Java

Adam Gowdiak discovers critical Java vulnerability that puts 1 BILLION users at risk

posted on September 26, 2012
by l33tdawg

Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might “spoil the taste of Larry Ellison's morning…Java.”

IE zero-day exploit linked to Java 7 attackers

posted on September 19, 2012
by l33tdawg

Researchers believe a new zero-day vulnerability, affecting Internet Explorer (IE) 9 and earlier versions, was exploited by the Nitro cyber gang.

Microsoft has already released a security advisory to alert users of the bug, and said it would issue a temporary patch, which will be available within the next few days for download.

Java zero-day leads to Internet Explorer zero-day

posted on September 17, 2012
by l33tdawg

While looking around a compromised server that was being used to exploit Java vulnerabilities, a security researcher stumbled upon another exploit that he claims affects fully patched versions of Microsoft Internet Explorer 7 and 8.

Eric Romang found four files on the server: an executable, a Flash Player movie and two HTML files called exploit.html and protect.html.

Oracle Confirms Newly Discovered Java Vulnerability

posted on September 11, 2012
by l33tdawg

Adam Gowdiak, the CEO of Security Explorations (the company that discovered the recent Java vulnerabilities), told Softpedia that Oracle confirmed the existence of the second flaw, reported on August 31, 2012.

“Oracle confirmed the security issue reported to them on Aug 31, the one that affects the out-of-band patch released on Aug 30. This is visible at our vendor status page,” Gowdiak wrote in an email.

Apple issues Java updates for OS X 10.6, 10.7, and 10.8

posted on September 5, 2012
by l33tdawg

Apple has released a security update for the Apple-supported Java runtime for OS X, which many users have installed on their systems. Java for OS X is available for Apple's latest three OS X releases starting with Snow Leopard. The update should be available through Apple's Software Update service (in the Apple menu).

Adam Gowdiak: Oracle knew about Java vulnerabilities for months

posted on August 30, 2012
by l33tdawg

Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.

Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day -- unpatched -- vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said Wednesday via email.

Six ways to protect against the latest Java vulnerability

posted on August 29, 2012
by l33tdawg

Security researchers have proposed several methods for users to protect their computers from ongoing attacks that target a new and yet-to-be-patched vulnerability in all versions of Java Runtime Environment 7.

Most of the proposed solutions have drawbacks or are applicable only to certain system configurations and environments. However, the hope is that, in the absence of an official patch from Oracle, users will be able to use one or a combination of them to reduce the risk of their systems being compromised.

Unpatched Java vulnerability exploited in Blackhole-based attacks

posted on August 29, 2012
by l33tdawg

Attacks targeting an unpatched vulnerability in the latest versions of Java 7 have become widespread after an exploit for the new flaw was integrated into the popular Blackhole attack toolkit, according to security researchers from antivirus vendor Kaspersky Lab.

"The first victim regions to be hit with the Blackhole stuff were the U.S., the Russian Federation, Belarus, Germany, the Ukraine and Moldova," Kaspersky senior security researcher Kurt Baumgartner said Tuesday in a blog post.

New 'super dangerous' Java zero-day flaw affects OS X

posted on August 27, 2012
by l33tdawg

Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.

The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.