Back in August last year we were recommending you disable or uninstall Java unless you really needed to keep it. The reason was a zero-day exploit that Oracle had known about for months, but hadn’t bothered to fix. It meant an attacker could install malware on your machine without your knowledge.

Then in December a new zero-day exploit was being offered for a five-figure sum via an invite-only web forum called Underweb. A month later, and it has been confirmed and verified that a Java zero-day exploit is now included as part of the Blackhole and Nuclear Pack crimeware products.

Again, this means that even if you are running the most up-to-date version of Java (currently Java 7 Update 10) on your machine you are still vulnerable. Anyone purchasing the crimeware exploit kit can take advantage of it and infect machines.

There is nothing you can do to defend against such an attack other than to disable or uninstall Java. We created a guide to disable Java on everything, and again I urge you to do so just in case. Chances are you probably aren’t using Java anyway.

Oracle has also made it easier to disable Java in your web browser in recent updates and released instructions on how to do so.

Oracle did respond to the last zero-day exploit that got publicized with an emergency patch being issued, so hopefully they will do the same for this one and release another emergency patch. But until that happens it’s better to be safe than sorry.

via Geek.com

NO COMMENTS

Leave a Reply