Author Topic: Latest Java zero-day exploit renews calls to disable it  (Read 602 times)

0 Members and 1 Guest are viewing this topic.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14325
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Latest Java zero-day exploit renews calls to disable it
« on: November 28, 2012, 11:59:14 PM »
Quote
A zero-day Java exploit found for sale in the criminal underground has renewed calls to disable the cross-platform runtime environment in Web browsers.
The latest exploit of a vulnerability not yet publicly known was reported on Tuesday by Brian Krebs, author of the KrebsonSecurity blog. An established member of the Underweb forum, an invitation-only site, was selling the exploit for Java JRE 7 Update 9, the latest version of the platform. The expected price was in the "five digits."

The flaw was in the Java class "MidiDevice.Info," a component that handles audio input and output, Krebs said. The seller claimed "code execution was very reliable" on Firefox, Microsoft Internet Explorer and Windows 7.

The latest exploit discovery comes three months after two other zero-day vulnerabilities and exploit code were found, one by a security researcher at Accuvant and the other by a developer at Immunity. The flaws were in Java 7 and affected Windows, Mac OS X and Linux operating systems running a browser with a Java plug-in.

The latest exploit was unusual because they are seldom sold in such an open manner, said Chester Wisniewski, a senior security adviser for Sophos. "Granted it is on a members only criminal forum, but it sounds like the post was rather straight forward."


More at the source:  Latest Java zero-day exploit renews calls to disable it


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.