New Java zero-day exploit hits the internet, is “massively exploited in the wild” — disable Java now!


So you thought Java season was over, eh? Wrong! It is still open season on Java and a brand new, previously unknown bug has been discovered in Java that allows scumbags to install malware on the computers of netizens.

It isn’t entirely clear how this exploit is conducted but it has been tested and confirmed to work on all versions of Java 7 (including the latest Java 7u10); it may or may not work on earlier versions of Java. It is also confirmed that this exploit has already been introduced in the wild; the exploit has been added to crimeware packs ‘Blackhole’, ‘Redkit’, ‘Nuclear Pack’, and ‘Metasploit’ and multiple websites are already using it, leading a security expert to proclaim it is “massively exploited in the wild”. And according to Kaspersky, even “ads from legitimate sites, especially in the UK, Brazil, and Russia, [are] redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites.”

Update: It has been confirmed this vulnerability is present in all current versions of Java, from Java 4 to Java 7.

If you have Java installed and you visit a website that is employing this exploit, you will be prompted to run a Java applet; if you run the applet, you will be infected. Once infected, your computer is open for scumbags to remotely install malware, such as keyloggers. Once malware is installed, you are at their mercy.

It isn’t entirely clear if this exploit is Windows-only or affects Mac OS X and Linux, too. Seeing as Java is cross-platform, my guess is this probably affects Windows, Mac OS X, and Linux.

Since this is a new zero-day exploit that has not been patched by Oracle yet, the only way to stay safe is to uninstall or disable Java. If you are not sure how to uninstall or disable Java, read the following guides by dotTech:
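A quick inventory check, added here and not part of the original post: it parses the `java -version` banner (constructed samples inline, plus the local binary if one is on PATH) and flags any runtime in the Java 4 through Java 7 range the update above names as affected. The regex, function names and sample strings are my own assumptions about the classic `1.<family>.0_<update>` version format.

```python
import re
import subprocess

# Java families the post's update names as affected: Java 4 through Java 7.
AFFECTED_FAMILIES = range(4, 8)

# Matches the classic banner form, e.g.  java version "1.7.0_10"
# (assumed format; the update suffix "_NN" is optional in older builds).
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (family, update) from `java -version` output, or None if absent.
    A banner without an update suffix (e.g. "1.4.2") is reported as update 0."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(output):
    """True when the banner names a runtime in the Java 4 .. Java 7 range."""
    parsed = parse_java_version(output)
    return parsed is not None and parsed[0] in AFFECTED_FAMILIES


def installed_java_output():
    """Run the local `java -version` (it prints its banner to stderr) and return
    the text; empty string when no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners, not captured from real machines.
SAMPLES = {
    "7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "6u37": 'java version "1.6.0_37"\n',
    "none": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        verdict = "affected" if is_affected(text) else "not affected / not installed"
        print(label, parse_java_version(text), verdict)
    live = installed_java_output()
    print("local:", parse_java_version(live),
          "affected" if is_affected(live) else "not affected / not installed")
```

Note that this only tells you a vulnerable runtime is present; the post's mitigation is still to disable the browser plugin or uninstall Java, since no patched version existed at the time.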

Stay safe everyone!

[via Ars Technica, Sophos, Kaspersky]


Comments

21 comments

  1. JT

    @DoktorThomas:
    I disagree with you on the statement that even God can’t save us, but that’s not a discussion for a tech site. :)
    Almost all of the tech companies are not what they once were. With so many more malicious coders out there, the entire playing field has been changed, and nothing will ever be as it was in my mind.

  2. AFPhys

    @Cathy Seymour:
    I don’t see many downsides to keeping Java disabled. Occasionally a slideshow won’t work, or a graph doesn’t display on a web page I visit, or some columns don’t line up perfectly.

    I use Firefox and have a plugin called “QuickJava” which allows very easy enable/disable of Java, Silverlight, Flash, etc. with buttons on the bottom line of the browser. I highly recommend it. On rare occasions something I really want to see appears on a site that I trust, I will enable one or more of them.

    I typically have Silverlight, Flash, and Java disabled. If I want to see video, I will enable Flash while I am looking at that website (I am spared many advertisements on other sites). I have never enabled Silverlight. If I want to see a slideshow, I first disable the CSS (stylesheet) and often find that the whole slideshow is already embedded in the code that was downloaded and I don’t need to allow Java to run to view those pictures. Enabling Java is always my last resort.

    You’ll probably be surprised how little is affected by disabling Java.

    (Years ago 10+? I went on a writing campaign discouraging website programmers from using Java… fat lot of good that did!)

  3. AFPhys

    @JT: … and others

    – Since my discussion has not been countered, I have to believe my understanding (from long years in this field) is accurate, and I’ll continue from there.

    Having Java on your computer is not the problem. There are many whole programs that are written in Java and have no contact with the internet. If those programs were written before the recent exploits were “discovered”, you can certainly continue to run them as is. I would be somewhat leery of updating them, however.

    For example, I have a Java program that goes out to some NWS weather sites, and can get temperature, wind, and other data, and graph it as I change the graphing parameters. I do not download that program each time I use it. I will continue to run it when I wish, and that it goes to get data through the internet from NWS is no problem. I have NO fear of problems with this.

    I have a small Java program (applet) that monitors computer performance. That is no problem.

    So, I will NOT uninstall Java completely, but will continue to use the version I have had here for an age.

    I WILL (have) disable Java in my browser, and will not allow Intrade.com (for example) to download the Java program/window/popup which graphs price betting action for a sports event, since I don’t know those programmers at all, and whether they will unwittingly (indirectly) use a Java programming package that is infected with the exploit to make their life simpler and provide better coverage for their product. I may miss all this for a while, but I’ll live with it until the security software catches up with how to screen for the nasty stuff.

  4. Cathy Seymour

    It’s all very well saying “disable Java now” but what’s the flipside? How will I know if something is not working due to disabling Java? How can I identify which apps that are important to me depend on Java? Who is going to support me with their time and effort when I have a problem?

    There are consequences to this action and if you advise on taking it then I request that you also advise on the possible consequences. I wonder if everyone who has taken your advice actually knows what the implications are?

  5. JT

    @AFPhys:

    That sums up what I was wanting to know, and how it would be possible. Basically as long as any of my Java “apps” aren’t set to “phone home” then there should be no way for this malicious code to use an exploit to break out of the fence, right?

  6. AFPhys

    @JT:
    See my comment above. I hope it at least motivates an understanding of “how”.

    @Ashraf:
    I spent some fair amount of time on Oracle’s site trying to see what their take is on this. I am disturbed that they don’t have some type of news release in plain sight. Perhaps I’m looking in the wrong place, but I checked their forum, too.

    I would appreciate a ping by anyone who sees official news from Oracle – what is going on, how to prevent problems, revert to version, etc…

  7. AFPhys

    @kelltic:
    If your applications do not “phone home” to update code, it is very hard for me to see how these “exploits” could affect their safety. I believe you can use your programs without fear if they don’t.

    The “strength” of Java is that a universal-machine program can be downloaded to anywhere and run on that computer. Java is intended to run within its own small and very constricted fence, and to have no access to your computer at large. The malware codepacks that are now “in the wild” are essentially instructions as to how to get around the fence, and those instructions have to be added to the code.

    Apparently, these malware codepacks contain re-written subroutines of some type that surreptitiously breach the fence and allow nasty types to gain control of the affected computer, possibly without the primary programmer even knowing what has occurred. This can happen because many programmers use program packs that are themselves updated and downloaded “on the fly” from central depositories. They do that to accommodate all sorts of checks like, “if browser version is xyz, do this”. If the depository gets screwed up all bets are off. I would bet those depositories in turn use other depositories. Take a look at the source and *.js files on some of the complex web pages sometime for an inkling of the hoops that get jumped through.

    So, to accommodate the different browsers and technologies, programmers get more and more removed from actually writing the code they use and rely on others.

    Ideally, there would be no possible way that Java would have ways around their fencing. We know that is not true.

    Still, in order for those exploits to be utilized, your “good” code has to be changed to allow the bad guys in.

    Bottom Line – I am pretty confident you can use your Java-Coded applications that don’t “phone home” for code updates without fear.

    —-

    To Ashraf and anyone else:
    PS- my explanation above is off the top of my head, and did not rely on any research by this 40-yr programmer who does NOT program in Java. Please, anyone who is interested and able to correct my concepts or terminology, feel free to smack me upside the head about anything I’m incorrect about, or that I discuss improperly. I almost think this would be a good concept for a column in DotTech.

    AFPhys

  8. JT

    Maybe I don’t entirely understand how Java works, but how can simply visiting a legitimate exploit with malicious ads get your PC infected? Wouldn’t you have to actually click on one of those malicious ads or links to bring anything to your computer, or is it in the cookies that it downloads from that particular site?

  9. Strahd

    There needs to be a viable alternative to Java. I am so tired of these damn security risks/exploits in Java.

    EDIT: Thanks for the heads up Ashraf. It’s reasons like this article that I have Dottech.org set as my homepage.