“There is no delight in owning anything unshared.”

Cyberattacks January 2013 [Part II] – Zero-Day Java Exploit Debuts in Crimeware

New Java zero-day that exploits a vulnerability (CVE-2013-0422) in fully-patched versions of Java 7.

This zero-day vulnerability affects the latest version, Java 7 Update 10.This vulnerability is already included in most of the Crimeware Kits which included:

  • Blackhole
  • Nuclear Pack
  • Cool Exploit Kit
  • Redkit

while Metasploit  is expected to release an module soon. The zero-day will be exploited in various attack vectors.

java-7-

Advisories:

  • Disable Java if it is not required.
  • If there is critical application/websites requires Java. It is Suggested to use different web browser to access them such as:
  • Disable Java Plug-in on Web Browser intended for normal web surfing.
  • Enable Java Plug-in on another Web Browser for opening websites which require Java.
  • For Example: Use Firefox (Java Plug-in DISABLED) for normal web surfing and Internet Explorer (Java Plug-in ENABLED) for websites which requires Java.
  • Always wary of clicking on links received from known/unknown sources. An attacker would have to convince the user to exploit this vulnerability, typically by getting them to click on malicious URL through email, instant messenger message, social network and many more…

You may also refer to the in-depth security news provide by KrebsonSecurity:

In-depth KrebsonSecurity on Java Zero Days Exploits

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s