Slashdot Mirror


Experts Develop 3rd-Party Patch For New Java Zero-Day

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."

4 of 154 comments

  1. Re:Quarterly security patch? by plover · Score: 4, Funny

    The analysts figured that exploits only come out an average of four times a year, therefore they only need to send updates every quarter. Who can question the CIO's master stroke of logic?

    --
    John
  2. Re:It's Worse for Apple Users by Anonymous Coward · Score: 4, Funny

    It's up to Sun to release a JVM for OS X now

    Boy, are you Apple users in trouble!

  3. Re:A better idea... by monkeyhybrid · Score: 3, Funny

    I locked it down so *only* those 2 things can use it. One of them is not the web browser...

    But the other one is the web browser? ;)

  4. Re:Quarterly security patch? by ruiner13 · Score: 3, Funny

    The US doesn't use the metric system, therefore it is full of liars. :)

    --
    today is spelling optional day.