Unpatched Java exploit spreading – Sophos
Cybercriminals are using a zero-day Java exploit to infect and take control of victims' computers, a security vendor warned Tuesday.
Sophos said the flaw, first reported by security firm FireEye, was used in a targeted attack whose origin was traced to a Chinese server.
"The flaw affects all versions of Oracle's Java 7 (version 1.7) on all supported platforms. Java 6 and earlier are unaffected. No patch is available at this time," it noted.
It warned this could be a major concern as the exploit could be used in the Blackhole kit, which is used by cybercriminals to infect computers.
Yet, Sophos noted the next scheduled update for Java is more than a month away - on October 16.
"Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face," it said.
"Considering this flaw is not patched and is not likely to be patched soon is a very dangerous situation," it added.
But Sophos also cited early reports indicating Google's Chrome browser was "immune" to the issue. It said this could have been a bug on the attacker's part.
Separately, it said the Metasploit project released proof-of-concept code that exploits the flaw on all browsers and operating systems, including Windows, OS X, and Linux.
Sophos suggested that users disable the Java plugin in their web browsers for now.
"Need to access intranet pages that require Java in your browser? Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows)," it added.
It also suggested surfing the net using a browser with Java disabled, and having an alternate browser available for the occasional site that needs it. — TJD, GMA News
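The client-firewall suggestion above, worked into Windows Firewall rules as an added example (not from the article or from Sophos); it assumes the default JRE 7 install path and that the intranet is 10.0.0.0/8, both of which must be adjusted to the environment.

```powershell
# Added example: confine javaw.exe to intranet destinations with Windows Firewall.
# Assumptions (not from the article): JRE 7 default path, intranet = 10.0.0.0/8.
$javaw = 'C:\Program Files\Java\jre7\bin\javaw.exe'

# Windows Firewall applies block rules before allow rules, so a block on "any"
# remote address would also defeat an intranet allow. The block is therefore
# scoped to every address range outside the intranet.
$nonIntranet = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-255.255.255.255'
)

New-NetFirewallRule -DisplayName 'Block javaw.exe outside intranet' `
    -Direction Outbound -Program $javaw -Action Block `
    -RemoteAddress $nonIntranet -Profile Any

# Explicit allow for the intranet range; only needed when the outbound
# default action for the profile is Block rather than Allow.
New-NetFirewallRule -DisplayName 'Allow javaw.exe to intranet' `
    -Direction Outbound -Program $javaw -Action Allow `
    -RemoteAddress '10.0.0.0/8' -Profile Any

# Check that the rules exist and are bound to the expected executable.
Get-NetFirewallRule -DisplayName '*javaw.exe*' |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        '{0}: {1} -> {2}' -f $_.DisplayName, $_.Action, $app.Program
    }
```

Any other Java launcher in the same folder (java.exe, and the plugin's own launcher if the installed version uses one) needs the same pair of rules, or the restriction is incomplete.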