Java zero-day exploit goes mainstream, 100+ sites serve malware

Gregg Keizer | Aug. 30, 2012

Attackers using two recently uncovered, unpatched Java vulnerabilities, or "zero-days," have quickly expanded their reach by going mainstream, security experts said today.

"Oracle is unlikely to patch this ahead of their scheduled October update and that's plenty of time for evil-doers to profit if we don't block until then," said Daniel Veditz, a Firefox security engineer, on Bugzilla.

Oracle is scheduled to release its next Java security update Oct. 12.

Although the current exploits -- and Blackhole -- target only Windows PCs, some machines running OS X will also be vulnerable to attacks if hackers integrate the Java zero-days in Mac-specific malware.

Apple stopped bundling Java with OS X starting with 2011's Lion; this year's Mountain Lion also omits Java. Those users, however, may still have Java 7 installed. When a browser encounters a Java applet, OS X asks the user for permission to download the Oracle software.

People running the older Snow Leopard (2009) and Leopard (2007) are apparently not at risk, since Java 7 requires the more recent Lion and Mountain Lion. The unpatched vulnerabilities are present only in Java 7.

While more than half of all Macs were running Lion or Mountain Lion as of July 31, statistics on OS X Java 7 installations were unavailable.

 

 
