Another Zero-Day Java Exploit Discovered, When Will It Stop?
Is there a world record for number of software vulnerabilities exposed within the span of a single month? If so, I'm willing to bet that Oracle's Java is the clear winner. We've reported on many Java happenings over the past couple of months, and it doesn't look like the fun is going to end anytime soon.
Security firm FireEye is responsible for the latest finding, noting that this zero-day exploit has been successfully executed against Java 1.6 update 41 and the most recent 1.7 update 15. It takes advantage of a vulnerability that allows an attacker to overwrite bits of data Java has stored in memory, such as the area that tells it whether or not the security manager is enabled. While success is hit or miss, if it does land, an HTTP GET request is issued that downloads the McRAT malware, which in turn can be used to download additional malware.
FireEye recommends disabling Java until a patch has been released, or at least setting its security level to "High". We'd recommend considering getting rid of it entirely, because with the number of vulnerabilities being disclosed all the time, things are just getting ridiculous. If you do have Java installed, it might be worth asking yourself what you're using it for. In talking to friends, I've discovered that it's not uncommon for people to have Java installed from something they needed once, and then just never bothered to uninstall it.
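Before deciding whether to disable or remove Java, it helps to know which build is actually installed. The script below is an added example, not code from the article or from FireEye: it parses the output of `java -version` (which the JRE prints to stderr, in the form `java version "1.7.0_15"`) and flags the two builds the article names, 1.6 update 41 and 1.7 update 15. Treating earlier updates of the same major line as affected as well is an assumption made here for inventory purposes, not something the article states, and the sample outputs are constructed so the check runs offline.

```python
import re
import subprocess
from typing import Optional, Tuple

# Builds the article reports the exploit succeeding on: 1.6u41 and 1.7u15.
# ASSUMPTION (not from the article): earlier updates of the same major line
# are treated as affected too, since they predate any fix.
AFFECTED_MAX_UPDATE = {6: 41, 7: 15}

# Matches the first line of `java -version`, e.g. java version "1.7.0_15"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.0(?:_(\d+))?"')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` text, e.g. '1.7.0_15' -> (7, 15)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_affected(version: Tuple[int, int]) -> bool:
    """True if the build is one the article names, or an older update of that line."""
    major, update = version
    limit = AFFECTED_MAX_UPDATE.get(major)
    return limit is not None and update <= limit


def installed_java_version() -> Optional[Tuple[int, int]]:
    """Run `java -version` on this machine; None if Java is absent or unparseable."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # The JRE writes its version banner to stderr, not stdout.
    return parse_java_version(proc.stderr + proc.stdout)


def assess(output: str) -> str:
    """Human-readable verdict for one `java -version` banner."""
    version = parse_java_version(output)
    if version is None:
        return "no Java runtime detected"
    label = f"Java 1.{version[0]} update {version[1]}"
    if is_affected(version):
        return f"{label}: AFFECTED - disable Java or set its security level to High"
    return f"{label}: not in the affected range listed here"


# Constructed sample banners in the format the JRE prints (not captured from real hosts).
SAMPLE_BANNERS = {
    "host-a": 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)\n',
    "host-b": 'java version "1.6.0_41"\nJava(TM) SE Runtime Environment (build 1.6.0_41-b02)\n',
    "host-c": 'java version "1.6.0_30"\nJava(TM) SE Runtime Environment (build 1.6.0_30-b12)\n',
    "host-d": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(f"{host}: {assess(banner)}")
    local = installed_java_version()
    print("this machine:", "no Java found" if local is None else f"1.{local[0]}u{local[1]}")
```

Run it as-is to see the verdicts for the constructed banners; on a real fleet you would feed each host's `java -version` output into `assess()`. Note that the check only looks at whatever `java` is first on the PATH, so machines with several JREs or a browser plugin pointing at a different install need each copy inspected separately.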
For those who do require it, we feel your pain.