Java Zero-Day Bug Super-Stars in Metasploit and BlackHole Exploit Kits
A new zero-day exploit for Java has been discovered and added to the world’s most popular exploitation frameworks, according to news on the Rapid7 community. The bug is labeled as critical and affects the latest version of the Java Runtime Environment. Exploitation can lead to arbitrary execution of code on the victim’s machine straight from the web.
Zero-day exploits are extremely difficult to guard against: in the absence of a vendor-specific patch, computer users running Java are vulnerable to this kind of attack at any given time. To add insult to injury, the method of exploitation has become public knowledge and has already been integrated in two of the world’s most popular exploit frameworks: the white-hat Metasploit security assessment tool and the Blackhole Exploit Pack, a do-it-yourself malware creation toolkit that is notorious among cyber-criminals.
With plenty of documentation and proof of concept attack code readily available, computer users who rely on Java for their day to day tasks are in great danger, with no permanent possibility to mitigate the attack. Since Java creator Oracle has a patch cycle of 4 months, it won’t be until October 16 that end-users will get a company-supported resolution to the issue.
In the meantime, users are advised to limit their exposure to Java by simply disabling the browser plugins or add-ons in the primary browser and moving to a secondary, different browser, for all things that require the Java Runtime Environment.