Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The flaw was first spotted by the ‘Malware Don’t Need Coffee’ blog. The vulnerability is being exploited in the wild and is reported to have been incorporated into exploit kits.
The exploit is already available in two exploit packs, available for $700 a quarter or $1,500 for a year. Similar tactics were used in CVE-2012-4681, which was discovered last August. The source of this new exploit is also available for download.
The two most popular exploit packs used by hackers to distribute malware, the Blackhole Exploit Kit and the Cool Exploit Kit, already include this latest Java zero-day exploit. The Blackhole kit is usually installed on compromised websites and uses vulnerabilities in web browsers and other software to inject malware into visitors' PCs.
The creator of Blackhole, who uses the nickname 'Paunch,' announced yesterday on several underground web forums that the Java zero-day was a 'New Year's Gift' to customers who use his exploit kit. The vulnerability was later confirmed by security firm AlienVault Labs, which said: "On the other hand we expect a Metasploit module in the upcoming days as it has been happening during the last year as well as most of the exploit kits adopting this new zeroday sooner than later."
As a last option, readers should deactivate the Java plugin in their browsers without delay.