We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Latest Java zero-day exploit renews calls to disable it

A zero-day Java exploit found for sale in the criminal underground has renewed calls to disable the cross-platform runtime environment in Web browsers.

The latest exploit of a vulnerability not yet publicly known was reported on Tuesday by Brian Krebs, author of the KrebsonSecurity blog. An established member of the Underweb forum, an invitation-only site, was selling the exploit for Java JRE 7 Update 9, the latest version of the platform. The expected price was in the "five digits."

The flaw was in the Java class "MidiDevice.Info," a component that handles audio input and output, Krebs said. The seller claimed "code execution was very reliable" on Firefox, Microsoft Internet Explorer and Windows 7.

The latest exploit discovery comes three months after two other zero-day vulnerabilities and exploit code were found, one by a security researcher at Accuvant and the other by a developer at Immunity. The flaws were in Java 7 and affected Windows, Mack OS X and Linux operating systems running a browser with a Java plug-in.

The latest exploit was unusual because they are seldom sold in such an open manner, said Chester Wisniewski, a senior security adviser for Sophos. "Granted it is on a members only criminal forum, but it sounds like the post was rather straight forward."

Java is used in 3 billion devices worldwide, says its steward, Oracle. The platform's ubiquity makes it a favorite hacker target, along with the fact that the platform often goes unpatched in people's computers. Security company Rapid7 estimates that 65% of the installations today are unpatched.

"Many people don't even know Java is installed on their computers and browsers, and that's a huge problem," said Andrew Storms, director of security operations at nCircle.

Oracle contributes to the problem by not working more closely with the security industry in building better defenses in Java, Storms said. The company shares very little information with security experts between patches.

[See also:Oracle knew about currently exploited Java vulnerabilities for months, researcher says]

"We could all benefit by Oracle stepping up the game to engage the community at large," Storms said.

Experts recommend disabling Java in Web browsers, unless it is needed to access specific business applications. In the latter case, a separate browser should be dedicated for the sole purpose of accessing those applications.

"IT departments should really consider if users need to access Java for business critical applications, otherwise, they should get rid of it," said Rob Rachwald, director of security strategy at Imperva.

Another option is to configure a client firewall to block a browser's Java plug-in from accessing the Internet, unless the destination site is on a whitelist.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.


IDG UK Sites

Best Black Friday 2014 tech deals: Get bargains on smartphones, tablets, laptops and more

IDG UK Sites

What the Internet of Things will look like in 2015: homes will get smarter, people might get fitter

IDG UK Sites

See how Trunk's animated ad helped Ade Edmondson plug The Car Buying Service

IDG UK Sites

Yosemite tips: Complete Guide to OS X Yosemite