Earlier this week, FireEye
released an article describing a new breed of attack that involves a
zero-day exploit directed at JAVA® 7 (JRE 1.7). The exploit (which was later
revealed to contain 2 different attacks simultaneously) was reported as being
used as an attack vector for spreading malware.
Less than 24 hours passed before the exploit code
was tracked down by several sources, which probably focused their malware
tracking beams using FireEye's article, and was pasted on sites such as pastie.com
and similar, for all to see and research. It took merely several hours for
Rapid7 to pick it up from there and turn it into a fully automatic Metasploit
exploit module. With such a dangerous exploit released into a publicly available
exploit kit such as Metasploit, the story hit its climax, and there was much
debate on the part of Rapid7's team about giving out such a devious device, which
probably fell into the hands of wrongdoers and security researchers alike.
Up until this very morning there was no
public acknowledgement from Oracle (the latest owner of the JAVA® codebase),
but the fiasco apparently got a happy ending with this morning's patch
from them.
Consider testing and applying the latest
patch from Oracle on any of your systems that involve JAVA 7 in any
configuration.