More than a Billion Users Exposed to Java Zero-Day Exploit
More than a billion users worldwide are exposed to the Java Zero-Day flaws recently disclosed on underground forums, which can be exploited to execute arbitrary code on users’ machines.
Oracle’s platform is currently installed on 3 billion devices, but not all of them run the 7.1 version that is vulnerable to the exploit. The company patches Java every four months, and the next security update is scheduled for October 16.
Bitdefender Labs has already pleaded for the “three billion reasons for which Java should get an official update, yesterday,” in the form of a small graphic novel that opens with the story of an unsuspecting browser luring users with downloadable freebies.
“Now, if this reads to you as an advertisement for Metasploit, you may be in the wrong business,” BD Labs security experts said. “If on the other hand it’s making you question the Java update policy and wondering if it may be time for an unofficial patching framework to match, you might want to drop us a line.”
HotForSecurity wrote about the Metasploit and BlackHole exploits for the Java bug after spotting the news on the Rapid7 community. The exploitation method is spreading widely on the Internet and has already been integrated into two of the world’s most popular frameworks: Metasploit, a white-hat tool, and the Blackhole Exploit Pack, a malware toolkit renowned in the cyber-crook world.
Zero-day exploits are attacks that take advantage of previously unknown vulnerabilities in computer applications. The name refers to the fact that developers have had zero days to patch the vulnerability before it is exploited. Security specialists advise users to disable Java in their web browser or to downgrade to an earlier version, such as Java 1.6, that is not affected by the flaw.