A recently discovered Java vulnerability that’s been circulating throughout the hacking underground has begun to show up alongside the BlackHole exploit kit, according to a post on Brian Krebs’ KrebsonSecurity blog.
The National Vulnerability Database claims the vulnerability is found in the Java Runtime Environment Component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier builds. Specifically, a weakness in Java’s Rhino Script Engine allows attackers to run arbitrary Java code outside of the sandbox. Those with the latest version of Java, Java 6 Update 29, or Java 7 Update 1, are not affected.
According to an interview Krebs had with the hacker that maintains the BlackHole kit, the Java exploit is now being distributed free-of-charge to existing exploit kit owners. Otherwise it’s being sold for $4,000, in addition to a license for the kit, which normally runs for $700 for three months.
Even after being patched in mid-October along with 19 other script engine flaws, the vulnerability has become trickier to deal with when packaged with an exploit kit like BlackHole. Stumbling upon a vulnerability-laden site on Internet Explorer or Mozilla Firefox could trigger the installation of malware if users are running an out-of-date build of the software.
Java vulnerabilities continue to gain steam, even surpassing Adobe last year when it comes to the number of exploits. BlackHole, one of the newer and more popular exploit kits this year, makes extensive use of Java flaws. The platform’s OBE (Open Business Engine) frequently uses them to load malicious executables.
To read Krebs’ full account, head here.
