Java exploit built into BlackHole exploit kit

Security researchers have warned of a new exploit for a recently patched Java flaw that is now being incorporated into exploit kits.

According to security blogger Brian Krebs, the exploit attacks a vulnerability that affects Oracle Java SE JDK and JRE 7, and 6 Update 27 and earlier. He also said that it is slowly being incorporated into the BlackHole exploit kit, one of the most widely deployed exploit packs on the market.

“If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it's time to update. Not sure whether you have Java or what version you may be running? Check out this link and then click the ‘Do I have Java?’ link below the big red ‘Free Java Download’ button,” he said.
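The manual check Krebs describes does not scale to a fleet of endpoints. The script below is an added example, not code from the article or from Krebs: it parses the banner that `java -version` prints and classifies it against the patched baseline the article gives (Java 6 Update 29 and Java 7 Update 1 are patched; 6u27 and earlier, and the 7 GA release, are vulnerable). The sample banners are constructed, not captured from real hosts, and the handling of major versions the article does not mention (reported as "unknown" rather than guessed) is this example's own assumption.

```python
import re
import subprocess

# Patched baseline as reported in the article: Java 6 Update 29 and
# Java 7 Update 1 carry the fix. Major versions not covered by the article
# (e.g. Java 5) are deliberately reported as "unknown" (assumption of this
# example, not something the article states).
PATCHED_UPDATE = {6: 29, 7: 1}

# First alternative: the legacy 1.<major>.0_<update> string used by Java 6/7,
# e.g. `java version "1.6.0_27"` or `java version "1.7.0"` (GA, no update).
# Second alternative: the newer <major>.<minor>... scheme (Java 9+), so a
# modern banner is not mistaken for an unparseable one.
_VERSION_RE = re.compile(
    r'version "(?:1\.(\d+)\.\d+(?:_(\d+))?|(\d+)(?:\.\d+)*)"'
)


def parse_java_version(banner: str):
    """Return (major, update) from a `java -version` banner, or None if absent.

    A GA release without an `_NN` suffix is treated as update 0.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    if m.group(1) is not None:            # legacy 1.x.y_NN form
        major = int(m.group(1))
        update = int(m.group(2)) if m.group(2) else 0
    else:                                 # modern major.minor form
        major = int(m.group(3))
        update = 0
    return major, update


def assess(banner: str) -> str:
    """Classify a banner as 'patched', 'vulnerable', 'unknown' or 'unrecognized'."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unrecognized"
    major, update = parsed
    baseline = PATCHED_UPDATE.get(major)
    if baseline is None:
        return "unknown"
    return "patched" if update >= baseline else "vulnerable"


def local_java_banner() -> str:
    """Run `java -version` on this host (it writes to stderr) and return the output.

    Returns '' when no java binary is on PATH or the call times out.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners (not captured from real hosts), one per outcome.
SAMPLE_BANNERS = {
    "vulnerable-6u27": 'java version "1.6.0_27"\n'
                       'Java(TM) SE Runtime Environment (build 1.6.0_27-b07)',
    "patched-6u29":    'java version "1.6.0_29"\n'
                       'Java(TM) SE Runtime Environment (build 1.6.0_29-b11)',
    "vulnerable-7ga":  'java version "1.7.0"\n'
                       'Java(TM) SE Runtime Environment (build 1.7.0-b147)',
    "patched-7u1":     'java version "1.7.0_01"\n'
                       'Java(TM) SE Runtime Environment (build 1.7.0_01-b08)',
    "unknown-5":       'java version "1.5.0_22"',
    "none":            "bash: java: command not found",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:16} -> {assess(banner)}")
    print(f"{'this host':16} -> {assess(local_java_banner())}")
```

Run it on each endpoint (or feed it banners collected by your inventory tooling) and treat anything other than "patched" as needing attention; "unknown" means the version falls outside the two release lines the article covers and should be checked against Oracle's own advisory rather than assumed safe.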

“Java exploits are notoriously successful when bundled into commercial exploit packs, software kits that can turn a hacked website into a virtual minefield for web users who aren't keeping up to date with the latest security patches. Users would need only to browse to a booby-trapped site with a version of Mozilla Firefox or Internet Explorer that is running anything older than the latest Java package and the site could silently install malware.”

Krebs also said that as Java is cross-platform software, this attack could theoretically be used to infiltrate non-Windows systems, such as computers running Mac OS X, but he had only heard about it being used to target Windows PCs.

Krebs, who monitors a cyber crime forum, said the hacker principally responsible for maintaining and selling BlackHole claimed the new Java exploit was being rolled out for free to existing licence holders. For all others, the exploit can be had for $4,000 (£2,500), in addition to the cost of a BlackHole licence: $700 (£450) for three months, $1,000 (£650) for six months or $1,500 (£965) per year.

The author of BlackHole also sells his own hosted solution, in which customers can rent bulletproof servers with pre-installed copies of his kit for $200 (£128) a week, or $500 (£320) per month.

Bill Morrow, executive chairman of Quarri Technologies, said: “Cyber thieves and hackers are always looking for a new way to obtain sensitive information and infected websites continue to prove to be one of the best. Java's recently patched critical security flaw is the latest example of how the ‘bad guys' can take advantage of the unsuspecting end-user.

“Java exploits are most effective when included in exploit packs since they can turn any hacked website into a particularly dangerous place for end-users. The browser at the endpoint continues to be the weakest part of any network, as one wrong click of the mouse can open a company's most sensitive data to significant threats.

“As companies of all sizes increasingly use browsers as the primary platform for the delivery of information, browsers have also become the primary point of theft or data leakage, by not only malware, but also by end-users. Not knowing the security state of the endpoint is a critical security gap for a website or web application owner.”
