Oracle seems to be having a busy week that started right after FireEye published a report on a new Java zero-day vulnerability. According to Atif Mushtaq, criminals are already using the exploit in targeted attacks, and most environments with a fully patched JRE 1.7x are vulnerable. He expected the exploit to become available to a broad community of attackers soon and to be used widely.
It took Rapid7 less than 24 hours to produce its own Metasploit Framework module for the vulnerability, which by then had received a CVE id (CVE-2012-4681). The Metasploit exploit can compromise the JRE plugin in Mozilla Firefox, Internet Explorer and Safari on Linux, Windows and Macintosh.
According to Brian Krebs, the exploit is, or will soon be, available in the BlackHole exploit kit. "The price of such an exploit, if it were sold privately, would be about $100,000," the BlackHole author said, as quoted by Krebs.
Now it is Oracle's turn to move, and let's hope the company does not leave the zero-day until its scheduled update, which is not expected before October. While Oracle stays silent, all users can do is disable their Java plugins or enable them for trusted sites only.
Remember: with or without a zero-day, the Internet is not a safe place at all, so stay secure.
A detailed description of the vulnerability is available here:
http://naked-security.com/nsa/234069.htm