A vulnerability in the latest version of Oracle’s Java software framework is under active attack, and the damage is likely to get worse thanks to the availability of reliable exploit code that works on a variety of browsers and computer platforms, security experts warn.
The flaw in Java version 1.7 was reported on Sunday afternoon by FireEye security researcher Atif Mushtaq. A separate post published on Monday by researchers Andre M. DiMino and Mila Parkour said the number of attacks, which appear to install the Poison Ivy Remote Access Trojan, were low. But they went on to note that the typical delay in issuing Java patches, combined with the circulation of exploit code, meant it was only a matter of time until the vulnerability is exploited more widely by other attackers.
Members of Rapid7, the security company that helps maintain the open-source Metasploit exploit framework used by penetration testers and hackers, said they have already developed an exploit that works against Windows 7. They are in the process of testing it against the Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome browsers running on other operating systems, including Ubuntu Linux 10.04 and Windows XP. They went on to suggest that users should disable Java until a patch plugging the gaping hole is released.
“As a user, you should take this problem seriously, because there is currently no patch from Oracle,” a Rapid7 exploit developer wrote in a blog post. “For now, our recommendation is to completely disable Java until a fix is available.”