A zero-day Java vulnerability that affects all versions of the browser plug-in has been incorporated in popular exploit kits used by cyber criminals, security experts say.
The exploits for the vulnerability have been implemented within the Blackhole, Cool and Nuclear Pack kits. The flaw affects all versions of the Java plug-in, including the latest Java 7 Update 10.
HD Moore, chief security officer for Rapid7, said the exploits have already been found on compromised websites, which are capable of infecting visitors' PCs with malware. The exploits affect computers running Java in browsers on Windows, Mac OS X, or Linux.
"In terms of the impact, this is about as bad as it gets," Moore said.
A French researcher who uses the handle Kafeine discovered the vulnerability Thursday. "This could be mayhem," the researcher said of the flaw.
AlienVault was able to reproduce an exploit of the flaw in a fully patched new installation of Java. "The Java file is highly obfuscated, but based on the quick analysis we did, the exploit is probably bypassing certain security checks, tricking the permission of certain Java classes," researcher Jaime Blasco said in the AlienVault Labs blog.
A similar bypass mechanism was used in exploits of an earlier Java vulnerability, listed as CVE-2012-4681 in the National Vulnerability Database.
"Right now, the only way to protect your machine against this exploit is disabling the Java browser plugin," Blasco said. "Let's see how long it takes for Oracle to release a patch."
Security experts often criticize Oracle for moving too slowly in releasing Java patches and for not sharing enough information about vulnerabilities. Oracle did not respond to a request for comment.
The Java plug-in has become a favorite of criminals looking to hijack PCs for botnets and to steal personal data, credit card numbers and online banking credentials. A large number of computers are infected through drive-by downloads on compromised websites, which are typically seeded with web exploit toolkits.
Java plug-ins are particularly vulnerable because users often do not deploy security updates in a timely fashion. Rapid7 estimates that 65% of the installations today are unpatched.
Experts recommend disabling Java in browsers unless it is needed to access specific applications. In that case, a separate browser should be dedicated to that single purpose.
This story, "Java zero-day prompts renewed calls to disable" was originally published by CSO.