'Mass Exploit Distribution' 0-day vulnerability of Java revealed

On 10 January, a 0-day vulnerability in Java was revealed. Oracle has not issued any response to this vulnerability so far, despite its widespread adoption by exploit kits and evidence that it is being used to serve up nasty malware.

Trend Micro said it believed the flaw had been integrated into hackers’ toolkits like Blackhole and the Cool Exploit Kit, serving up the Reveton ransomware from compromised websites.

Trend Micro says in its blog post: “Reveton is one of the most common ransomware threats in existence today; these lock user systems and show spoofed notifications from local police agencies.”

“These inform users that to unlock their system, they must pay a fine ranging from $200 to $300.”

0-day exploits

Kaspersky said the 0-day had seen “mass exploit distribution”. “We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java zero-day,” wrote Kurt Baumgartner, Kaspersky Lab expert.

“These sites include weather sites, news sites, and of course, adult sites.”

Security researchers have advised users to disable Java or, if they need it to run, disable Java content via the Java Control Panel, which stops it running in webpages.

Meanwhile, the exploit module targeting the vulnerability has been uploaded to Metasploit, meaning pentesters and cyber crooks alike will be able to see what they can do with the flaw.

Oracle did not respond to a request for comment.

Update:

Apple has warned its users to disable Java in their browsers out of concern for security.

Even the Department of Homeland Security has released a warning for Internet users to disable Java on their systems to stay safe until a security patch is released by Oracle.


Oracle said on its security blog on Sunday that its update fixed two vulnerabilities in the version of Java 7 for Web browsers.

It said that it also switched Java’s security settings to “high” by default, making it more difficult for suspicious programs to run on a personal computer without the knowledge of the user.