Researchers are tracking a zero-day Java exploit that is being used in active attacks and may leave users with no choice but to disable the platform.
First reported on Sunday by FireEye, the vulnerability affects most versions of Java Runtime Environment, including the most recent iteration. The proof-of-concept code has been published and with no patch available, researchers now are bracing themselves for an uptick in incidents beyond the limited and targeted occurrences that so far have been seen.
FireEye claimed that exploits are being launched from IP addresses based in the Asia region. Developers at vulnerability management company Rapid7, owner of the Metasploit Project, have also added the exploit to their penetration testing framework.
Oracle, which releases Java patches on a quarterly basis, isn't scheduled to fix the software again until 16th October, though researchers believe this vulnerability may warrant an out-of-cycle update.
Michael Schierl, a German software developer and Java expert, told SC Magazine US that this particular exploit only affects instances where the Java sandbox is used, such as in browser applets. Other Java scenarios, such as when the software is used in back-end systems for applications or websites, are not impacted.
Schierl said: “My personal opinion is that Java in the browser is mostly useless these days and should not be used unless really needed. Most things that Java applets used to do can be done with HTML5 nowadays or, if needed, with SVG (Scalable Vector Graphics) or Flash. While Flash has its security problems too, the attack surface of Flash is a lot smaller and it is a lot harder to build a reliable exploit for Flash vulnerabilities.
“Java on the server or on the desktop, however, is a nice way to generally build more secure applications than in native languages such as C++. Just let its sandbox die.”
“The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails,” researchers André DiMino and Mila Parkour of DeepEnd Research said in a blog post.
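The distinction Schierl draws, between Java running inside the applet sandbox and Java running unrestricted on a server or desktop, comes down to whether a SecurityManager is installed. The following program is an added illustration, not code from the article or from any of the researchers quoted; it runs the same file-listing routine twice, once as a server-style application with no security manager and once under a SecurityManager with the default policy, which (as for an untrusted applet) grants no file-system permissions. It assumes Java 8, where SecurityManager is still supported without extra flags, and the directory it lists is simply the current working directory.

```java
import java.io.File;
import java.security.AccessControlException;

public class SandboxDemo {

    // The action the "untrusted" code attempts: list a directory on the local disk.
    // Under the applet sandbox this requires a FilePermission the default policy never grants.
    static String listDirectory(File dir) {
        String[] entries = dir.list();
        return entries == null ? "unreadable" : entries.length + " entries";
    }

    public static void main(String[] args) {
        // Resolve the working directory before any sandbox is installed; reading
        // "user.dir" itself would be denied once the SecurityManager is active.
        File cwd = new File(System.getProperty("user.dir"));

        // Server/desktop scenario: no SecurityManager, code runs with full OS privileges
        // of the user (nothing in the sandbox-only vulnerability applies here).
        System.out.println("No sandbox:   " + listDirectory(cwd));

        // Browser-applet scenario: install a SecurityManager with the default policy.
        // Untrusted code now runs inside the sandbox; the exploit described in the
        // article is a sandbox escape, i.e. it only matters when this check is in place.
        System.setSecurityManager(new SecurityManager());
        try {
            System.out.println("With sandbox: " + listDirectory(cwd));
        } catch (AccessControlException denied) {
            // Expected: access control blocks the read, naming the missing permission.
            System.out.println("With sandbox: denied (" + denied.getPermission() + ")");
        }
    }
}
```

Run with `javac SandboxDemo.java && java SandboxDemo` on a Java 8 JDK. The first line reports the directory contents; the second reports the denied `java.io.FilePermission`. That denial is the whole value of the sandbox, and a sandbox-escape bug of the kind reported here removes exactly that barrier for applet code while leaving the unsandboxed server deployment unaffected, which is why the practical mitigation is to disable the browser plug-in rather than Java itself.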