Java Zero-Day Attack Threats Widening, Security Experts Warn
Modernizing Authentication — What It Takes to Transform Secure Access
Security firms warned business users and consumers to remove Java if possible, after one company identified an attack against its customers using a previously unknown vulnerability in Java.
On Aug. 24, threat-protection firm FireEye stopped an attack targeting the flaw and over the weekend confirmed that the security issue was previously undiscovered. The attack exploited the vulnerability in the latest version of the software platform, Java 7, and can execute on Windows, Mac OS X and Linux, said Atif Mushtaq, a senior staff scientist with FireEye.
FireEye and other security firms have discovered that the attack works silently.
Known for its cross-platform functionality and tag line, "write once, run everywhere," the Java software platform has become a very popular target of cybercriminals with major exploit kits, such as Blackhole, including at least a handful of exploits to target Java vulnerabilities. The software's widespread deployment, especially in enterprise environments and the necessity of keeping older, vulnerable versions around for backwards compatibility, give attackers an ideal environment to easily exploit targeted systems.
The failed attack, which led to the discovery of the vulnerability, attempted to install Poison Ivy, a well-known rootkit, but also one that has been used in some nation-state-related attacks. The attack emanated from servers in China, but experts are quick to point out that cyber-criminals utilize compromised servers in other countries to mislead investigators.
Mushtaq and other security researchers worried that Oracle, which took over the development of Java when it purchased Sun Microsystems, will delay releasing a patch until its regularly scheduled patch day on Oct. 16.
"Oracle almost never issues out-of-cycle patches but hopefully they will consider it serious enough to do it this time," Mila Parkour, co-founder of DeepEnd Research, stated in a blog post on Aug. 27.