- V3 Apps
Oracle has released a security update designed to patch a recently discovered zero-day vulnerability in its Java software.
The newly released Java 7 Update 11 aims to fix the security flaw by altering the way Java handles web applications.
The Java vulnerability was initially discovered last week, when security firm Trend Micro discovered a ransomware Trojan known as Reveton targeting the flaw. The malware has been connected with the popular Blackhole and Cool exploit kits, which allow criminals to mount automated attacks targeting the exploit.
F-Secure security researcher Sean Sullivan highlighted the flaw's connection to Blackhole and Cool as particularly dangerous, warning that the attacks' high success rate will undoubtedly increase criminal's interest in exploit kits.
"It was a bad vulnerability, allowing for a reliable exploit. An exploit which was first incorporated into the 'Cool' exploit kit. As that kit reportedly rents itself for $10,000 per month, the ‘badness' should speak for itself," he said.
Sullivan went on to reiterate security experts' claim that Oracle failed to react to the threat quickly enough, urging the company to re-address inherent problems with its security strategy.
"Reports say that Oracle was informed four months ago. But then, there was no evidence of exploitation in the wild. It is always difficult to judge the amount of resources that should be spent on a potential problem. It was a rather fast reaction once the vulnerability was known to the public," said Sullivan.
"Oracle really just needs to come to better terms with being the target."
Trend Micro security director Rik Ferguson was similarly unimpressed with Oracle's reaction to the vulnerability.
"The patch from Oracle is really nothing more than a Band-Aid, elevating the security settings on the client PC such that applets from unknown sources will require user authorisation to run. This is obviously still wide open to socially-engineered attacks," Ferguson told V3.
"Java really is not a necessity for the majority of web users, my advice would be to ensure that it remains switched off in web browsers at least unless there is an overriding need for it.
"In cases where it is needed it is advisable to use an alternate browser with the plug-in installed rather than having it permanently exposed to the web as you browse."
The Reveton ransomware has been uncovered targeting numerous other vulnerabilities in the past. Prior to the Oracle attack, a form of it had been uncovered masquerading as a copyright infringement message from the FBI.