New Java zero-day exploit hits the web

Written by Russell Co. Posted in News, Security

Tagged: , , ,

Published on August 29, 2012 with No Comments

Recently a new browser-based exploit for Java hit the web that allowed nefarious elements execute arbitrary code on client systems. Atif Mushtaq of security firm FireEye reported on Sunday that the vulnerabilities are present only in Java Runtime Environment (JRE) version 1.7 or later while versions 1.6 and below are not at risk. All browsers that had the Java plugin were found to be vulnerably which included Chrome, Firefox, Internet Explorer, Opera, and Safari.

This exploit gives attackers the ability to use a custom web page to force systems to execute an arbitrary program such as malware for example. The exploit currently only works on Windows machines, as the payload that it downloads is a Windows executable, but could be adapted to other systems just as easily.

Oracle usually sticks to a thrice-annual patch schedule for Java and as such fixes won’t be due till October 16. As such, experts say that the best solution right now is to disable the Java browser plugin till Oracle issues an official patch. Check whether Java is enabled on your browser here.



Source: The Register