Late Thursday evening, the Department of Homeland Security's U.S. Computer Emergency Response Team (CERT) issued an alert
warning of a JAVA 7 "vulnerability". The vulnerability exploit allows hackers to remotely "execute arbitrary code" on vulnerable systems.
Users who have the most recent versions of Oracle's Java software installed are at risk, with CERT saying web browsers that use the JAVA 7 plug-in are "at high risk".
According to CNET
, hackers have recently discovered the JAVA 7 security weakness, learning they can remotely install malicious software and malware on computers, making identity theft much easier. The security weakness also allows hackers to access and use the computers of unsuspecting owners to create a botnet
, thus allowing them to shut down networks or attack websites.
News of the software vulnerability began surfacing earlier this week after two different hackers began selling software kits aimed at exploiting the vulnerability. According to KrebsonSecurity
, “Paunch", owner of a crimeware site called Blackhole, made an announcement Thursday which stated:
"The Java zero-day [is] a “New Year’s Gift,” to customers who use [my] exploit kit."
Shortly after "Paunch" made his announcement, a similar announcement was made by the maker of Nuclear Pack.
CERT confirmed that exploit kits for JAVA 7 were readily available, saying
"This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
confirmed the exploit by reproducing it using a fully patched newly installed version of JAVA. In their laboratory, they were able to get a malicious JAVA applet to execute a calc.exe function.
They stated the exploit is believed to bypass certain security checks, essentially tricking the permissions of certain Java classes. They also confirmed that at this point, the only way to protect computers is to disable all JAVA 7 functions.
In December, KasperSky
reported that Java had surpassed Adobe Reader as the most frequently exploited software. The report said that JAVA was responsible for 50 percent of all cyber attacks in 2012.
Instructions on how to disable JAVA can be found at the Oracle website
Oracle has yet to comment on the CERT announcement.