Java is still exploitable and is likely going to remain so.
We haven't had an unpatched Java vulnerability in a while (a month?). To make up for this lack of Java exploitability, the creators of the Blackhole and Nuclear exploit packs included an exploit for a new, unpatched Java vulnerability in their latest release [1]. The exploit has been seen on various compromised sites serving up the exploit kit. The latest version of Java 7 is vulnerable [2].
Leave Java disabled (I am not going to recommend disabling it. If you still have it enabled, you probably have an urgent business need for it and can't disable it).
If you have any business-critical applications that require Java: try to find a replacement. I don't think this will be the last flaw, and the focus on Java from the people behind exploit kits like Blackhole is likely going to lead to additional exploits down the road.
[1] https://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
[2] http://malware.dontneedcoffee.com
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments

New Java 0-day exploited in the wild
https://net-security.org/secworld.php?id=14216
Dilbert, Jan 10th 2013

John, Jan 10th 2013

Tim, Jan 10th 2013

https://www.lucidchart.com/blog/2012/12/18/using-scala-exponential-growth-at-a-startup/
JVM, Jan 10th 2013