Java is still exploitable and is likely going to remain so.

Published: 2013-01-10
Last Updated: 2013-01-10 15:40:42 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

We haven't had an unpatched Java vulnerability in a while (a month?). To make up for this lack of Java exploitability, the creators of the Blackhole and Nuclear exploit pack included an exploit for a new, unpatched, Java vulnerability in their latest release [1]. The exploit has been seen on various compromissed sites serving up the exploit kit. The latest version of Java 7 is vulnerable [2].

Leave Java disabled (I am not going to recommend to disable it. If you still have it enabled, you probably have an urgent business need for it and can't disable it)

If you have any business critical applications that require Java: try to find a replacement. I don't think this will be the last flaw, and the focus on Java from people behind exploit kits like blackhole is likely going to lead to additional exploits down the road.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: java
4 comment(s)


So funny you're posting at this particular moment. As I was going through my feeds I came across this article only moments before coming here:

New Java 0-day exploited in the wild
Amazing! A new Java 0-day to go with the release of this month's OUCH describing Java problems. What are the odds of that? Given the number of Java 0-days, ...
Now, is this primarily significant for browser applets, or in general? "Dilbert's" link is about attacks on the browser, where a "replace all the Java apps" scenario might be a much larger issue if required. Server-side apps aren't relying on a sandbox, for instance, so other controls are expected to be in place, without running untrusted code.
I really like the JVM but I do agree with the sentiment. I true language that I can respect is Scala. Here is a little write up for those not familiar.

Diary Archives