
Oracle looks to plug Java zero-day vulnerability

14 Jan 2013

Oracle has released a security update designed to patch a recently discovered zero-day vulnerability in its Java software.

The newly released Java 7 Update 11 aims to fix the security flaw by altering the way Java handles web applications.

The Java vulnerability first came to light last week, when security firm Trend Micro found a ransomware Trojan known as Reveton exploiting the flaw. The malware has been connected with the popular Blackhole and Cool exploit kits, which allow criminals to mount automated attacks against the vulnerability.

F-Secure security researcher Sean Sullivan highlighted the flaw's connection to Blackhole and Cool as particularly dangerous, warning that the attacks' high success rate will undoubtedly increase criminals' interest in exploit kits.

"It was a bad vulnerability, allowing for a reliable exploit. An exploit which was first incorporated into the 'Cool' exploit kit. As that kit reportedly rents itself for $10,000 per month, the 'badness' should speak for itself," he said.

Sullivan went on to reiterate security experts' claim that Oracle failed to react to the threat quickly enough, urging the company to re-address inherent problems with its security strategy.

"Reports say that Oracle was informed four months ago. But then, there was no evidence of exploitation in the wild. It is always difficult to judge the amount of resources that should be spent on a potential problem. It was a rather fast reaction once the vulnerability was known to the public," said Sullivan.

"Oracle really just needs to come to better terms with being the target."

Trend Micro security director Rik Ferguson was similarly unimpressed with Oracle's reaction to the vulnerability.

"The patch from Oracle is really nothing more than a Band-Aid, elevating the security settings on the client PC such that applets from unknown sources will require user authorisation to run. This is obviously still wide open to socially-engineered attacks," Ferguson told V3.

"Java really is not a necessity for the majority of web users; my advice would be to ensure that it remains switched off in web browsers at least, unless there is an overriding need for it.

"In cases where it is needed it is advisable to use an alternate browser with the plug-in installed rather than having it permanently exposed to the web as you browse."
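Ferguson's advice above, expressed as Java deployment settings, as an added example that is not from the article, V3 or Oracle. It assumes the per-user deployment.properties file of Java 7 and the keys deployment.webjava.enabled and deployment.security.level that the Java 7 control panel writes; the file paths and key names are assumptions of this example, not values taken from the page.

```properties
# Per-user Java 7 deployment settings (assumed locations:
#   Linux:   ~/.java/deployment/deployment.properties
#   Windows: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties)
# Key names are those the Java 7 control panel writes; they are assumed here,
# not taken from the article.

# Weak configuration: Java content enabled in every browser, running at the
# pre-7u11 default level where unsigned applets run with little friction.
# deployment.webjava.enabled=true
# deployment.security.level=MEDIUM

# Ferguson's first recommendation: keep the Java plug-in out of the browser
# entirely. With this set, the plug-in is disabled for all browsers on the host.
deployment.webjava.enabled=false

# If browser Java genuinely cannot be avoided, run at the highest level so
# that applets without a trusted, validated certificate do not run at all and
# signed ones still prompt before starting.
deployment.security.level=VERY_HIGH
```

Java 7 Update 11 moved the default of deployment.security.level to HIGH, which is the change Ferguson describes as a Band-Aid: unknown-source applets then prompt the user rather than being refused, so the social-engineering risk he points to remains unless Java is disabled in the browser or restricted to a separate browser used only when an applet is required.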

The Reveton ransomware has been seen targeting numerous other vulnerabilities in the past. Prior to the Oracle attack, a form of it had been uncovered masquerading as a copyright infringement message from the FBI.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
