Java 0-day exploit added to Blackhole kit, still no news about patch
Posted on 29 August 2012.
The recently discovered Java zero-day flaw that has been spotted being used in limited targeted attacks in the wild has created quite a stir.

A module that exploits the vulnerability is already available to users of the Metasploit pentesting tool and, according to F-Secure researchers, the developer of the Blackhole exploit kit has outfitted it with an exploit that takes advantage of the flaw, too.

By comparing this exploit code to that of the proof-of-concept exploit recently published by Joshua Drake, research scientist with Accuvant Labs, they discovered that it's almost an exact copy.

Symantec researchers have already spotted two websites created to exploit the flaw, and additional ones can't be far behind.

In the meantime, researchers from Security Explorations have confirmed for Softpedia that Oracle has already been working on a patch for the two flaws that allow the attack. According to Adam Gowdiak, the firm's CEO, they had reported both to Oracle back in April 2012.

He says that the monthly status report they received from Oracle less than a week ago shows that both flaws have been addressed, but there is still no news from Oracle about when we can expect a patch to be released.

Users have been advised to either remove Java or to disable Java plugins from their machines for the time being. Detailed instructions for the latter step have been published in a security advisory by US-CERT.


Stagefright 2.0: A billion Android devices could be compromised

Most Android users are, once again, in danger of having their devices compromised by simply previewing specially crafted MP3 or MP4 files.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Oct 2nd