Monday, January 14, 2013

Homeland Security Warns of Java Vulnerability Used for Ransomware

ZDNet (and all major outlets) covers the Department of Homeland Security warning about the latest Java vulnerability:
"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
The Next Web discusses the popular exploit kits that are already available and take advantage of the vulnerability, including ransomware, which takes over a user's computer and gives back control only after the user pays a ransom. Apparently all of this could have been avoided if Oracle had properly fixed a previous vulnerability:

The 0-day code would not have worked if Oracle had properly addressed an old vulnerability, according to Security Explorations, the security firm responsible for identifying most of the latest Java vulnerabilities. Back in late August 2012, the company informed Oracle about the insecure implementation of the Reflection API, dubbed Issue 32, and Oracle released a patch for it in October 2012, but the fix wasn’t a complete one.

