Security experts from around the globe are warning Internet users to disable Java while browsing the web, after attacks using a previously unknown (“zero day”) vulnerability in Java began to surface, as part of multi-purpose “exploit kits” that are used to launch attacks from hostile or compromised web sites.
The exploit works on all versions of Java 7, including Update 10, the latest release from Oracle (which now manages the Java technology after acquiring it with the assets of Sun Microsystems), according to an analysis by the firm AlienVault. The firm said the exact nature of the vulnerability was not yet known because the exploit was heavily obfuscated to slow down security researchers.
According to this report from Krebsonsecurity, the first word of the new exploit came by way of underground forums, where the administrators of popular exploit kits such as Blackhole and the Nuclear exploit kit added the Java exploit as a "New Year's" present. Analysis by the researcher using the handle @Kafeine, however, found evidence of the same exploit in a wide range of exploit kits, including Cool, RedKit and Sakura. The exploit, which works on all major web browsers, was being distributed from sites getting "hundreds of thousands of hits" daily, he wrote.
As of late Wednesday, researchers at Kaspersky Lab said they had evidence of attacks being served from "multiple ad networks" that redirected victims to web sites running the Blackhole exploit kit. Those include ads appearing on "legitimate sites, especially in the UK, Brazil, and Russia," according to a note by Kaspersky's Kurt Baumgartner. The sites include weather sites, news sites and pornography sites. The malicious files being delivered to victim systems have names like Stretch.jar, Edit.jar and UTTER-OFFEND.JAR, Baumgartner wrote.
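As an added illustration, not code from the article or from Kaspersky, the following Python scans constructed proxy log lines for .jar downloads that sit at the end of a site-to-ad-network-to-landing-page redirect chain, or that carry one of the file names quoted above; the log format, hostnames and client addresses are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Jar names quoted in the article; compared case-insensitively.
REPORTED_JAR_NAMES = {"stretch.jar", "edit.jar", "utter-offend.jar"}

# Constructed proxy log (not real traffic): time client method url referer user-agent.
SAMPLE_LOG = """\
2013-01-10T14:02:11Z 10.0.0.12 GET http://weather.example.test/today - Mozilla/5.0
2013-01-10T14:02:12Z 10.0.0.12 GET http://ads.adnet.example.test/serve?id=77 http://weather.example.test/today Mozilla/5.0
2013-01-10T14:02:13Z 10.0.0.12 GET http://landing.kit.example.test/in.php http://ads.adnet.example.test/serve?id=77 Mozilla/5.0
2013-01-10T14:02:14Z 10.0.0.12 GET http://landing.kit.example.test/UTTER-OFFEND.JAR http://landing.kit.example.test/in.php Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10
2013-01-10T14:05:40Z 10.0.0.33 GET http://intranet.example.test/app/Tools.jar http://intranet.example.test/app/ Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10
"""

def parse_line(line):
    # The user-agent is the remainder of the line, so it may contain spaces.
    ts, client, method, url, referer, ua = line.split(maxsplit=5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer, "ua": ua}

def referer_chain(entry, by_client_url):
    """Walk Referer headers back through the same client's earlier requests; returns hosts, origin site first."""
    hosts = [urlsplit(entry["url"]).hostname]
    seen = {entry["url"]}
    ref = entry["referer"]
    while ref and ref not in seen:  # 'seen' guards against referer loops
        seen.add(ref)
        hosts.append(urlsplit(ref).hostname)
        prev = by_client_url.get((entry["client"], ref))
        ref = prev["referer"] if prev else None
    hosts.reverse()
    return hosts

def find_suspicious_jar_downloads(log_text):
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_client_url = {(e["client"], e["url"]): e for e in entries}
    findings = []
    for e in entries:
        path = urlsplit(e["url"]).path
        if not path.lower().endswith(".jar"):  # catches UTTER-OFFEND.JAR too
            continue
        name = path.rsplit("/", 1)[-1]
        chain = referer_chain(e, by_client_url)
        reasons = []
        if name.lower() in REPORTED_JAR_NAMES:
            reasons.append("reported jar name")
        if len(set(chain)) >= 3:  # site -> ad network -> kit landing page
            reasons.append("multi-host redirect chain: " + " -> ".join(chain))
        if reasons:
            findings.append({"client": e["client"], "jar": name, "ua": e["ua"], "reasons": reasons})
    return findings
```

The intranet Tools.jar line is left alone because it is fetched directly from the same host, which is the kind of false positive a plain ".jar plus Java user-agent" rule would raise.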
It is unclear when exploit code for the previously unknown vulnerability first appeared in the wild. Kaspersky claims to have detected it as early as January 6, though most reports suggest that it appeared more recently than that, possibly on the 9th. With no patch available from Oracle, and none expected in the short term, security experts advised those who could to disable the use of Java in their web browsers.
Indeed, Java has been the source of a string of dangerous and exploitable security holes in recent years. In fact, Version 7 of Java fixed a similar, critical hole in Version 6 in August that was being used in drive-by attacks with links back to China.
In response to those attacks, web users were urged to disable Java altogether rather than risk infection. Writing on Wednesday, SANS Internet Storm Center handler Johannes Ullrich said that users should simply keep Java disabled if at all possible.
“If you have any business critical applications that require Java: try to find a replacement. I don’t think this will be the last flaw,” Ullrich wrote in a blog post on Wednesday.
The ubiquitous platform gets attention from attackers because it is so widely used on the web, prompting users to make a Faustian bargain: enabling desirable interactive features on web pages at the price of security.