Zero Day Java Exploit Exposed

Lately, I’ve been posting about Adobe Flash having multiple exploits out in the wild that threaten users. But an old attack vector for evildoers has returned in the form of an exploit on the Java platform. Here are the details from Trend Micro on the exploit dubbed “Pawn Storm”:

Throughout our on-going investigation and monitoring of a targeted attack campaign, Operation Pawn Storm, we found suspicious URLs that hosted a newly discovered zero-day exploit in Java. This is the first time in nearly two years that a new Java zero-day vulnerability was reported.

And:

The said URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm that targeted North Atlantic Treaty Organization (NATO) members and White House last April 2015. However, at that time, these URLs were not hosting the said exploit yet. Pawn Storm also targeted other nation-state organizations using political events and meetings such as the Asia-Pacific Economic Cooperation (APEC) Forum and the Middle East Homeland Security Summit 2014 as part of its social engineering tactics. Media and defense industries were other entities targeted by this APT campaign apart from military and government.

Now the Trend Micro products apparently already protect users from this threat. But…:

Currently, this vulnerability is still not patched by Oracle. Based on our investigation, the latest Java version 1.8.0.45 is affected. Older versions, Java 1.6 and 1.7 are not affected by this zero-day exploit. We already notified Oracle and we’re collaborating with their security team regarding this threat.

Translation: if you have Java installed, you are at risk until it is patched by Oracle. Thus you should consider yanking it off your system if you don’t need it. And to be frank, most people don’t need Java. So you’re likely better off without it. Plus you’re likely better off without Adobe Flash as well. By not having both, your system will be way more secure.
