Java Exploit in New Kit

Thursday, April 25, 2013 @ 06:04 PM gHale

It is well known that when a patch comes out, a good majority of people do not install it. If that holds true for the latest Java patch, security pros implore users to install it.

That is because an exploit for one of the vulnerabilities it patched is now in a popular exploit kit and the bad guys have it in full play.


The exploited flaw (CVE-2013-2423) affects only client deployments of Java (versions 7u17 and before) and allows remote attackers to execute malicious code without having to authenticate.

The kit sporting the exploit is CrimeBoss, and the exploit has been partially copied from the source code of the Metasploit module that targets the flaw, said Timo Hirvonen, anti-malware analyst at F-Secure.

It took the kit’s developer(s) only a day to fit in the exploit, and it has been spotted since April 21, researchers said.
