New Java attack being folded into cybercriminal exploit kits

Exploit kits are big business for cybercriminals, Infosecurity notes, as they can be sold or rented to less technically aware cybercriminals who have the ability to seed the internet with infected web sites, emails and similar darkware strategies.

According to Brian Krebs, of the Krebs on Security newswire, the exploit leverages a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier.

“If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update”, he says.
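For administrators checking an estate against the versions Krebs names, the following is an added example (not from the article or from Oracle) that classifies `java -version` banners against the patched releases, Java 6 Update 29 and Java 7 Update 1. The host names and banner lines are constructed sample data, and reporting other Java families as "unknown" is an assumption, since the article only covers Java 6 and 7.

```python
import re

# Minimum patched update per Java family, as stated in the article:
# Java 6 Update 29 and Java 7 Update 1.
PATCHED_UPDATE = {6: 29, 7: 1}

# Matches the first line of `java -version`, e.g. java version "1.6.0_27".
# A GA release such as "1.7.0" carries no _NN suffix and counts as update 0.
_BANNER_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (family, update) from a version banner, or None if unparseable."""
    match = _BANNER_RE.search(banner)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2) or 0)


def classify(banner):
    """Return 'patched', 'vulnerable', 'unknown' or 'unparsed' for one banner."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unparsed"
    family, update = parsed
    if family not in PATCHED_UPDATE:
        # Assumption: the article is silent on other families, so do not guess.
        return "unknown"
    return "patched" if update >= PATCHED_UPDATE[family] else "vulnerable"


def hosts_needing_update(inventory):
    """Return sorted host names whose banner is not confirmed patched."""
    return sorted(h for h, b in inventory.items() if classify(b) != "patched")


# Constructed inventory: host name -> first line of `java -version` output.
SAMPLE_INVENTORY = {
    "desk-01": 'java version "1.6.0_27"',
    "desk-02": 'java version "1.6.0_29"',
    "desk-03": 'java version "1.7.0"',
    "desk-04": 'java version "1.7.0_01"',
    "desk-05": 'java version "1.5.0_22"',
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(host, classify(SAMPLE_INVENTORY[host]))
```
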

Krebs goes on to say that, earlier in November, researcher Michael Schierl outlined how one might exploit this particular Java flaw.

Over this last weekend, the researcher said he stumbled on a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized along the same lines as described by Schierl, and has posted a video showing how the exploit can be used.

Java exploits, notes Krebs, are notoriously successful when bundled into commercial exploit packs, software kits that can turn a hacked web site into a virtual minefield for internet users who aren’t keeping up to date with the latest security patches.

“Users would need only to browse to a booby-trapped site with a version of Mozilla Firefox or Internet Explorer that is running anything older than the latest Java package, and the site could silently install malware”, he says in his latest security posting.

And now here’s the bad news: because Java is cross-platform, this attack methodology could theoretically be used to infiltrate non-Windows systems, such as computers running Mac OS X.

“For now, though, I’ve only heard about it being used to target Windows PCs: It is slowly being incorporated into the BlackHole exploit kit, one of the most widely-deployed exploit packs on the market today”, he said.
