Java Security

Experts Develop 3rd-Party Patch For New Java Zero-Day

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
  • You know it's funny (Score:3, Interesting)

    by DarkOx ( 621550 ) on Monday August 27, 2012 @01:29PM (#41138765) Journal

    We were told Java was going to be the answer to all our security problems. No more buffer overflows, and few if any other remote code exploits would be possible with applications written in Java.

    It's too bad someone finds a critical vulnerability in the platform every other month seemingly.

  • If I remember well (Score:5, Interesting)

    by Vapula ( 14703 ) on Monday August 27, 2012 @02:04PM (#41139223)

    During Sun's era, the motto for Java was: "if there is a vulnerability, stop everything until it's fixed"... Sun was quite responsive in order to keep Java's secure reputation...

    But now, it's Oracle... Oracle screwed on OpenOffice... Oracle is screwing up over MySQL... And it looks like Oracle is screwing up over Java... I wonder what treatment VirtualBox gets...
