Java Exploit (zero-day) is actively being exploited by hackers


A zero-day exploit in Java currently exists…

Networkworld.com has reported that a Java Zero-Day vulnerability is actively being exploited by attackers.

A previously unknown and as yet unpatched vulnerability in Java allows an attacker to run code silently on a PC that has an affected Java version installed. The versions currently verified as affected are Java 7 Update 9 and Update 10.

Bogdan Botezatu of Bitdefender confirmed via email to networkworld.com journalist Lucian Constantin: “We can confirm that this is a new vulnerability. We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well, we’re currently analyzing whether other older updates are vulnerable.”

Bitdefender’s tests indicate that the exploit is limited to Java 7; older major versions are unaffected.

This exploit is known to Oracle (the company that produces Java): it was originally reported in September 2012, and proof-of-concept code was released as far back as August 2012.

Oracle has not yet confirmed the vulnerability, although little confirmation is needed: the exploit has been demonstrated by anti-malware companies all over the globe. No patch schedule has been announced either.

Previously, Oracle released a patch outside its regular schedule for a similar zero-day exploit in August 2012. That patch actually introduced vulnerabilities into previously unaffected Java releases, so, according to Botezatu (Bitdefender), another “out of band” patch is not expected this time.

Immediate steps to be taken:

1. Update your antivirus.
2. Disable the Java plugin in your browser.


For Firefox 18.0: open the “Tools” menu, choose “Add-ons”, and click “Disable” next to each instance of Java, whether it is the Deployment Toolkit or the Plugin. Once clicked, the entry grays out and the button changes to read “Enable”; do not click it again. Close all browser windows and restart Firefox, or alternatively restart your computer.


To disable Java in Internet Explorer 9: open the “Tools” menu, select “Manage Add-ons”, scroll down to Java, left-click once to highlight it, then right-click so the drop-down menu appears and select “Disable”. Once again, you need to restart Internet Explorer (by closing all its windows, or by restarting your computer).


Edit: Java 7 Update 10 includes a built-in setting that makes it even easier to disable Java in browsers. The official, recommended way to “disable Java within browsers” can be found here.

If you do not currently have Java 7 Update 10, upgrade your Java installation manually to the latest version, THEN manually disable Java. Stand by for news on a Java patch that will fix this vulnerability! If you do not have Java 7 but instead have Java 6, it is a good idea to update to the latest Java 6 release, but NOT to Java 7. If you have multiple older versions of Java 6 installed, you are advised to uninstall all of them except the latest.
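As an added example (not part of the original post), the following Python script turns the steps above into a check an administrator can run against a machine's `java -version` output and its Java 7 Update 10+ `deployment.properties` file. It assumes the property name `deployment.webjava.enabled` backs the Java Control Panel checkbox “Enable Java content in the browser”; the sample version text and properties file are constructed.

```python
import re

# Versions the post reports as verified affected: Java 7 Update 9 and Update 10.
AFFECTED_UPDATES = {(7, 9), (7, 10)}

# `java -version` prints a line such as: java version "1.7.0_10"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)"')

def parse_java_version(version_output):
    """Return (major, update) parsed from `java -version` output, or None."""
    match = VERSION_RE.search(version_output)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))

def parse_properties(text):
    """Minimal reader for the key=value lines of a Java deployment.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def assess(version_output, deployment_properties):
    """Classify the installation and report which of the post's steps still applies."""
    version = parse_java_version(version_output)
    props = parse_properties(deployment_properties)
    # Assumed key: deployment.webjava.enabled backs the 7u10+ control-panel
    # checkbox "Enable Java content in the browser"; a missing key means enabled.
    browser_java = props.get("deployment.webjava.enabled", "true").lower() != "false"
    if version is None:
        action = "no Java runtime detected"
    elif version[0] == 7 and browser_java:
        action = "Java 7 with browser plugin enabled: disable Java in the browser"
    elif version[0] == 7:
        action = "Java 7 with browser plugin disabled: wait for the patch"
    else:
        action = "not Java 7: keep this major version updated, do not upgrade to Java 7"
    return {"version": version, "known_affected": version in AFFECTED_UPDATES,
            "browser_java_enabled": browser_java, "action": action}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_VERSION = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
SAMPLE_PROPS = "#deployment.properties\ndeployment.webjava.enabled=true\n"
```

Note that `java -version` writes its banner to stderr, so capture that stream when feeding real output to `assess`.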

More info.

Related:
How to Update Java Manually / How to check you have the latest Java
