10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
100.0%
A new Java 0-day vulnerability has been discovered, already wind in use by an exploit pack, taking advantage of a fresh zero-day vulnerability in Java and potentially letting hackers take over usersβ machines.
Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The flaw was first spotted by βMalware Donβt Need Coffeeβ blog. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
This exploit is already available in two Exploit Packs, that is available for $700 a quarter or $1,500 for a year. Similar tactics were used in CVE-2012-4681, which was discovered last August. Source of this new Exploit available to download Here.
The two most popular exploits packs used by hackers to distribute malware, the BlackHole Exploit Kit and the Cool Exploit Kit already having this latest Java Zero-Day exploit. Blackhole kit is usually installed on compromised websites and uses vulnerabilities in web browsers and other software to inject malware into visitorsβ PCs.
The creator of Blackhole, who uses the nickname βPaunch,β announced yesterday on several Under web forums that the Java zero-day was a βNew Yearβs Gift,β to customers who use his exploit kit. Vulnerability was later confirmed by security firm AlienVault Labs, βOn the other hand we expect a Metasploit module in the upcoming days as it has been happening during the last year as well as most of the exploit kits adopting this new zeroday sooner than later.β
Last option for readers, deactivate the Java plugin in their browsers without delay.