Patrick Runald, director of security research for Websense, told PC World today that his team had uncovered more than 100 infected domains – a figure expected to rise sharply after the exploit code for the Java vulnerabilities was added in recent days to the popular hacker tool Blackhole.
The original attack, believed to originate in China, relies on two vulnerabilities in a single .jar file in Java 7.
Because of Java’s ubiquity across Web sites, and Oracle’s failure to date to release a patch outside its normal quarterly cycle, companies this week began recommending that users disable Java browser plugins to help prevent the malicious code from reaching machines through compromised Web sites.
“The beauty of this bug class is that it provides 100 percent reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353),” wrote Immunity developer Esteban Guillardoy earlier this week.
US-CERT recommended as a workaround disabling the Java plugin in browsers such as Safari, Chrome, Firefox and Internet Explorer. Apple’s Lion and Mountain Lion also use Java 7 while Leopard and Snow Leopard do not.
“Unless you actually need Java, you might choose to remove it from your system because of the history of exploits that have come out through it,” Chris Astacio, manager of security research at Websense Security Labs, told CRN. “Java is well known as a major attack vector for exploit kits. But if you absolutely do not need it, you’re better off removing it altogether. Most consumer-type Web sites do not require it, but there are some applications internal to enterprises that may require it.”