Another quarter, another Java zero-day. Oracle (NASDAQ:ORCL) is staying silent over confirmed sightings of a 'widely exploited,' unpatched security hole in Java.
In IT Blogwatch, bloggers fall over themselves to tell us to just uninstall it already.
Your humble blogwatcher curated these bloggy bits for your entertainment.
Our constant companion, Lucian Constantin, reports:
Attackers are using such exploits to silently install malware [in] drive-by download attacks. ...the exploit is specific to Java 7...the attacks probably started on Jan. 2 or 3.
The exploit vector used in the new attack is...known to Oracle [since] September. MORE
Jarred awake, John Leyden adds:
The best way to defend against the attacks is to disable any Java browser plugins. ... No fix is available and early indications suggest that exploitation is widespread.
In all but a limited number of cases Java support in web browsers is not mandatory for home users. ... Businesses, on the other hand, that rely on Java for particular applications are not so fortunate. MORE
Charlie "kafeine" Hurel first brought the bad news:
This could be a mayhem. ... Based on my tests (fast not 100% sure) it's 1.7 specific. MORE
Helpfully, Michael Lee translates Hurel's doggerel:
According to the researcher, the exploit is already being used in the Cool EK, Nuclear Pack, Redkit, Blackhole, and Sakura exploit toolkits. MORE
In the whatnow? Brian Krebs has all the "best" contacts:
The hackers who maintain Blackhole and Nuclear Pack – competing crimeware products...say they’ve added a brand new exploit that attacks [a] security hole in Java. ... According to both crimeware authors, the vulnerability exists in all versions of Java 7.
it would be a very good idea to unplug Java from your browser, or uninstall [it] entirely. ... Java 7 Update 10 ships with a feature that makes it far simpler to unplug Java from the browser. ...the folks at DHS’s U.S.-CERT are now recommending this method as well. MORE
But Kelly Jackson Higgins has seen it all before:
Another Java zero-day exploit...and, once again, cries of “disable Java now.” ... And this is likely only the first of many Java zero-day attacks to come this year. MORE