled by consumers, but enterprise IT teams have a difficult time addressing Java threats because many corporate systems and applications use Java. Intrusion prevention systems and gateway devices that filter out exploit code and suspicious URLs are the best defense for zero-day attacks, said Gunter Ollmann, CTO of IOActive, Inc.

"Java itself has got a lot of vulnerabilities and bugs because it's a very flexible language," Ollmann said. "It tries to do an awful lot in the context of the end user, which opens up a lot of opportunities for end-user bashing."

PUBLISHED JAN. 10, 2013