Java 0-day exploit added to Blackhole kit, still no news about patch
Posted on 29 August 2012.
The recently discovered Java zero-day flaw that has been spotted being used in limited targeted attacks in the wild has created quite a stir.

A module that exploits the vulnerability is already available to users of the Metasploit pentesting tool and, according to F-Secure researchers, the developer of the Blackhole exploit kit has outfitted it with an exploit that takes advantage of the flaw, too.

By comparing this exploit code to that of the proof-of-concept exploit recently published by Joshua Drake, research scientist with Accuvant Labs, they discovered that it's almost an exact copy.

Symantec researchers have already spotted two websites created to exploit the flaw, and additional ones can't be far behind.

In the meantime, researchers from Security Explorations have confirmed for Softpedia that Oracle has already been working on a patch for the two flaws that allow the attack. According to Adam Gowdiak, the firm's CEO, they had reported both to Oracle back in April 2012.

He says that the monthly status report they received from Oracle less than a week ago shows that both flaws have been addressed, but there is still no news from Oracle about when we can expect a patch to be released.

Users have been advised to either remove Java or to disable Java plugins from their machines for the time being. Detailed instructions for the latter step have been published in a security advisory by US-CERT.






Spotlight

Patching: The least understood line of defense

Posted on 29 August 2014.  |  How many end users, indeed how many IT pros, truly get patching? Sure, many of us see Windows install updates when we shut down our PC and think all is well. Itís not.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Sep 3rd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //