- 26 Maj 2010
A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.
Attack code that exploits vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.
According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.
Update: Analysis from antivirus provider Kaspersky Lab indicates the exploits are already deployed on a variety of websites.
"There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem," Kaspersky Lab expert Kurt Baumgartner wrote. "We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites."
People who don't use Java much should once again consider unplugging Java from their browser, while those who don't use it at all may want to uninstall it altogether. The release notes for Java 7 Update 10—the most recent version—say users can disable the program from the browser by accessing the Java Control Panel. KrebsOnSecurity has instructions here for other ways to do this.