FireEye researchers say the exploit is not very reliable

Mar 1, 2013 11:55 GMT

Currently, Oracle’s Java appears to be one of the most vulnerable pieces of software around, and judging by the way things are going, it will be some time before experts can tell users that it is safe to use.

FireEye researchers have identified yet another Java zero-day being exploited in the wild. Experts say that the vulnerability, which affects Java 6 Update 41 and Java 7 Update 15, leads to arbitrary memory read and write in the JVM process.

In the attacks observed by FireEye, the cybercriminals exploited the vulnerability in order to download the McRAT malware.

On the bright side, researchers say the exploit is not very reliable, as it tries to overwrite a big chunk of memory.

“As a result, in most cases, upon exploitation, we can still see the payload downloading, but it fails to execute and yields a JVM crash,” experts explained.

FireEye has notified Oracle. The company has confirmed the issue and assigned it CVE-2013-1493.

Earlier this week, Security Explorations reported finding a couple of vulnerabilities affecting Java 7 Update 15 and earlier versions of Java 7. Oracle has confirmed that a combination of the two flaws could lead to a sandbox bypass, but argued that one of the issues is not actually a security hole because it demonstrates “allowed behavior.”

If Oracle sticks to this assessment, Security Explorations plans to make the details of the issue public to allow the security community to determine whether it is a vulnerability or not.

So there you have it. The old rule still applies. If you don’t need Java, don’t install it. If you do need it, consider using alternative pieces of software and be careful about what sites you visit and what links you click on.