More

    New Java Zero-Day Exploit Hits

    I’ve lost track of how many times I’ve asked security experts about Java’s security problems. I don’t know why I bother anymore because the answer is always the same: Uninstall it from your computer.

    However, I suspect most people don’t do that. I know I almost never think about Java until I see a pop-up that tells me that I need Java when I visit a website while using the computer without Java installed or I get a Java update alert on a computer I rarely use.

    If you need another reminder about why you might want to consider uninstalling Java, one arrived in my email today, courtesy of Rapid7, which stated:

    A Java zero-day surfaced Sunday night. Currently, there is no patch for this vulnerability and Rapid7 is recommending that users take this vulnerability seriously and completely disable Java until a fix is available.

    The Rapid7 alert was followed up by FireEye, which reported:

    New Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable. In my lab environment, I was able to successfully exploit my test machine against latest version of FireFox with JRE version 1.7 update 6 installed.

    An infected computer could be used as a drone for a malware botnet, according to ZDNet

    No one knows when Oracle will release a patch for this new vulnerability in Java, which is why Rapid7 suggests disabling Java for the time being (or maybe for good?). But is that a course that IT pros will want to tackle? On the other hand, is it worth the risk to company computers to not disable Java?

    Like I said earlier, this new zero-day vulnerability may be the one that triggers a discussion on whether or not Java is worth the hassle and the security risk.

    Sue Poremba
    Sue Poremba
    Sue Poremba is freelance writer based on Central PA. She's been writing about cybersecurity and technology trends since 2008.

    Latest Articles