
Java flaw draws Web attacks, reports say

A vulnerability in the Java software has the potential to affect a wide swath of computer users, and researchers warn that it's already being exploited "in the wild."

Jon Skillings Editorial director

Security researchers have spotted a new vulnerability in the widely used Java software that could let attackers run their own code on your computer.

The US-CERT group today issued an alert saying that Java 7 Update 10 and earlier versions of the software contain an unspecified vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code. No action beyond browsing is required: the attack is triggered when someone visits a Web site that has been seeded with malicious Java content built to take advantage of the hole.

This weak spot is already being attacked "in the wild" -- that is, it's a real-world threat, not a lab demonstration -- and is being incorporated into exploit kits, the packaged attack toolkits that let those with ill intentions mount an attack without writing an exploit themselves.

Java supplier Oracle has yet to issue a fix for the vulnerability, so researchers are advising users to disable Java in their Web browsers for the time being.
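For anyone who wants to find out whether the Java installed on a machine falls inside the range US-CERT named, here is a small added check; it is not code from the article, from US-CERT or from Oracle. It reads a `java -version` banner, pulls out the version string and classifies Java 7 at Update 10 or earlier as affected. Two assumptions are baked in and labeled in the comments: that the banner's first line has the form `java version "1.7.0_10"`, and, following Oracle's statement further down this page that the flaw is limited to JDK7, that Java 6 and earlier are out of scope. The sample banners are constructed for the dry run, not captured from any real host.

```shell
#!/bin/sh
# Added example, not from the article or from US-CERT/Oracle: classify a
# `java -version` banner against the range the alert names (Java 7 Update 10
# and earlier). Assumptions: the banner's first line looks like
#   java version "1.7.0_10"
# and, following Oracle's statement that the flaw is limited to JDK7,
# Java 6 and earlier are treated as out of scope.

# Pull the quoted version string out of a banner. `java -version` writes to
# stderr, so callers capture it with 2>&1.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# True (exit 0) when the version is Java 7 at Update 10 or earlier.
is_affected_version() {
    v="$1"
    case "$v" in
        1.7.0_*) ;;            # Java 7 with an update number: compare it below
        1.7.0)   return 0 ;;   # Java 7 GA with no update suffix: earlier than Update 10
        *)       return 1 ;;   # not Java 7 (Java 6, Java 8, or unparseable)
    esac
    update=${v#1.7.0_}
    update=$(printf '%s' "$update" | sed 's/[^0-9].*$//')   # drop any "-b18"-style suffix
    [ -n "$update" ] && [ "$update" -le 10 ]
}

# Print a verdict for a banner; exit 0 = affected, 1 = not affected, 2 = no version found.
check_java_banner() {
    ver=$(java_version_string "$1")
    if [ -z "$ver" ]; then
        echo "no java version string found"
        return 2
    fi
    if is_affected_version "$ver"; then
        echo "affected: Java $ver is 7u10 or earlier"
        return 0
    fi
    echo "not affected: Java $ver"
    return 1
}

# Constructed sample banners for a dry run; not captured from any real host.
SAMPLE_7U10='java version "1.7.0_10"
Java(TM) SE Runtime Environment (build 1.7.0_10-b18)'
SAMPLE_7U11='java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)'
SAMPLE_6='java version "1.6.0_37"
Java(TM) SE Runtime Environment (build 1.6.0_37-b06)'

for banner in "$SAMPLE_7U10" "$SAMPLE_7U11" "$SAMPLE_6"; do
    check_java_banner "$banner" || true
done

# Finally, check the JVM on this host, if one is on PATH.
if command -v java >/dev/null 2>&1; then
    check_java_banner "$(java -version 2>&1)" || true
fi
```

Keep in mind what this does and does not tell you: it reports whether the JVM on the PATH is in the affected range, which is useful for finding exposed machines across a fleet, but the attack path described in the alert runs through the browser plugin, so the mitigation that matters until Oracle ships a fix is disabling Java in the browser, not merely noting the version.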

The zero-day vulnerability was reported to US-CERT by a blogger named Kafeine at the site Malware don't need Coffee. The exploit has been confirmed by AlienVault Labs, which also was alerted to the matter by Kafeine, and by BitDefender, according to a report in Computerworld.

Updated January 12 at 6:33 a.m. PT: Oracle responded to our query on the matter late last night with this statement:

Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices. A fix will be available shortly.

[Via The Next Web]