Sunday, September 2, 2012

Much Ado Over JAVA



Earlier this week, FireEye released an article mentioning a new breed of an attack that involves zero-day exploit directed at JAVA® 7 (JRE1.7), the exploit (that was later revealed to contain 2 different attacks simultaneously) was mentioned as being used as an attack vector for malware spreading.

It wasn't 24 hours until the exploit code was tracked down by several sources, which probably focused their malware tracking beams by FireEye's article, and was pasted on sites such as pastie.com and similar, for all to see and research. It took merely several hours for Rapid7 to pick it up from there and turn it into a fully automatic Metasploit exploit module. By releasing such a dangerous exploit into a publicly available exploit kit such as Metasploit, the story hit its climax and there was much debating on Rapid7's team part on giving such a devious device that probably fell to the hands of wrongdoers and security researchers alike.

Up until this very morning there was no public acknowledgement on Oracle's side (the latest owners of JAVA® codebase), but the fiasco apparently got a happy ending by this morning's patch from them.

Consider testing and implementing the latest patch from Oracle on your systems that involve JAVA 7 in any constellation.