PSA —

Java users beware: Exploit circulating for just-patched critical flaw

If you haven't installed last week's Java update, now would be a good time.


If you haven't installed last week's patch from Oracle that plugs dozens of critical holes in its Java software framework, now would be a good time. As in immediately. As in, really, right now.

In the past few days, attack code targeting one of the many remote-code-execution vulnerabilities fixed in Java 7 Update 21 was folded into either the RedKit or the CrimeBoss exploit kit. By Sunday, that attack code was being actively unleashed on unsuspecting end users, according to a short blog post published by a researcher from antivirus provider F-Secure.

The post doesn't say where the attacks were being hosted or precisely how attackers are using them. Still, Oracle describes the vulnerability as allowing remote code execution without authentication. And that means you should install the patch before you do anything else today. Malware purveyors' track record of abusing advertising networks, compromised Apache servers, and other legitimate enterprises means readers could encounter attacks even when they're browsing a site they know and trust.

F-Secure noted that the code encountered in the new attacks looks similar to the source code contained in an exploit module released for the Metasploit framework used by penetration testers and hackers. The module was published a day before the nearly identical exploit began circulating in the wild. No doubt, private firms that sell exploits to governments for amounts in the six-figure range already had similar, and probably more potent, attacks available for days, weeks, or even months. Given the openness of the Metasploit project and its high value to network defenders, the copycat exploit is an unfortunate side effect of the democratic nature of the open-source framework. More about the proof-of-concept is here.

Most Java installations should be configured to deliver updates automatically. But if your system hasn't yet informed you of last week's update, you should go here and install it manually.

Post updated to reflect new information about the possible tool kits that incorporated the exploit.
