Experts Develop 3rd-Party Patch For New Java Zero-Day
tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
Re:Quarterly security patch? (Score:5, Funny)
The analysts figured that exploits only come out an average of four times a year, therefore they only need to send updates every quarter. Who can question the CIO's master stroke of logic?
Re:It's Worse for Apple Users (Score:4, Funny)
It's up to Sun to release a JVM for OS X now
Boy, are you Apple users in trouble!
Re:A better idea... (Score:4, Funny)
I locked it down so *only* those 2 things can use it. One of them is not the web browser...
But the other one is the web browser? ;)
Re:Quarterly security patch? (Score:4, Funny)