F-Secure anti-malware analyst Timo Hirvonen reported finding an in-the-wild exploit actively targeting an unpatched vulnerability in Java 6 following the recent publication of related proof-of-concept (POC) attack code.
The Neutrino crimeware kit was first spotted in March 2013, when it was identified as the source of a series of attacks that exploited Java vulnerabilities to install ransomware on victims' PCs, locking the machines until users paid a "fine" supposedly levied by the FBI and other law enforcement agencies.
According to statistics released in March 2013, at least 47% of all Java users in the United States were still running Java version 6.
Vulnerability information provider Secunia reported that the bug could be exploited by malicious local users to disclose certain sensitive information, manipulate certain data, and gain escalated privileges, and by malicious people (remote attackers) to conduct spoofing attacks, disclose certain sensitive information, manipulate certain data, cause a denial of service, bypass certain security restrictions, and compromise a vulnerable system.
While Java 6 is under the gun, the latest version of Java 7 also has at least one serious unpatched vulnerability. However, no technical details about that vulnerability have been publicly released.
Oracle plans to patch the bug. The fix will come in the form of "a back-ported (from JDK 8) implementation of the affected component" in JDK 7 update 40. Oracle also announced that it would delay the release of Java 8 (aka JDK or JRE 8) while it redeployed developers to strengthen Java 7 security.