Another zero-day vulnerability in Java has been discovered and is actively being exploited in the wild, according to a number of security researchers. Java has experienced a number of exploits in the past few months, followed by a few months of silence. However, recent updates to a number of exploit kits have revealed that new holes exist in Java 7 Update 10. The exploit is serious enough to warrant an announcement from the US Department of Homeland Security.
A researcher going by the name @kafeine spotted the exploit in action on a site that they claim receives “hundreds of thousands of hits daily”. Looking at the HTTP GET requests and their related headers, kafeine shows how a number of sites using the exploit are able to download files directly to the victim’s machine, and execute actions such as installing ransomware. According to the researcher, the exploit is already being used in the Cool EK, Nuclear Pack, Redkit, Blackhole, and Sakura exploit toolkits, making it easy for criminals to deploy and make money.
Kafeine notified AlienVault labs, which has also independently verified that the exploit exists.
“The Java file is highly obfuscated, but based on the quick analysis we did, the exploit is probably bypassing certain security checks, tricking the permissions of certain Java classes,” the company wrote on its blog.
As for kafeine’s claims that it is already being used in exploit toolkits, at least one other source is backing him on his findings. Security commentator and blogger Brian Krebs, who has a history of maintaining memberships and reporting on the activities of a number of underground forums, said that the Blackhole curator, who goes by the name Paunch, provided the feature in the newest version of the kit as a New Year’s gift. Krebs also confirmed a similar announcement made by the creator of the Nuclear Pack toolkit.
Users who have still not disabled Java are advised to uninstall it or disable the plug-in in their browser if they believe they are at risk.