Java 0-day exploit added to Blackhole kit, still no news about patch
Posted on 29 August 2012.
The recently discovered Java zero-day flaw that has been spotted being used in limited targeted attacks in the wild has created quite a stir.

A module that exploits the vulnerability is already available to users of the Metasploit pentesting tool and, according to F-Secure researchers, the developer of the Blackhole exploit kit has outfitted it with an exploit that takes advantage of the flaw, too.

By comparing this exploit code to that of the proof-of-concept exploit recently published by Joshua Drake, research scientist with Accuvant Labs, they discovered that it's almost an exact copy.

Symantec researchers have already spotted two websites created to exploit the flaw, and additional ones can't be far behind.

In the meantime, researchers from Security Explorations have confirmed for Softpedia that Oracle has already been working on a patch for the two flaws that allow the attack. According to Adam Gowdiak, the firm's CEO, they had reported both to Oracle back in April 2012.

He says that the monthly status report they received from Oracle less than a week ago shows that both flaws have been addressed, but there is still no news from Oracle about when we can expect a patch to be released.

Users have been advised to either remove Java or to disable Java plugins from their machines for the time being. Detailed instructions for the latter step have been published in a security advisory by US-CERT.


MagSpoof: A device that spoofs credit cards, disables chip-and-PIN protection

The device can wirelessly spoof credit cards/magstripes, disable chip-and-PIN protection, and predict the credit card number and expiration date of Amex cards after they have reported stolen or lost.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Nov 26th