Experts Develop 3rd-Party Patch For New Java Zero-Day

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."

Don't browse with Java

[JDG1980]

There is no good reason to have Java installed in your primary browser. The only reason why it's everywhere is that it often comes preinstalled for no good reason, and (even worse) the installer shoves its way into all your browsers, for even less reason. If there are specific business sites using Java that you must access, then use IE with Java exclusively for those, and Firefox or Chrome for normal browsing. Using Java on the open web is just asking to get 0wned.

Re:Don't browse with Java

[Megahard]

Agreed. Before HTML5, Java was an acceptable way to implement app-like stuff in the browser. Now with dynamic HTML, Canvas, SVG, and AJAX, Java in the browser has become an anachronism.

Re:It's Worse for Apple Users

[MacColossus]

Not any more. Oracle is providing Java 7 and later for Mac. http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html